
ATRAPS.GEN2 help.... thanks...


23 replies to this topic

#1 walkingcat


  • Members
  • 17 posts

Posted 06 November 2009 - 05:22 PM

Referred from this topic: http://www.bleepingcomputer.com/forums/t/268775/can-someone-help-me-or-should-i-format/ ~ OB

Dear all,
I'm a new member. I'm really in trouble with a virus and I hope you can help me...
I'm using AVIRA antivirus and at Windows startup I receive tons of atrapsgen2 virus alerts related mostly to the windows/system32/c_646217.nls file. They are popping up continuously. What should I do? My OS is Windows XP SP2.
Also, do you have any idea how I can permanently stop AVIRA? Right-clicking on the icon works, but when the system restarts AVIRA is running again and I get all the popup virus alerts.
I have been redirected to this forum by an administrator. I really appreciate your support because I cannot solve this problem...

Attach.txt attached :(

DDS (Ver_09-10-26.01) - NTFSx86
Run by Fiorenzo at 23.19.07,44 on 06/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.2047.1055 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
svchost.exe
C:\Programmi\ASUS\Mobile Theater\Kernel\TV\CLCapSvc.exe
C:\Programmi\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Programmi\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLServer.exe
C:\Programmi\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\RemoteControlService.exe
C:\Programmi\Java\jre6\bin\jqs.exe
c:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\ASUS\Mobile Theater\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Programmi\ASUS\ATK Media\DMEDIA.EXE
C:\Programmi\Wireless Console 2\wcourier.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\ASUS\Splendid\ACMON.exe
C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmi\ASUS\PowerForPhone\PowerForPhone.exe
C:\Programmi\Atheros\ACU.exe
C:\Programmi\ASUS\Mobile Theater\PCMService.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclToBTSrv.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Fiorenzo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programmi\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Guida per l'accesso a Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [LogitechSoftwareUpdate] c:\programmi\logitech\video\ManifestEngine.exe boot
uRun: [PC Suite Tray] "c:\programmi\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [Collegamento alla pagina delle proprietà di High Definition Audio] HDAShCut.exe
mRun: [ATKMEDIA] c:\programmi\asus\atk media\DMEDIA.EXE
mRun: [Wireless Console 2] c:\programmi\wireless console 2\wcourier.exe
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [ACMON] c:\programmi\asus\splendid\ACMON.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Power_Gear] c:\programmi\asus\power4 gear\BatteryLife.exe 1
mRun: [PowerForPhone] c:\programmi\asus\powerforphone\PowerForPhone.exe
mRun: [ACU] c:\programmi\atheros\ACU.exe -nogui
mRun: [PCMService] "c:\programmi\asus\mobile theater\PCMService.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\programmi\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\programmi\logitech\video\LogiTray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [IntelliPoint] "c:\programmi\microsoft intellipoint\ipoint.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min/nosplash
mRun: [SideWinderTrayV4] c:\progra~1\mi948f~1\gameco~1\common\SWTrayV4.exe
mRun: [QuickTime Task] "c:\programmi\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programmi\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adober~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programmi\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programmi\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://gate.rina.org/SNX/CSHELL/extender.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {61E3FE32-07B9-4563-A3E0-2DE2D620FE10} - c:\programmi\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fiorenzo\datiap~1\mozilla\firefox\profiles\gtc0lpan.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/webhp?hl=it&btnG=Cerca+con+Google
FF - plugin: c:\programmi\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-7-31 20616]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2009-5-9 108289]
R2 cpextender;Check Point SSL Network Extender;c:\programmi\checkpoint\ssl network extender\slimsvc.exe [2006-9-12 307295]
R2 ITECIRService;ITE Remote Control Service;c:\windows\system32\RemoteControlService.exe [2006-10-26 656384]
R2 Network WanMiniport First Position;Network WanMiniport First Position;c:\programmi\telecom italia\wanminiport1st\srvany.exe [2002-4-1 8192]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\atk0100\ASNDIS5.sys [2004-5-27 16269]
R3 AVerM115S;AVerM115S service;c:\windows\system32\drivers\AVerM115S.sys [2006-8-3 856832]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [2008-11-20 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [2008-11-20 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [2008-11-20 9024]
R3 ITECIR;ITE CIR Driver;c:\windows\system32\drivers\ITECIR.sys [2006-10-26 7366]
R3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
R3 SWUSBFLT;Driver filtro Microsoft SideWinder VIA;c:\windows\system32\drivers\SWUSBFLT.SYS [2009-5-18 3968]
R3 SynMini;USB2.0 1.3M Web Cam;c:\windows\system32\drivers\SynMini.sys [2006-10-26 720470]
R3 SynScan;USB2.0 1.3M Web Cam Still Image;c:\windows\system32\drivers\SynScan.sys [2006-10-26 8278]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2006-9-12 109008]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys --> c:\windows\system32\drivers\tpcdrdrv.sys [?]
S3 DbusAudio;DbusAudio;c:\windows\system32\drivers\DbusAudio.sys [2009-9-26 23096]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-9-26 23096]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-6-25 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-6-25 8320]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-11-5 34816]
S3 SE2Fbus;Sony Ericsson Device 047 Driver driver (WDM);c:\windows\system32\drivers\SE2Fbus.sys [2007-1-13 61600]
S3 SE2Fmdfl;Sony Ericsson Device 047 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Fmdfl.sys [2007-1-13 9360]
S3 SE2Fmdm;Sony Ericsson Device 047 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Fmdm.sys [2007-1-13 97184]
S3 SE2Fmgmt;Sony Ericsson Device 047 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Fmgmt.sys [2007-1-13 88688]
S3 se2Fnd5;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (NDIS);c:\windows\system32\drivers\se2Fnd5.sys [2007-1-13 18704]
S3 SE2Fobex;Sony Ericsson Device 047 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Fobex.sys [2007-1-13 86560]
S3 se2Funic;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (WDM);c:\windows\system32\drivers\se2Funic.sys [2007-1-13 90800]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]
S3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2006-12-23 538925]

=============== Created Last 30 ================

2009-11-05 19:32:45 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-11-03 23:17:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-03 22:29:12 0 d-s---w- C:\Combo-Fix15470C
2009-11-01 22:21:56 0 d-----w- c:\programmi\file comuni\PC Tools
2009-11-01 15:15:36 0 d-----w- c:\docume~1\fiorenzo\datiap~1\Malwarebytes
2009-11-01 15:15:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 15:15:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 15:15:30 0 d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-11-01 15:15:30 0 d-----w- c:\docume~1\alluse~1\datiap~1\Malwarebytes
2009-11-01 14:44:33 0 d-----w- C:\Combo-Fix28788C
2009-11-01 14:13:18 0 d-sha-r- C:\cmdcons
2009-11-01 14:11:59 98816 ----a-w- c:\windows\sed.exe
2009-11-01 14:11:59 77312 ----a-w- c:\windows\MBR.exe
2009-11-01 14:11:59 236544 ----a-w- c:\windows\PEV.exe
2009-11-01 14:11:59 161792 ----a-w- c:\windows\SWREG.exe
2009-11-01 14:11:48 0 d-----w- C:\Combo-Fix
2009-11-01 12:03:51 37496 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-01 12:03:51 2756 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-01 12:03:51 2485536 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-01 12:03:51 18208 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-01 12:03:42 2539 ----a-w- C:\rollback.ini
2009-11-01 11:37:30 0 d-----w- c:\programmi\file comuni\ParetoLogic
2009-11-01 11:37:30 0 d-----w- c:\docume~1\alluse~1\datiap~1\ParetoLogic
2009-10-30 20:22:21 0 d-----w- c:\programmi\AaaaaAAaaaAAAaaAAAAaAAAAA!!! - A Reckless Disregard for Gravity - The Demo
2009-10-13 21:26:15 0 d-----w- c:\programmi\Lame for Audacity
2009-10-13 20:29:20 0 d-----w- c:\programmi\Audacity 1.3 Beta (Unicode)
2009-10-13 19:55:39 0 d-----w- c:\programmi\Toshiba
2009-10-12 19:05:54 0 d-----w- c:\docume~1\fiorenzo\datiap~1\Blitware
2009-10-10 17:54:27 32 ----a-w- c:\windows\0
2009-10-10 17:54:27 0 ----a-w- c:\windows\system32\0
2009-10-10 16:34:55 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-10 16:33:08 0 d-----r- c:\programmi\Skype

==================== Find3M ====================

2009-11-01 14:12:46 79712 ----a-w- c:\windows\system32\perfc010.dat
2009-11-01 14:12:46 479418 ----a-w- c:\windows\system32\perfh010.dat
2009-10-22 09:16:23 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 03:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-26 13:47:38 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-09-17 05:00:16 23096 ----a-w- c:\windows\system32\drivers\DrmRAudio.sys
2009-09-17 04:56:46 23096 ----a-w- c:\windows\system32\drivers\DbusAudio.sys
2009-09-11 14:17:34 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:17:34 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:04 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:04 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:37:12 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:31 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:31 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2008-11-16 11:03:09 32768 --sha-w- c:\windows\system32\config\systemprofile\impostazioni locali\cronologia\history.ie5\mshist012008111620081117\index.dat

============= FINISH: 23.19.35,56 ===============



Rootrepeal is not working (not even after renaming it); it says "could not load the driver".
I also tried to run it in safe mode and another error appears: "exception address:0x004eca19"



Here follows the history of my post. At the end you can read that garmanma suggested that I post here.




Malwarebytes' Anti-Malware 1.41
Versione del database: 3077
Windows 5.1.2600 Service Pack 3

01/11/2009 17.36.17
mbam-log-2009-11-01 (17-36-17).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 369399
Tempo trascorso: 1 hour(s), 18 minute(s), 36 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 3
Valori di registro infetti: 1
Elementi dato del registro infetti: 0
Cartelle infette: 1
File infetti: 4

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Miracle (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adsltaskbar (Trojan.Agent) -> Quarantined and deleted successfully.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\Documents and Settings\All Users\Menu Avvio\Programmi\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

File infetti:
C:\Documents and Settings\All Users\Menu Avvio\Programmi\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Avvio\Programmi\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Avvio\Programmi\RelevantKnowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Avvio\Programmi\RelevantKnowledge\Uninstall Instructions.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.



LOG from CMD

---------------------

Il volume nell'unità C non ha etichetta.
Numero di serie del volume: E4E4-8B9A

Directory di C:\WINDOWS\$NtServicePackUninstall$

19/08/2004 14.00 186.880 scecli.dll

Directory di C:\WINDOWS\$NtServicePackUninstall$

19/08/2004 14.00 407.040 netlogon.dll

Directory di C:\WINDOWS\$NtServicePackUninstall$

19/08/2004 14.00 55.808 eventlog.dll
3 File 649.728 byte

Directory di C:\WINDOWS\ERDNT\cache

14/04/2008 03.13 187.904 scecli.dll

Directory di C:\WINDOWS\ERDNT\cache

14/04/2008 03.13 407.040 netlogon.dll

Directory di C:\WINDOWS\ERDNT\cache

14/04/2008 03.13 56.320 eventlog.dll
3 File 651.264 byte

Directory di C:\WINDOWS\ServicePackFiles\i386

14/04/2008 03.13 187.904 scecli.dll

Directory di C:\WINDOWS\ServicePackFiles\i386

14/04/2008 03.13 407.040 netlogon.dll

Directory di C:\WINDOWS\ServicePackFiles\i386

14/04/2008 03.13 56.320 eventlog.dll
3 File 651.264 byte

Directory di C:\WINDOWS\system32

14/04/2008 03.13 187.904 scecli.dll

Directory di C:\WINDOWS\system32

14/04/2008 03.13 407.040 netlogon.dll

Directory di C:\WINDOWS\system32

14/04/2008 03.13 56.320 eventlog.dll
3 File 651.264 byte

Totale file elencati:
12 File 2.603.520 byte
0 Directory 36.284.979.200 byte disponibili
---------------------------------------------------

LOG from Win32kDiag.exe

--------------------------------------------
Running from: C:\Documents and Settings\Fiorenzo\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Fiorenzo\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!
----------------------------------------------

Attached Files


Edited by Orange Blossom, 06 November 2009 - 07:17 PM.
Removed unnecessary quoting from posts and additional side and sig. content. ~ OB
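The SERVICES / DRIVERS section of the DDS log above can be triaged mechanically rather than by eye. As an added example that is not part of the original post or of the DDS tool, this Python parser reads lines in the layout shown above and lists entries whose file DDS could not find (the "--> path [?]" form) for a human to review; the meaning of the R/S letter, the start-type digit and the "[?]" marker are assumptions about DDS output, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines copied from the "SERVICES / DRIVERS" section of
# the DDS log posted above (not the complete section).
SAMPLE_DDS_DRIVERS = r"""
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-7-31 20616]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2009-5-9 108289]
R3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys --> c:\windows\system32\drivers\tpcdrdrv.sys [?]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]
S3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2006-12-23 538925]
"""

# One DDS service/driver line. Assumed layout (DDS output is not formally documented):
#   <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
# with a second form "<image path> --> <resolved path> [?]" when DDS could not find the file.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]$"
)

# Assumed mapping of the start-type digit (Windows service start values).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class DriverEntry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    file_found: bool
    reasons: List[str]


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one line; returns None for headers, blanks and unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    info = m.group("info").strip()
    file_found = info != "?"  # assumption: DDS prints "[?]" when it cannot stat the file
    entry = DriverEntry(
        running=m.group("state") == "R",
        start_type=START_TYPES.get(m.group("start"), m.group("start")),
        name=m.group("name"),
        display=m.group("display"),
        path=m.group("resolved") or m.group("path"),
        file_found=file_found,
        reasons=[],
    )
    # Triage heuristics: they mark entries for a person to review, not for deletion.
    # Legitimate tools (rootrepeal here) will show up too when their driver is absent.
    if not file_found:
        entry.reasons.append("service points at a file DDS could not find")
    if entry.display == entry.name:
        entry.reasons.append("no descriptive display name")
    if entry.start_type in ("boot", "system") and not file_found:
        entry.reasons.append("early-start driver with missing file")
    return entry


def triage(dds_text: str) -> List[DriverEntry]:
    """Return every parsed entry that collected at least one review reason."""
    entries = [parse_driver_line(line) for line in dds_text.splitlines()]
    return [e for e in entries if e is not None and e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS_DRIVERS):
        print(f"{e.name:<16} start={e.start_type:<7} file_found={e.file_found}  {'; '.join(e.reasons)}")
```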




#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 November 2009 - 08:00 PM

Hello

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 walkingcat

  • Topic Starter

  • Members
  • 17 posts

Posted 11 November 2009 - 05:15 PM

:(
Great, finally someone can help me! The situation is exactly the same... you can read the post above to check some logs too...
Attached are the new logs you asked for.
Thanks a lot for your time!

Attached Files

  • Attached File  log.txt   40.37KB   10 downloads
  • Attached File  info.txt   31.84KB   14 downloads


#4 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 12 November 2009 - 07:27 PM

Hi walkingcat,

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.




Your logs show that you have been running Combofix.

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt from the run you have already done, if you do not have it leave it out, do not run it again.


Please post back here with the following logs:
  • Gmer log
  • Combofix.txt
Thanks



#5 walkingcat

  • Topic Starter

  • Members
  • 17 posts

Posted 13 November 2009 - 02:27 PM

Sorry for using combofix without your supervision. I read the disclaimer too late. Anyway, the logs are attached.
Thanks....

Attached Files



#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 13 November 2009 - 06:34 PM

First delete the copy of combofix you have and download a new copy.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\c_646217.nls
c:\windows\system32\c_646237.nls
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=-
"midi1"=-
"mixer2"=-
"midi2"=-
"aux1"=-
"aux2"=-
"wave1"=-
"mixer1"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post back here with the following logs:
  • Combofix.txt
  • MBAM log
Thanks

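A removal script like the CFScript in the post above is worth decoding before it is run, given the ComboFix warning earlier in the thread. As an added example that is not part of the original post or of ComboFix, this Python parser turns that script into a reviewable action list; it assumes File:: lists files to delete and Registry:: follows .reg-file syntax, where "name"=- deletes a value and any other data sets it.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed copy of the CFScript quoted in the post above (the text the
# helper asked the user to save as CFScript.txt).
CFSCRIPT = r"""
File::
c:\windows\system32\c_646217.nls
c:\windows\system32\c_646237.nls
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=-
"midi1"=-
"mixer2"=-
"midi2"=-
"aux1"=-
"aux2"=-
"wave1"=-
"mixer1"=-
"""


@dataclass
class Action:
    kind: str                   # "delete_file", "delete_value" or "set_value"
    target: str                 # file path, or registry key for registry actions
    name: str = ""              # value name (registry actions only)
    data: Optional[Any] = None  # decoded data for set_value


# One "name"=data line inside a Registry:: block (.reg file syntax).
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def decode_reg_data(raw: str) -> Any:
    """Decode .reg-style data: 'dword:HEX' to int, "..." to str; other types kept verbatim."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def parse_cfscript(text: str) -> List[Action]:
    """Turn a CFScript into a flat list of the actions it requests (assumed semantics,
    see the lead-in): File:: deletes files; Registry:: uses .reg syntax."""
    actions: List[Action] = []
    section: Optional[str] = None
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, key = line[:-2], None
            continue
        if section == "File":
            actions.append(Action("delete_file", line))
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                continue
            m = VALUE_RE.match(line)
            if m is None or key is None:
                raise ValueError(f"cannot parse Registry line: {line!r}")
            name, raw = m.group("name"), m.group("data")
            if raw == "-":
                actions.append(Action("delete_value", key, name))
            else:
                actions.append(Action("set_value", key, name, decode_reg_data(raw)))
        else:
            raise ValueError(f"line outside a File::/Registry:: section: {line!r}")
    return actions


def summarize(actions: List[Action]) -> Dict[str, int]:
    """Count actions by kind so a reviewer sees the script's footprint at a glance."""
    counts: Dict[str, int] = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    for a in plan:
        print(a)
    print(summarize(plan))
```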


#7 walkingcat

  • Topic Starter

  • Members
  • 17 posts

Posted 16 November 2009 - 03:30 PM

Hi Syler! I followed your instructions and this is what came out:

1) combofix is producing a bug.txt file that you can find attached
2) mbam doesn't find any malware. Log attached

Thanks

P.S. I just realized that the process CF11096.cfxxe remained open for hours after I launched combofix. When I wanted to shut off the system, a warning message came out saying that I had to abort that process.

Attached Files


Edited by walkingcat, 16 November 2009 - 06:17 PM.


#8 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 November 2009 - 09:48 PM

Ok, please delete the copy of combofix you have and download a new copy, then run combofix without the cfscript and post back with combofix.txt.



#9 walkingcat

  • Topic Starter

  • Members
  • 17 posts

Posted 17 November 2009 - 06:21 PM

:(
It seems there is the same problem even if I run the newly downloaded combofix without using the script. I run it, it starts and nothing happens. Just a process cf28643.cfxxe remains running but actually not working...
What a terrible virus I got!!!! I really hope you can do something...

#10 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 17 November 2009 - 11:19 PM

Let's try this then, first delete the copy of combofix you have, again. Then follow these instructions to rename it before you download it, then run it again without the script.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    Link 1
    Link 2
    Link 3

    Posted Image


    Posted Image
    --------------------------------------------------------------------
  • Double click on Syler.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt .



#11 walkingcat

  • Topic Starter

  • Members
  • 17 posts

Posted 18 November 2009 - 05:12 PM

No change...
It seems that since I ran it with the script it doesn't work anymore.
:(

Edited by walkingcat, 18 November 2009 - 05:13 PM.


#12 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 20 November 2009 - 04:30 AM

Can you tell me what happens when you run combofix? At what point does it stop working?



#13 walkingcat

  • Topic Starter

  • Members
  • 17 posts

Posted 20 November 2009 - 11:54 AM

As I wrote, it seems that it stopped working since I ran the script for the first time. Now, even if I download a new version and run it without any script, after the first popup saying something like "this program should be used only for private purposes and by experienced people...", nothing happens: the usual blue DOS screen doesn't appear and the process goes on running in the background (I can see it in the process list). It never stops until I shut down the laptop, and it seems it is frozen since it doesn't use any CPU resources. I noticed that in the bug.txt file I sent to you (that was produced when I was running the script) it is written that a kind of antivirus guard is running together with combofix and that is dangerous, but actually, as far as I know, I don't have any antivirus guard active since I deactivate AVIRA at each startup because otherwise millions of atrapsgen2 virus popups fill my monitor...

I hope this can help...

Edited by walkingcat, 21 November 2009 - 06:14 AM.


#14 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 November 2009 - 05:58 PM

If Combofix didn't run when you ran the script, then that can not have caused it to stop working. Try running it in safe mode to see if that makes a difference; if not, we
will use another tool.



#15 walkingcat

  • Topic Starter

  • Members
  • 17 posts

Posted 22 November 2009 - 07:59 AM

Syler!!!!! It worked in safe mode!!!! And it seems that it cleaned my system because now no virus is detected at startup!!
I attach the log. If you think it is necessary, I think now I can run combofix in safe mode with the SCRIPT. Let me know...
Thanks to you I see the light at the end of the tunnel :(

Attached Files

  • Attached File  log.txt   20.92KB   17 downloads




