Infected with unknown malware


28 replies to this topic

#1 Francesco Brighenti

  • Members
  • 14 posts

Posted 26 February 2009 - 05:34 PM

Hello,

I am Italian (sorry for my bad English!). My Internet browser (IE) used to work fast with the use of my broadband connection till not long ago. Before last Christmas, something happened. Navigation on the Internet became slower and slower, sometimes blocking completely. When blocks occurred, the IE icon on the left edge of the blue bar on top of the screen changed to a miniature white page with its blue bar on top, and this aspect of the icon can last from a few seconds to... forever (sometimes). In the same period, I noticed that a Trojan virus had apparently infected my PC (sorry, I forgot its name because now it has apparently been removed by Norton Antivirus, which, however, was initially unable to remove it for weeks). Another strange, new feature was that very frequently a white page of IE opened automatically, and in the blue bar on its top there was no file name, only the program-name string "Microsoft Internet Explorer" enclosed between two "~" symbols. If I did not close the pages generated in this way, they multiplied incessantly.

Now, after nearly two months, all the above symptoms have disappeared but one: navigation on the Internet is sometimes extremely slow, sometimes blocking completely. Still now, when blocks occur, the IE icon on the left edge of the blue bar on top of screen changes to a miniature white page with its blue bar on top.

I hope I have described what happened in the best way possible. Help me, please! I need to use the Internet all the time due to my work and study exigencies, and that's becoming a torture! I also cannot use the System Restore function of Windows XP (the operating system I use) to "clean" the register (if that is really the part of the system that is being affected) because this would mean saving thousands of files on another hard disk and, especially, losing all the programs I have installed on my PC in the course of the last few years.

Thanks in advance, and best regards.

Francesco Brighenti
Venice, Italy

--------------------------------------

Here are the contents of the DDS.text log that I have saved on my desktop:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Proprietario at 22.43.46,90 on 26/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.735.289 [GMT 1:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Programmi\USB Storage RW\shwicon.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
svchost.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
C:\Programmi\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Proprietario\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\programmi\norton antivirus\engine\16.2.0.7\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmi\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programmi\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programmi\file comuni\nero\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\programmi\spybot - search & destroy\TeaTimer.exe
uRun: [irsee] "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" irsee
uRunOnce: [<NO NAME>] c:\programmi\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000097.000001cd
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KYE_Showicon] "c:\programmi\usb storage rw\shwicon.exe" -t"kye\USB Storage RW"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [Share-to-Web Namespace Daemon] c:\programmi\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [Piolet] c:\programmi\piolet\Piolet.exe SILENT
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre1.6.0_07\bin\jusched.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [NBKeyScan] "c:\programmi\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\programmi\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [StorageGuard] "c:\programmi\veritas software\update manager\sgtray.exe" /r
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adobeg~1.lnk - c:\programmi\file comuni\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpcent~1.lnk - c:\programmi\hp center\137903\program\BackWeb-137903.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - c:\programmi\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NAV\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2009-2-24 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1002000.007\cchpx86.sys [2009-2-24 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090217.002\IDSxpx86.sys [2009-2-24 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\norton antivirus\engine\16.2.0.7\ccSvcHst.exe [2009-2-24 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-18 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090226.003\NAVENG.SYS [2009-2-26 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090226.003\NAVEX15.SYS [2009-2-26 876144]
S1 6c31daa4;6c31daa4;c:\windows\system32\drivers\6c31daa4.sys --> c:\windows\system32\drivers\6c31daa4.sys [?]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\symantec\liveupdate\aluschedulersvc.exe" --> c:\programmi\symantec\liveupdate\ALUSchedulerSvc.exe [?]

=============== Created Last 30 ================

2009-02-25 22:08 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-02-18 23:42 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-18 23:42 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-18 23:42 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-18 23:42 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-18 23:42 <DIR> --d----- c:\programmi\Symantec
2009-02-18 23:41 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-02-18 23:41 <DIR> --d----- c:\programmi\Norton AntiVirus
2009-02-18 23:39 <DIR> --d----- c:\programmi\NortonInstaller
2009-02-14 23:36 4,007,214 a------- c:\windows\pfirewall.log.old
2009-02-11 01:27 579,584 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-11 01:22 <DIR> --d----- c:\windows\ERUNT
2009-02-11 01:06 <DIR> --d----- C:\SDFix
2009-02-10 22:34 154 a------- c:\windows\wininit.ini
2009-02-08 14:04 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-02-08 14:04 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-02-08 12:28 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-02-08 12:28 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-08 12:27 <DIR> --d----- c:\programmi\iPod
2009-02-08 12:27 <DIR> --d----- c:\programmi\iTunes
2009-02-08 12:27 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-08 12:27 <DIR> --d----- c:\programmi\Bonjour
2009-02-08 12:23 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-08 12:22 <DIR> --d----- c:\programmi\file comuni\Apple
2009-02-06 10:45 0 a--shr-- C:\khs
2009-02-06 10:45 336,888 a--shr-- C:\bcfmqr.exe
2009-02-04 23:09 505,856 a------- c:\windows\system32\old120.tmp
2009-02-03 21:43 40,960 a------- c:\windows\system32\drivers\tosrfusb.sys
2009-02-03 21:43 113,792 a------- c:\windows\system32\drivers\tosrfbd.sys
2009-02-03 21:43 73,600 a------- c:\windows\system32\drivers\Tosrfhid.sys
2009-02-03 21:42 36,480 a------- c:\windows\system32\drivers\tosrfbnp.sys
2009-02-03 21:42 18,612 a------- c:\windows\system32\drivers\tosrfnds.sys
2009-02-03 21:42 53,504 a------- c:\windows\system32\drivers\TosRfSnd.sys
2009-02-03 21:42 64,896 a------- c:\windows\system32\drivers\tosrfcom.sys
2009-02-03 21:42 41,600 a------- c:\windows\system32\drivers\tosporte.sys
2009-02-03 21:42 <DIR> --d----- c:\programmi\Toshiba
2009-02-03 21:22 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-02-03 21:22 8,192 a------- c:\windows\system32\wshirda.dll
2009-02-03 21:22 29,696 ac------ c:\windows\system32\dllcache\irmon.dll
2009-02-03 21:22 29,696 a------- c:\windows\system32\irmon.dll
2009-02-03 21:22 152,576 ac------ c:\windows\system32\dllcache\irftp.exe
2009-02-03 21:22 152,576 a------- c:\windows\system32\irftp.exe
2009-01-31 19:20 <DIR> --d----- c:\programmi\Xiph.Org
2009-01-28 14:32 <DIR> --d----- c:\programmi\MSXML 4.0
2009-01-28 12:56 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\PCSettings
2009-01-28 12:56 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\Norton
2009-01-28 12:54 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\NortonInstaller
2009-01-28 11:13 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\Nero

==================== Find3M ====================

2009-02-23 19:03 408,776 a------- c:\windows\system32\perfh010.dat
2009-02-23 19:03 55,420 a------- c:\windows\system32\perfc010.dat
2009-02-11 00:43 58,776 a------- c:\docume~1\propri~1\datiap~1\GDIPFONTCACHEV1.DAT
2009-01-27 17:47 80,343 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-27 12:35 23,604 a------- c:\windows\system32\emptyregdb.dat
2008-05-12 09:59 103,776 a------- c:\documents and settings\proprietario\System_Restore.exe
2008-05-12 09:58 357,768 a------- c:\documents and settings\proprietario\SymXPep2.dll
2008-04-29 14:55 251,216 a------- c:\documents and settings\proprietario\IView.exe
2007-01-02 11:26 20,155,344 a------- c:\programmi\SkypeSetup.exe
2007-01-02 11:23 36,808,256 a------- c:\programmi\iTunesSetup.exe

============= FINISH: 22.44.44,85 ===============

#2 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 13 March 2009 - 07:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Francesco Brighenti
  • Topic Starter

  • Members
  • 14 posts

Posted 21 March 2009 - 07:27 AM

Dear Koan Yorel,

Thanks for reopening this Topic.

I have since NOT resolved the original problem I described in post #1. The current condition of my machine is always the same (to recapitulate it: navigation on the Internet is sometimes extremely slow, sometimes blocking completely with a disconnection of the Internet, and when such blocks occur, the IE icon on the left edge of the blue bar on top of screen changes to a miniature white page with its blue bar on top).

I have made no steps to correct this problem.

Here are the contents of the DDS.text log I have saved on my desktop today after running DDS once again as per your suggestion:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Proprietario at 13.08.01,03 on 21/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.735.322 [GMT 1:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Programmi\USB Storage RW\shwicon.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
svchost.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Proprietario\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\programmi\norton antivirus\engine\16.2.0.7\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmi\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programmi\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programmi\file comuni\nero\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\programmi\spybot - search & destroy\TeaTimer.exe
uRun: [irsee] "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" irsee
uRunOnce: [<NO NAME>] c:\programmi\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000097.000001cd
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KYE_Showicon] "c:\programmi\usb storage rw\shwicon.exe" -t"kye\USB Storage RW"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [Share-to-Web Namespace Daemon] c:\programmi\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [Piolet] c:\programmi\piolet\Piolet.exe SILENT
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre1.6.0_07\bin\jusched.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [NBKeyScan] "c:\programmi\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\programmi\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [StorageGuard] "c:\programmi\veritas software\update manager\sgtray.exe" /r
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adobeg~1.lnk - c:\programmi\file comuni\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpcent~1.lnk - c:\programmi\hp center\137903\program\BackWeb-137903.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - c:\programmi\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NAV\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2009-2-24 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1002000.007\cchpx86.sys [2009-2-24 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090310.003\IDSxpx86.sys [2009-3-11 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\norton antivirus\engine\16.2.0.7\ccSvcHst.exe [2009-2-24 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090320.048\NAVENG.SYS [2009-3-21 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090320.048\NAVEX15.SYS [2009-3-21 876144]
S1 6c31daa4;6c31daa4;c:\windows\system32\drivers\6c31daa4.sys --> c:\windows\system32\drivers\6c31daa4.sys [?]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\symantec\liveupdate\aluschedulersvc.exe" --> c:\programmi\symantec\liveupdate\ALUSchedulerSvc.exe [?]

=============== Created Last 30 ================

2009-03-07 14:58 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-03-01 19:14 <DIR> --d----- c:\programmi\file comuni\DVDVideoSoft
2009-03-01 19:14 <DIR> --d----- c:\programmi\DVDVideoSoft
2009-02-25 22:08 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys

==================== Find3M ====================

2009-03-07 14:42 408,776 a------- c:\windows\system32\perfh010.dat
2009-03-07 14:42 55,420 a------- c:\windows\system32\perfc010.dat
2009-02-18 23:42 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-18 23:42 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-18 23:42 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-18 23:42 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-11 00:43 58,776 a------- c:\docume~1\propri~1\datiap~1\GDIPFONTCACHEV1.DAT
2009-02-09 15:04 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-05 13:52 505,856 a------- c:\windows\system32\old120.tmp
2009-01-27 17:47 80,343 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-27 12:35 23,604 a------- c:\windows\system32\emptyregdb.dat
2009-01-05 23:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-05-12 09:59 103,776 a------- c:\documents and settings\proprietario\System_Restore.exe
2008-05-12 09:58 357,768 a------- c:\documents and settings\proprietario\SymXPep2.dll
2008-04-29 14:55 251,216 a------- c:\documents and settings\proprietario\IView.exe
2007-01-02 11:26 20,155,344 a------- c:\programmi\SkypeSetup.exe
2007-01-02 11:23 36,808,256 a------- c:\programmi\iTunesSetup.exe

============= FINISH: 13.09.05,54 ===============


Awaiting the instructions of the HJT team, with best wishes.

Francesco Brighenti
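
As an added triage aid (an editor's example, not part of this thread or of the DDS tool), the script below applies a few heuristics to DDS log lines of the kind shown in posts #1 and #3 and flags the entries a helper would look at first. The regular expressions, heuristics and severities are the editor's assumptions; the sample lines are excerpted from the logs above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines excerpted from the DDS logs posted in this thread (a small
# excerpt, not a complete log); the heuristics below are the editor's own.
SAMPLE_LOG = r"""
uRun: [SpybotSD TeaTimer] c:\programmi\spybot - search & destroy\TeaTimer.exe
uRun: [irsee] "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" irsee
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2009-2-24 255536]
S1 6c31daa4;6c31daa4;c:\windows\system32\drivers\6c31daa4.sys --> c:\windows\system32\drivers\6c31daa4.sys [?]
2009-02-06 10:45 0 a--shr-- C:\khs
2009-02-06 10:45 336,888 a--shr-- C:\bcfmqr.exe
2009-02-18 23:42 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
"""

# Line shapes used by the DDS "Pseudo HJT Report", "SERVICES / DRIVERS" and
# "Created Last 30" sections (assumed from the logs above).
AUTORUN_RE = re.compile(r"^(?P<hive>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")
ORPHAN_RE = re.compile(r"^(?:BHO|TB|EB): .* - No File$")

# Heuristics (assumptions, tune per environment).
SERVICE_PROFILE_RE = re.compile(r"\\(networkservice|localservice)\\", re.I)  # code run from a service profile
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)                         # 8-hex-char service/driver name
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)                        # file directly in a drive root


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one DDS log line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    m = AUTORUN_RE.match(line)
    if m:
        # Legitimate software does not put its autorun under NetworkService/LocalService.
        if SERVICE_PROFILE_RE.search(m.group("cmd")):
            return Finding("high", "autorun launches from a service-account profile", line)
        return None
    m = DRIVER_RE.match(line)
    if m:
        # DDS prints "[?]" when it cannot resolve or size the file; together with a
        # random-looking service name that is a pattern worth a closer look.
        if RANDOM_NAME_RE.match(m.group("svc")) and m.group("rest").endswith("[?]"):
            return Finding("high", "driver with random hex name and unresolved file", line)
        return None
    m = FILE_RE.match(line)
    if m:
        attrs, path = m.group("attrs"), m.group("path")
        # Attribute string positions: 's' = system, 'h' = hidden.
        if "s" in attrs and "h" in attrs and ROOT_FILE_RE.match(path):
            return Finding("medium", "hidden+system file created in a drive root", line)
        return None
    if ORPHAN_RE.match(line):
        return Finding("low", "orphaned browser add-on entry (No File)", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'low': 1}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Entries flagged here are leads for a human reviewer to confirm against the full log, not verdicts; a legitimate driver can also show "[?]" when DDS cannot read it.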

#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 03 April 2009 - 02:43 PM

Hi there,

Ad-Aware SE is not supported anymore. I recommend uninstalling it and getting Ad-Aware Anniversary Edition (AE) after we're done here :thumbup2:

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Francesco Brighenti
  • Topic Starter

  • Members
  • 14 posts

Posted 04 April 2009 - 04:54 PM

Dear Blade81,

I have followed your instructions and include here the following reports as per your requirement:



1) C:\ComboFix.txt:


ComboFix 09-04-04.01 - Proprietario 2009-04-04 23.26.34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1040.18.735.449 [GMT 2:00]
Eseguito da: c:\documents and settings\Proprietario\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Proprietario\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\umaaokg.dat
c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\umaaokg.exe
c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\umaaokg_nav.dat
c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\umaaokg_navps.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2009-03-04 al 2009-04-04 )))))))))))))))))))))))))))))))))))
.

2009-03-26 08:24 . 2009-02-27 13:02 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-07 15:58 . 2009-03-07 15:58 <DIR> d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 20:25 --------- d-----w c:\documents and settings\Proprietario\Dati applicazioni\Lavasoft
2009-03-25 18:29 --------- d-----w c:\programmi\Symantec
2009-03-25 18:28 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-25 18:28 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 18:28 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-25 18:28 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-07 13:58 --------- d-----w c:\programmi\Google
2009-03-04 13:31 --------- d-----w c:\programmi\eMule
2009-03-01 18:15 --------- d-----w c:\programmi\File comuni\DVDVideoSoft
2009-03-01 18:14 --------- d-----w c:\programmi\DVDVideoSoft
2009-02-19 09:37 --------- d-----w c:\programmi\File comuni\Symantec Shared
2009-02-18 22:41 --------- d-----w c:\programmi\Windows Sidebar
2009-02-18 22:41 --------- d-----w c:\programmi\Norton AntiVirus
2009-02-18 22:41 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Norton
2009-02-18 22:40 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\NortonInstaller
2009-02-18 22:39 --------- d-----w c:\programmi\NortonInstaller
2009-02-10 23:43 58,776 ----a-w c:\documents and settings\Proprietario\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-02-10 23:21 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-02-10 20:50 --------- d-----w c:\programmi\Spybot - Search & Destroy
2009-02-09 14:04 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 20:27 --------- d-----w c:\documents and settings\Proprietario\Dati applicazioni\Skype
2009-02-08 11:28 --------- d-----w c:\programmi\iTunes
2009-02-08 11:28 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-08 11:27 --------- d-----w c:\programmi\iPod
2009-02-08 11:27 --------- d-----w c:\programmi\File comuni\Apple
2009-02-08 11:27 --------- d-----w c:\programmi\Bonjour
2009-02-08 11:26 --------- d-----w c:\programmi\QuickTime
2009-02-08 11:24 --------- d-----w c:\programmi\Apple Software Update
2009-02-05 12:52 505,856 ----a-w c:\windows\system32\old120.tmp
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-05-12 08:59 103,776 ----a-w c:\documents and settings\Proprietario\System_Restore.exe
2008-05-12 08:58 357,768 ----a-w c:\documents and settings\Proprietario\SymXPep2.dll
2008-04-29 13:55 251,216 ----a-w c:\documents and settings\Proprietario\IView.exe
2007-01-02 10:26 20,155,344 ----a-w c:\programmi\SkypeSetup.exe
2007-01-02 10:23 36,808,256 ----a-w c:\programmi\iTunesSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"NVIEW"="nview.dll" [2002-10-01 c:\windows\system32\nview.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\programmi\Internet Explorer\iexplore.exe" [2008-04-14 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688]
"KYE_Showicon"="c:\programmi\USB Storage RW\shwicon.exe" [2002-10-25 69632]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Share-to-Web Namespace Daemon"="c:\programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PS2"="c:\windows\system32\ps2.exe" [2002-06-14 81920]
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"StorageGuard"="c:\programmi\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2002-10-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.exe.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-26 113664]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-18 2752512]
hp center.lnk - c:\programmi\hp center\137903\Program\BackWeb-137903.exe [2003-01-01 16384]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\eMule\\emule.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Dati applicazioni\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-03 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S1 6c31daa4;6c31daa4;c:\windows\system32\drivers\6c31daa4.sys --> c:\windows\system32\drivers\6c31daa4.sys [?]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]
.
- - - - ORPHANED KEYS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\programmi\File comuni\Nero\Lib\NMBgMonitor.exe
HKCU-Run-irsee - c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe
HKLM-Run-Piolet - c:\programmi\Piolet\Piolet.exe
HKLM-Run-NBKeyScan - c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
SSODL-DlWJQlSeNRkc-{002B32E6-AA81-984C-E299-8CAC49AB9C45} - c:\windows\system32\jsut.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 23:29:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\programmi\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
Scan completed at: 2009-04-04 23.33.14
ComboFix-quarantined-files.txt 2009-04-04 21:31:59

Pre-Run: 37.130.772.480 bytes free
Post-Run: 37,303,771,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

160 --- E O F --- 2009-03-15 08:23:24

2) New dds.txt log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Proprietario at 23.41.48,81 on 04/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.735.294 [GMT 2:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Programmi\USB Storage RW\shwicon.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
svchost.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Proprietario\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\programmi\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmi\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programmi\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\programmi\spybot - search & destroy\TeaTimer.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programmi\file comuni\nero\lib\NMBgMonitor.exe"
uRun: [irsee] "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" irsee
uRunOnce: [<NO NAME>] c:\programmi\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000097.000001cd
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KYE_Showicon] "c:\programmi\usb storage rw\shwicon.exe" -t"kye\USB Storage RW"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [Share-to-Web Namespace Daemon] c:\programmi\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre1.6.0_07\bin\jusched.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\programmi\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [StorageGuard] "c:\programmi\veritas software\update manager\sgtray.exe" /r
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [Piolet] c:\programmi\piolet\Piolet.exe SILENT
mRun: [NBKeyScan] "c:\programmi\nero\nero8\nero backitup\NBKeyScan.exe"
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adobeg~1.lnk - c:\programmi\file comuni\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpcent~1.lnk - c:\programmi\hp center\137903\program\BackWeb-137903.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - c:\programmi\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114461336308
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - c:\programmi\file comuni\a&w\MidRadio.ocx
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programmi\file comuni\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: DlWJQlSeNRkc - {002B32E6-AA81-984C-E299-8CAC49AB9C45} - No File

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSXpx86.sys [2009-4-3 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090404.003\NAVENG.SYS [2009-4-4 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090404.003\NAVEX15.SYS [2009-4-4 876144]
S1 6c31daa4;6c31daa4;c:\windows\system32\drivers\6c31daa4.sys --> c:\windows\system32\drivers\6c31daa4.sys [?]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\symantec\liveupdate\aluschedulersvc.exe" --> c:\programmi\symantec\liveupdate\ALUSchedulerSvc.exe [?]

=============== Created Last 30 ================

2009-04-04 23:24 <DIR> a-dshr-- C:\cmdcons
2009-04-04 23:22 161,792 a------- c:\windows\SWREG.exe
2009-04-04 23:22 98,816 a------- c:\windows\sed.exe
2009-04-04 23:21 <DIR> --d----- C:\ComboFix
2009-03-26 08:24 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-07 15:58 <DIR> --d----- c:\windows\system32\IOSUBSYS

==================== Find3M ====================

2009-03-29 10:39 408,776 a------- c:\windows\system32\perfh010.dat
2009-03-29 10:39 55,420 a------- c:\windows\system32\perfc010.dat
2009-03-25 20:28 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-25 20:28 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 20:28 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-25 20:28 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-11 01:43 58,776 a------- c:\docume~1\propri~1\datiap~1\GDIPFONTCACHEV1.DAT
2009-02-09 16:04 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-05 14:52 505,856 a------- c:\windows\system32\old120.tmp
2009-01-27 18:47 80,343 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-27 13:35 23,604 a------- c:\windows\system32\emptyregdb.dat
2009-01-06 00:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-05-12 10:59 103,776 a------- c:\documents and settings\proprietario\System_Restore.exe
2008-05-12 10:58 357,768 a------- c:\documents and settings\proprietario\SymXPep2.dll
2008-04-29 15:55 251,216 a------- c:\documents and settings\proprietario\IView.exe
2007-01-02 12:26 20,155,344 a------- c:\programmi\SkypeSetup.exe
2007-01-02 12:23 36,808,256 a------- c:\programmi\iTunesSetup.exe

============= FINISH: 23.42.45,39 ===============



Awaiting your kind reply, with best wishes.

Francesco Brighenti
Venice, Italy

#6 Blade81 (Bleepin' Rocker; Malware Response Team, 6,465 posts; Location: Finland)

Posted 05 April 2009 - 02:51 PM

Hi again Francesco


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Upload the following file to http://www.virustotal.com if found and post back the results:
c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
6c31daa4

DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
SSODL: DlWJQlSeNRkc - {002B32E6-AA81-984C-E299-8CAC49AB9C45} - No File

File::
c:\windows\system32\drivers\6c31daa4.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that the latest Java must be installed, "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
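The indicators Blade81 picked out of the logs above (a driver service with a random eight-hex-digit name whose file is missing, toolbar and ShellServiceObject entries pointing at "No File", an autorun launched from the NetworkService profile, and the Security Center / Windows Firewall policy values set so the OS stops monitoring) are the kind of thing that can be checked mechanically. The script below is an added example, not part of this thread and not a tool Blade81 or the ComboFix/DDS authors provide: it runs a handful of such rules over sample lines copied from the logs posted in this topic (plus one benign driver and one benign mRun line for contrast). The rule names are labels chosen for this example, not ComboFix or DDS terminology, and the line formats it parses are the ones visible in the logs above.

```python
"""
Pattern triage over ComboFix/DDS log lines (added example, not from the thread).

Each rule corresponds to one of the indicators singled out in the logs
posted above; the rule names are labels chosen here, not tool terminology.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix and DDS logs posted
# in this topic, plus one benign driver and one benign mRun line for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-20 310320]
S1 6c31daa4;6c31daa4;c:\windows\system32\drivers\6c31daa4.sys --> c:\windows\system32\drivers\6c31daa4.sys [?]
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
SSODL: DlWJQlSeNRkc - {002B32E6-AA81-984C-E299-8CAC49AB9C45} - No File
uRun: [irsee] "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" irsee
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
"""

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Service line as printed by ComboFix/DDS: "<R|S><start> <name>;<display>;<image path> [...]"
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
# DDS autorun line: "uRun: [<value name>] <command>"  (u = HKCU, m = HKLM)
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
# Eight lowercase hex digits as a service name: the naming pattern of 6c31daa4 above.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
# Autoruns launched from a service account's profile, where no installer puts them.
SERVICE_PROFILE_RE = re.compile(r"\\(networkservice|localservice)\\", re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, as {"rule": ..., "line": ...}."""
    findings: List[Dict[str, str]] = []
    current_key = ""  # most recent "[HKEY...]" header, lower-cased

    def flag(rule: str, line: str) -> None:
        findings.append({"rule": rule, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key").lower()
            continue

        # Security Center told not to monitor AV/firewall state: a common malware tweak.
        if "security center\\monitoring" in current_key and \
                line.startswith('"DisableMonitoring"=dword:00000001'):
            flag("security-center-monitoring-disabled", line)
            continue

        # Windows Firewall standard profile switched off.
        if current_key.endswith("firewallpolicy\\standardprofile") and \
                line.startswith('"EnableFirewall"= 0'):
            flag("windows-firewall-disabled", line)
            continue

        svc = SERVICE_RE.match(line)
        if svc:
            # A trailing "[?]" means the tool could not find the image file on disk.
            if line.endswith("[?]"):
                flag("service-image-missing", line)
            if HEX_NAME_RE.match(svc.group("name").strip()):
                flag("service-random-hex-name", line)
            continue

        # Toolbar / explorer bar / ShellServiceObject entries whose DLL is gone.
        if line.endswith("- No File"):
            flag("orphaned-shell-hook", line)
            continue

        run = RUN_RE.match(line)
        if run and SERVICE_PROFILE_RE.search(run.group("cmd")):
            flag("autorun-in-service-account-profile", line)

    return findings


def rule_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Collapse findings to {rule: count} for a quick summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:40s} {f['line']}")
```

On the sample above the script reports seven findings: both shell hooks with "No File", the 6c31daa4 driver twice (missing image and hex-only name), the irsee autorun under the NetworkService profile, and the two policy values; the SymEFA driver and the hpsysdrv autorun produce nothing. The rules are deliberately narrow (exact value names, the literal "[?]" and "- No File" markers), because on a real log the point of a triage pass is to surface candidates for a human to check against VirusTotal, as Blade81 asks for irsee.exe, not to pronounce anything malicious on its own.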


#7 Francesco Brighenti (Topic Starter; Members, 14 posts)

Posted 06 April 2009 - 03:45 PM

Dear Blade81,

I have done most of the things you instructed me to do -- that is, I have reinstalled Adobe Reader using the latest version, I have updated Java, and I have run ATF Cleaner. There is only one thing I cannot do, viz.:

> Upload following file to http://www.virustotal.com if found and post back the results:
> c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe

No such file is found on my PC (I have also launched a file search on Windows, and the result was there is no file whose name includes "irsee.exe").

************

As for the rest, you wrote me:

> Show hidden files...

Can I now revert to the previous situation (i.e., CAN I HIDE THE FILES AGAIN?).

************

This is the new ComboFix log (resulting from dragging CFScript into ComboFix.exe):


ComboFix 09-04-04.01 - Proprietario 2009-04-06 0.05.23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1040.18.735.424 [GMT 2:00]
Run by: c:\documents and settings\Proprietario\Desktop\ComboFix.exe
Options used :: c:\documents and settings\Proprietario\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\6c31daa4.sys
.

((((((((((((((((((((((((( Files Created From 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))))))
.

2009-03-26 08:24 . 2009-02-27 13:02 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-07 15:58 . 2009-03-07 15:58 <DIR> d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 20:25 --------- d-----w c:\documents and settings\Proprietario\Dati applicazioni\Lavasoft
2009-03-25 18:29 --------- d-----w c:\programmi\Symantec
2009-03-25 18:28 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-25 18:28 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 18:28 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-25 18:28 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-07 13:58 --------- d-----w c:\programmi\Google
2009-03-04 13:31 --------- d-----w c:\programmi\eMule
2009-03-01 18:15 --------- d-----w c:\programmi\File comuni\DVDVideoSoft
2009-03-01 18:14 --------- d-----w c:\programmi\DVDVideoSoft
2009-02-19 09:37 --------- d-----w c:\programmi\File comuni\Symantec Shared
2009-02-18 22:41 --------- d-----w c:\programmi\Windows Sidebar
2009-02-18 22:41 --------- d-----w c:\programmi\Norton AntiVirus
2009-02-18 22:41 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Norton
2009-02-18 22:40 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\NortonInstaller
2009-02-18 22:39 --------- d-----w c:\programmi\NortonInstaller
2009-02-10 23:43 58,776 ----a-w c:\documents and settings\Proprietario\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-02-10 23:21 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-02-10 20:50 --------- d-----w c:\programmi\Spybot - Search & Destroy
2009-02-09 14:04 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 20:27 --------- d-----w c:\documents and settings\Proprietario\Dati applicazioni\Skype
2009-02-08 11:28 --------- d-----w c:\programmi\iTunes
2009-02-08 11:28 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-08 11:27 --------- d-----w c:\programmi\iPod
2009-02-08 11:27 --------- d-----w c:\programmi\File comuni\Apple
2009-02-08 11:27 --------- d-----w c:\programmi\Bonjour
2009-02-08 11:26 --------- d-----w c:\programmi\QuickTime
2009-02-08 11:24 --------- d-----w c:\programmi\Apple Software Update
2009-02-05 12:52 505,856 ----a-w c:\windows\system32\old120.tmp
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-05-12 08:59 103,776 ----a-w c:\documents and settings\Proprietario\System_Restore.exe
2008-05-12 08:58 357,768 ----a-w c:\documents and settings\Proprietario\SymXPep2.dll
2008-04-29 13:55 251,216 ----a-w c:\documents and settings\Proprietario\IView.exe
2007-01-02 10:26 20,155,344 ----a-w c:\programmi\SkypeSetup.exe
2007-01-02 10:23 36,808,256 ----a-w c:\programmi\iTunesSetup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-04_23.29.42,50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-05 21:41:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_168.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [BU]
"irsee"="c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" [BU]
"NVIEW"="nview.dll" [2002-10-01 c:\windows\system32\nview.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\programmi\Internet Explorer\iexplore.exe" [2008-04-14 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688]
"KYE_Showicon"="c:\programmi\USB Storage RW\shwicon.exe" [2002-10-25 69632]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Share-to-Web Namespace Daemon"="c:\programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PS2"="c:\windows\system32\ps2.exe" [2002-06-14 81920]
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"StorageGuard"="c:\programmi\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"Piolet"="c:\programmi\Piolet\Piolet.exe" [BU]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2002-10-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.exe.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-26 113664]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-18 2752512]
hp center.lnk - c:\programmi\hp center\137903\Program\BackWeb-137903.exe [2003-01-01 16384]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\eMule\\emule.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Dati applicazioni\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-03 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 00:07:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\programmi\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
Scan completion time: 2009-04-06 0.11.54
ComboFix-quarantined-files.txt 2009-04-05 22:10:49
ComboFix2.txt 2009-04-05 21:52:51
ComboFix3.txt 2009-04-04 21:33:15

Pre-Run: 37.187.776.512 bytes free
Post-Run: 37,171,826,688 bytes free

143 --- E O F --- 2009-03-15 08:23:24



*****************



This is the Kaspersky Online Scanner report:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, April 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, April 06, 2009 11:58:52
Records in database: 2017642
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 81590
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:58:12


File name / Threat name / Threats count
C:\Documents and Settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\cache\6.0\53\34cea775-21125f38 Infected: Exploit.Java.ByteVerify 1
C:\Programmi\eMule\Uninstall.exe Infected: not-a-virus:AdWare.Win32.Agent.kee 1

The selected area was scanned.



********************



Finally, this is a fresh DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Proprietario at 22.40.26,60 on 06/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.735.482 [GMT 2:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Programmi\USB Storage RW\shwicon.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
svchost.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Documents and Settings\Proprietario\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\programmi\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmi\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programmi\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programmi\file comuni\nero\lib\NMBgMonitor.exe"
uRun: [irsee] "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" irsee
uRunOnce: [<NO NAME>] c:\programmi\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000097.000001cd
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KYE_Showicon] "c:\programmi\usb storage rw\shwicon.exe" -t"kye\USB Storage RW"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [Share-to-Web Namespace Daemon] c:\programmi\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [StorageGuard] "c:\programmi\veritas software\update manager\sgtray.exe" /r
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [Piolet] c:\programmi\piolet\Piolet.exe SILENT
mRun: [NBKeyScan] "c:\programmi\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adobeg~1.lnk - c:\programmi\file comuni\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpcent~1.lnk - c:\programmi\hp center\137903\program\BackWeb-137903.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - c:\programmi\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114461336308
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - c:\programmi\file comuni\a&w\MidRadio.ocx
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programmi\file comuni\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSXpx86.sys [2009-4-3 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.003\NAVENG.SYS [2009-4-6 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.003\NAVEX15.SYS [2009-4-6 876144]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\symantec\liveupdate\aluschedulersvc.exe" --> c:\programmi\symantec\liveupdate\ALUSchedulerSvc.exe [?]

=============== Created Last 30 ================

2009-04-06 00:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 00:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 23:24 <DIR> a-dshr-- C:\cmdcons
2009-04-04 23:22 161,792 a------- c:\windows\SWREG.exe
2009-04-04 23:22 98,816 a------- c:\windows\sed.exe
2009-03-26 08:24 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys

==================== Find3M ====================

2009-03-29 10:39 408,776 a------- c:\windows\system32\perfh010.dat
2009-03-29 10:39 55,420 a------- c:\windows\system32\perfc010.dat
2009-03-25 20:28 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-25 20:28 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 20:28 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-25 20:28 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-11 01:43 58,776 a------- c:\docume~1\propri~1\datiap~1\GDIPFONTCACHEV1.DAT
2009-02-09 16:04 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-05 14:52 505,856 a------- c:\windows\system32\old120.tmp
2009-01-27 18:47 80,343 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-27 13:35 23,604 a------- c:\windows\system32\emptyregdb.dat
2008-05-12 10:59 103,776 a------- c:\documents and settings\proprietario\System_Restore.exe
2008-05-12 10:58 357,768 a------- c:\documents and settings\proprietario\SymXPep2.dll
2008-04-29 15:55 251,216 a------- c:\documents and settings\proprietario\IView.exe
2007-01-02 12:26 20,155,344 a------- c:\programmi\SkypeSetup.exe
2007-01-02 12:23 36,808,256 a------- c:\programmi\iTunesSetup.exe

============= FINISH: 22.41.40,26 ===============



**************


Looking forward to your reply, with best wishes (and many thanks for the assistance you are lending me!).

Francesco

#8 Blade81 (Malware Response Team, Finland)

Posted 06 April 2009 - 05:37 PM

> No such file is found on my PC (I have also launched a file search on Windows, and the result was there is no file whose name includes "irsee.exe").

OK. In that case we may remove the startup entry related to that file.



Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\cache\6.0\53\34cea775-21125f38
C:\Programmi\eMule\Uninstall.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"irsee"=-


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh dds.txt log. How's the system running?


ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any process named findstr, find, sed or swreg; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided here are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
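The CFScript above removes exactly one Run value, "irsee", because its target is out of place: an HKCU autorun loading an executable from the NetworkService profile's "Impostazioni locali\Dati applicazioni" (Local Settings\Application Data), a directory no installer uses for a per-user autorun, while every other Run entry in the DDS log points at installed vendor software. The Python script below is an added example by the editor, not code from DDS, ComboFix or anyone in this thread; it applies that reasoning mechanically to the "Pseudo HJT Report" section of a DDS log. It flags Run/RunOnce entries whose real target (the rundll32 argument, not rundll32.exe itself) lives in a profile data or temp directory or under a service-account profile, lists BHO/toolbar/explorer-bar CLSIDs marked "No File", and emits a ComboFix `Registry::` stanza in the same shape as the one posted above. The directory list and the service-account check are the example's own assumptions; the embedded sample lines are copied from the DDS logs in this thread.

```python
"""Triage the autorun lines of a DDS "Pseudo HJT Report" (added example; not
code from DDS, ComboFix or this thread's helpers). The suspicious-directory
list and the service-account check are assumptions of this example; the
SAMPLE_LOG lines are copied from the DDS logs posted above."""
import re
from dataclasses import dataclass, field

# Italian XP folder names are included because the log comes from an Italian
# XP install ("Dati applicazioni" = Application Data, "Impostazioni locali" =
# Local Settings). Installers rarely place a per-user autorun in these.
PROFILE_DATA_DIRS = ("\\application data\\", "\\local settings\\",
                     "\\dati applicazioni\\", "\\impostazioni locali\\", "\\temp\\")
# Built-in service accounts never log on interactively, so an autorun that
# points into their profile has no ordinary reason to exist.
SERVICE_PROFILES = ("networkservice", "localservice")
HIVES = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}

RUN_LINE = re.compile(r"^(?P<hive>[um])Run(?P<once>Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOFILE_LINE = re.compile(r"^(?P<kind>BHO|TB|EB): [^{]*\{(?P<clsid>[0-9A-Fa-f-]{36})\} - No File$")
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|cpl|scr|com|bat))"?', re.IGNORECASE)


@dataclass
class Finding:
    hive: str      # "u" (HKCU) or "m" (HKLM); "" for an orphaned CLSID
    key: str       # "Run", "RunOnce", or the DDS tag (BHO/TB/EB)
    name: str      # value name or CLSID
    target: str    # file the entry actually loads, lower-cased
    reasons: list = field(default_factory=list)


def loaded_module(cmd: str) -> str:
    """Return the file an autorun command really loads, lower-cased."""
    cmd = cmd.strip()
    m = EXE_PATH.match(cmd)
    if not m:
        return cmd.lower()
    path, rest = m.group("path"), cmd[m.end():].strip()
    # rundll32 is only a host process; the interesting file is its argument.
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        return rest.split(",", 1)[0].strip().lower()
    return path.lower()


def suspicious_reasons(target: str) -> list:
    """Location heuristics: where does the autorun target live?"""
    reasons = []
    if any(d in target for d in PROFILE_DATA_DIRS):
        reasons.append("target lives in a profile data or temp directory")
    for acct in SERVICE_PROFILES:
        if f"\\documents and settings\\{acct}\\" in target:
            reasons.append(f"target sits under the {acct} service-account profile")
    return reasons


def triage(log_text: str) -> list:
    """One Finding per Run/RunOnce line worth a human look, plus orphaned CLSIDs."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_LINE.match(line):
            target = loaded_module(m.group("cmd"))
            if reasons := suspicious_reasons(target):
                key = "RunOnce" if m.group("once") else "Run"
                findings.append(Finding(m.group("hive"), key, m.group("name"), target, reasons))
        elif m := NOFILE_LINE.match(line):
            findings.append(Finding("", m.group("kind"), m.group("clsid").upper(), "",
                                    ["registered component whose file is missing"]))
    return findings


def cfscript_registry_section(findings: list) -> str:
    """ComboFix 'Registry::' stanza deleting the flagged Run/RunOnce values, in
    the same shape as the CFScript posted above ("name"=- deletes a value).
    Orphaned CLSIDs are reported only, never turned into deletions."""
    by_key = {}
    for f in findings:
        if f.hive in HIVES:
            key = f"[{HIVES[f.hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f.key}]"
            by_key.setdefault(key, []).append(f.name)
    if not by_key:
        return ""
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines += [key] + [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


# Sample input: lines copied from the DDS logs posted in this thread.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
uRun: [irsee] "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\irsee.exe" irsee
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.key:8} {f.name:40} {f.target}  {'; '.join(f.reasons)}")
    print(cfscript_registry_section(found))
```

Run it as-is to triage the embedded sample, or pass the text of a real dds.txt to `triage()`. Treat the output as candidates, not verdicts: the helper here first confirmed with the user that irsee.exe no longer existed before scripting its removal, and a generated stanza deserves the same line-by-line review before it is dragged onto ComboFix.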


#9 Francesco Brighenti (Topic Starter)

Posted 07 April 2009 - 05:06 PM

Hi Blade81,

You wrote to me:

> Refering to the picture above, drag CFScript into ComboFix.exe. Then post the resultant log & a fresh dds.txt log. How's the system running?

The system has started running better since I ran the ComboFix tool for the first time some days ago, but it is still not OK (very slow, and sometimes blocking on one or another Web page until I have to terminate the process using Task Manager).

Have you seen that the Kaspersky online scan located two threats/infected objects on my PC? Are my problems perhaps caused by them?


*****************


This is the new ComboFix log you asked me for:


ComboFix 09-04-04.01 - Proprietario 2009-04-07 23.36.22.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1040.18.735.426 [GMT 2:00]
Running from: c:\documents and settings\Proprietario\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Proprietario\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point

FILE ::
c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\cache\6.0\53\34cea775-21125f38
c:\programmi\eMule\Uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\cache\6.0\53\34cea775-21125f38
c:\programmi\eMule\Uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))))))
.

2009-04-06 00:47 . 2009-04-06 00:45 410,984 --a------ c:\windows\system32\deploytk.dll
2009-04-06 00:47 . 2009-04-06 00:45 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-26 08:24 . 2009-02-27 13:02 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-07 15:58 . 2009-03-07 15:58 <DIR> d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 21:36 --------- d-----w c:\programmi\eMule
2009-04-05 22:45 --------- d-----w c:\programmi\Java
2009-04-05 22:32 --------- d-----w c:\programmi\File comuni\Adobe
2009-04-04 20:25 --------- d-----w c:\documents and settings\Proprietario\Dati applicazioni\Lavasoft
2009-03-25 18:29 --------- d-----w c:\programmi\Symantec
2009-03-25 18:28 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-25 18:28 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 18:28 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-25 18:28 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-07 13:58 --------- d-----w c:\programmi\Google
2009-03-01 18:15 --------- d-----w c:\programmi\File comuni\DVDVideoSoft
2009-03-01 18:14 --------- d-----w c:\programmi\DVDVideoSoft
2009-02-19 09:37 --------- d-----w c:\programmi\File comuni\Symantec Shared
2009-02-18 22:41 --------- d-----w c:\programmi\Windows Sidebar
2009-02-18 22:41 --------- d-----w c:\programmi\Norton AntiVirus
2009-02-18 22:41 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Norton
2009-02-18 22:40 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\NortonInstaller
2009-02-18 22:39 --------- d-----w c:\programmi\NortonInstaller
2009-02-10 23:43 58,776 ----a-w c:\documents and settings\Proprietario\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-02-10 23:21 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-02-10 20:50 --------- d-----w c:\programmi\Spybot - Search & Destroy
2009-02-09 14:04 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 20:27 --------- d-----w c:\documents and settings\Proprietario\Dati applicazioni\Skype
2009-02-08 11:28 --------- d-----w c:\programmi\iTunes
2009-02-08 11:28 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-08 11:27 --------- d-----w c:\programmi\iPod
2009-02-08 11:27 --------- d-----w c:\programmi\File comuni\Apple
2009-02-08 11:27 --------- d-----w c:\programmi\Bonjour
2009-02-08 11:26 --------- d-----w c:\programmi\QuickTime
2009-02-08 11:24 --------- d-----w c:\programmi\Apple Software Update
2009-02-05 12:52 505,856 ----a-w c:\windows\system32\old120.tmp
2008-05-12 08:59 103,776 ----a-w c:\documents and settings\Proprietario\System_Restore.exe
2008-05-12 08:58 357,768 ----a-w c:\documents and settings\Proprietario\SymXPep2.dll
2008-04-29 13:55 251,216 ----a-w c:\documents and settings\Proprietario\IView.exe
2007-01-02 10:26 20,155,344 ----a-w c:\programmi\SkypeSetup.exe
2007-01-02 10:23 36,808,256 ----a-w c:\programmi\iTunesSetup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-04_23.29.42,50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-02 16:07:40 1,914,440 ----a-w c:\windows\Downloaded Program Files\CONFLICT.2\FP_AX_CAB_INSTALLER.exe
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-06-09 23:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-04-05 22:45:57 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-09 23:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-04-05 22:45:57 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 00:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-04-05 22:45:58 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2009-01-28 13:38:55 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-04-06 15:13:21 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-04-07 20:59:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_190.dat
+ 2009-04-07 20:58:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate/default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [BU]
"NVIEW"="nview.dll" [2002-10-01 c:\windows\system32\nview.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\programmi\Internet Explorer\iexplore.exe" [2008-04-14 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688]
"KYE_Showicon"="c:\programmi\USB Storage RW\shwicon.exe" [2002-10-25 69632]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Share-to-Web Namespace Daemon"="c:\programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"PS2"="c:\windows\system32\ps2.exe" [2002-06-14 81920]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"StorageGuard"="c:\programmi\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"Piolet"="c:\programmi\Piolet\Piolet.exe" [BU]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-04-06 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2002-10-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.exe.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-26 113664]
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-18 2752512]
hp center.lnk - c:\programmi\hp center\137903\Program\BackWeb-137903.exe [2003-01-01 16384]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\eMule\\emule.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Dati applicazioni\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-03 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 23:41:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\programmi\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
Scan completion time: 2009-04-07 23.46.04
ComboFix-quarantined-files.txt 2009-04-07 21:44:46
ComboFix2.txt 2009-04-05 22:11:55
ComboFix3.txt 2009-04-05 21:52:51
ComboFix4.txt 2009-04-04 21:33:15

Pre-Run: 36.810.854.400 bytes free
Post-Run: 36,880,408,576 bytes free

161 --- E O F --- 2009-03-15 08:23:24

**************

And this is the new DDS log you asked me for:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Proprietario at 23.53.35,45 on 07/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.735.382 [GMT 2:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Programmi\USB Storage RW\shwicon.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
svchost.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
C:\Programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dumprep.exe
C:\Programmi\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Proprietario\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://it.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programmi\file comuni\nero\lib\NMBgMonitor.exe"
uRunOnce: [<NO NAME>] c:\programmi\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000097.000001cd
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KYE_Showicon] "c:\programmi\usb storage rw\shwicon.exe" -t"kye\USB Storage RW"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [Share-to-Web Namespace Daemon] c:\programmi\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [StorageGuard] "c:\programmi\veritas software\update manager\sgtray.exe" /r
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [Piolet] c:\programmi\piolet\Piolet.exe SILENT
mRun: [NBKeyScan] "c:\programmi\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adobeg~1.lnk - c:\programmi\file comuni\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpcent~1.lnk - c:\programmi\hp center\137903\program\BackWeb-137903.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - c:\programmi\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSXpx86.sys [2009-4-3 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\programmi\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090407.003\NAVENG.SYS [2009-4-7 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\dati applicazioni\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090407.003\NAVEX15.SYS [2009-4-7 876144]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"c:\programmi\symantec\liveupdate\aluschedulersvc.exe" --> c:\programmi\symantec\liveupdate\ALUSchedulerSvc.exe [?]

=============== Created Last 30 ================

2009-04-06 00:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 00:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 23:24 <DIR> a-dshr-- C:\cmdcons
2009-04-04 23:22 161,792 a------- c:\windows\SWREG.exe
2009-04-04 23:22 98,816 a------- c:\windows\sed.exe
2009-03-26 08:24 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys

==================== Find3M ====================

2009-03-29 10:39 408,776 a------- c:\windows\system32\perfh010.dat
2009-03-29 10:39 55,420 a------- c:\windows\system32\perfc010.dat
2009-03-25 20:28 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-25 20:28 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 20:28 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-25 20:28 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-11 01:43 58,776 a------- c:\docume~1\propri~1\datiap~1\GDIPFONTCACHEV1.DAT
2009-02-09 16:04 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-05 14:52 505,856 a------- c:\windows\system32\old120.tmp
2009-01-27 18:47 80,343 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-27 13:35 23,604 a------- c:\windows\system32\emptyregdb.dat
2008-05-12 10:59 103,776 a------- c:\documents and settings\proprietario\System_Restore.exe
2008-05-12 10:58 357,768 a------- c:\documents and settings\proprietario\SymXPep2.dll
2008-04-29 15:55 251,216 a------- c:\documents and settings\proprietario\IView.exe
2007-01-02 12:26 20,155,344 a------- c:\programmi\SkypeSetup.exe
2007-01-02 12:23 36,808,256 a------- c:\programmi\iTunesSetup.exe

============= FINISH: 23.54.25,37 ===============



Awaiting your new instructions, with best regards.

Francesco
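The DDS report above prints IE add-ons (BHO/TB/EB lines with a CLSID) and autorun entries (uRun/mRun lines) in a regular one-line format, so the first triage pass can be scripted. The following Python helper is an added example for this thread; it is not part of DDS, and not code from any of the posts. It parses those lines, lists registrations that point to "No File" (orphaned CLSIDs left behind by removed software; they are clutter to clean up, not proof of an infection), and extracts the program each Run entry launches so the paths can be checked by hand. The sample input is copied from the report posted above; the entry and function names are this example's own.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Input lines copied from the DDS report posted above (the poster's own paths).
SAMPLE_REPORT = r"""
uStart Page = hxxp://it.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
mRun: [Share-to-Web Namespace Daemon] c:\programmi\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [Piolet] c:\programmi\piolet\Piolet.exe SILENT
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre6\bin\jusched.exe"
"""

# "BHO: <name>: {CLSID} - <dll>"  or  "BHO: {CLSID} - No File" (name absent)
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# "uRun: [Name] <command line>", also mRun / uRunOnce / mRunOnce
RUN_RE = re.compile(r"^(?P<kind>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")


@dataclass
class Entry:
    kind: str                  # BHO, TB, EB, uRun, mRun, uRunOnce, mRunOnce
    name: str                  # display name, or "" when DDS printed none
    target: str                # DLL path or full command line; "No File" if orphaned
    clsid: Optional[str] = None

    @property
    def orphaned(self) -> bool:
        return self.target.strip() == "No File"


def parse_report(text: str) -> List[Entry]:
    """Parse the COM and Run-key lines of the Pseudo HJT section; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COM_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"] or "", m["target"], m["clsid"]))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], m["target"]))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """CLSIDs still registered with IE whose DLL no longer exists on disk."""
    return [e for e in entries if e.orphaned]


def launch_target(command: str) -> str:
    """Program a Run-key command line starts: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0]


def is_ambiguous(command: str) -> bool:
    """True for an unquoted command whose first token has no file extension: the executable
    path itself contains spaces, so the text alone does not say where the program ends."""
    command = command.strip()
    if command.startswith('"'):
        return False
    return re.search(r"\.[A-Za-z0-9]{1,4}$", launch_target(command)) is None


def autorun_targets(entries: List[Entry]) -> Dict[str, str]:
    """Map each Run/RunOnce entry name to the program it launches."""
    return {e.name: launch_target(e.target) for e in entries if e.clsid is None}


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for e in orphaned(found):
        print(f"orphaned {e.kind} {e.clsid}: registered, DLL missing")
    for e in found:
        if e.clsid is None:
            note = "  <- unquoted path with spaces, verify by hand" if is_ambiguous(e.target) else ""
            print(f"{e.kind:8} {e.name:32} {launch_target(e.target)}{note}")
```

The ambiguity check matters for lines like the HP Share-to-Web entry: an unquoted path with spaces cannot be split reliably from the log text, so the script flags it for a manual look instead of guessing.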

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 08 April 2009 - 04:30 AM

Hi

P2P file sharing software fragments the hard drive, making reading and writing to it slower sooner or later. Have you defragged the hard drive lately?

I would also upgrade Internet Explorer 6 to either IE 7 or 8. You'll find those here.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 Francesco Brighenti

Francesco Brighenti
  • Topic Starter

  • Members
  • 14 posts

Posted 09 April 2009 - 01:48 AM

Hi Blade81,

You wrote:

> P2P file sharing software fragments hard drive making reading and writing to it slower sooner or later. Have you defragged hard drive lately?

Yes, I have -- just a few weeks ago.

> I would also upgrade Internet Explorer 6 to either IE 7 or 8. You'll find those here.

I don't like IE 7 (and I don't know IE8). Is this upgrading really necessary?

Cheers,
Francesco

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 09 April 2009 - 04:50 AM

Personally I wouldn't use IE 6 if I was made to choose between it and IE 7. Since IE 8 is now officially released I would recommend installing it. Safer than its two predecessors :thumbup2:



#13 Francesco Brighenti

Francesco Brighenti
  • Topic Starter

  • Members
  • 14 posts

Posted 10 April 2009 - 08:52 AM

Dear Blade81,

OK, I'll see about downloading and installing IE8.

Is the process of malware hacking now completed? What about the two threats/infected objects detected by the Kaspersky Online Scanner, whose report I have included in post #7? You have never commented on them so far.

The system is definitely running better than before we started, but at times it is still slow or blocks the display of Web pages.

Another thing I never mentioned to you so far is that every time I shut down Windows, there pop up some small windows that hang on shutdown one after another and say (roughly translating from Italian) 'End Prog Autocomplete'. If I don't close them, the PC doesn't shut down. What is this?

Thanks for your valuable help, and best regards.

Francesco

#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 10 April 2009 - 10:45 AM

> Is the process of malware hacking now completed?

Hi

Basically, it's almost completed. To uninstall ComboFix, do the following, please:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

> What about the two threats/infected objects detected by the Kaspersky Online Scanner, whose report I have included in post #7? You have never commented on them so far.

Both were deleted during the process. Since those weren't such critical findings, I didn't see any special reason to comment on them. :thumbup2:

> Another thing I never mentioned to you so far is that every time I shut down Windows, there pop up some small windows that hang on shutdown one after another and say (roughly translating from Italian) 'End Prog Autocomplete'. If I don't close them, the PC doesn't shut down. What is this?

That means the ending of some process hangs for some reason. I've read somewhere that Norton may cause this. Reinstalling it might help.



#15 Francesco Brighenti

Francesco Brighenti
  • Topic Starter

  • Members
  • 14 posts

Posted 12 April 2009 - 12:47 PM

Dear Blade81,

I've installed IE8. It looks fine!

I've also uninstalled ComboFix and dds.com. What about ATF Cleaner? Can it be useful to me in the future?

Thanks for your precious assistance.

Happy Easter,
Francesco



