Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware: windows and internet stuck


  • This topic is locked This topic is locked
9 replies to this topic

#1 marilla

marilla

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 20 April 2010 - 11:58 AM

Dear Bleeping Staff,
a month ago my laptop was infected by AVE.exe but following your standard guide the problem was solved (many many thanks for that). Now Malwarebytes and Avira Antivirus are currently running. Just a couple of days ago, I had another infection, this time was the Symantec Rogue. Using other free antivirus and and checking the step 2 of your guide didn't solve the problem. Avira found TR/Rootkit.gen and Spydoctor found Adware.IEPluging. Now Windows and Internet explorer are so slow that the only way to follow the procedure indicated by you (DDS and GMer) is on a Safe Mode. Specifically on the Safe Mode Internet Explorer (and windows programs also) are running without any problem..... I don't really know what to do now! Please I need your help. Thanks in advance. Angela

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by ameloni at 15.52.02,20 on 20/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1527.1251 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ameloni\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\programmi\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\programmi\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - BrowserHelper Class
BHO: Guida per l'accesso a Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\programmi\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\programmi\spyware doctor\bdt\PCTBrowserDefender.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\programmi\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\programmi\skype\phone\Skype.exe" /nosplash /minimized
uRun: [PC Suite Tray] "c:\programmi\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [Apoint] c:\programmi\apoint\Apoint.exe
mRun: [IntelWireless] c:\programmi\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\programmi\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [DVDLauncher] "c:\programmi\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\programmi\file comuni\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\programmi\file comuni\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\programmi\file comuni\java\java update\jusched.exe"
mRun: [HP Software Update] c:\programmi\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min
mRun: [ISTray] "c:\programmi\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\ameloni\menu avvio\programmi\esecuzione automatica\monxga32.exe
StartupFolder: c:\docume~1\ameloni\menuav~1\progra~1\esecuz~1\utilit~1.lnk - c:\programmi\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\digita~1.lnk - c:\programmi\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hp digital imaging monitor.lnk - c:\programmi\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\programmi\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\programmi\file comuni\pc tools\lsp\PCTLsp.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.it/s/v/56.20/uploader2.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://mail.millhillgroup.com/ConnectComputer/nshelp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183388377087
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183388343849
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} - hxxp://selfcare.tiscali.it/scripts/oneclick/ConnessioneTiscali.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\programmi\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-20 217032]
S1 avgio;avgio;c:\programmi\avira\antivir desktop\avgio.sys [2010-3-18 11608]
S1 SAVRT;SAVRT;c:\programmi\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\programmi\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S2 a2free;a-squared Free Service;c:\programmi\a-squared free\a2service.exe [2010-4-20 1872320]
S2 AntiVirScheduler;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2010-3-18 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\programmi\avira\antivir desktop\avguard.exe [2010-3-18 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-18 56816]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\programmi\spyware doctor\bdt\BDTUpdateService.exe [2010-4-20 112592]
S2 ccEvtMgr;Symantec Event Manager;c:\programmi\file comuni\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [2006-5-5 258048]
S2 ccSetMgr;Symantec Settings Manager;c:\programmi\file comuni\symantec shared\ccSetMgr.exe [2006-7-19 169632]
S2 SavRoam;SAVRoam;c:\programmi\symantec antivirus\SavRoam.exe [2006-11-27 119392]
S2 sdAuxService;PC Tools Auxiliary Service;c:\programmi\spyware doctor\pctsAuxs.exe [2010-4-20 366840]
S2 sdCoreService;PC Tools Security Service;c:\programmi\spyware doctor\pctsSvc.exe [2010-4-20 1142224]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\programmi\symantec antivirus\Rtvscan.exe [2006-11-27 1836640]
S3 cmusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2051;c:\windows\system32\drivers\cmusbser.sys [2008-12-26 103552]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-8 102448]
S3 MA8630C;MA8630C;c:\windows\system32\drivers\MA8630C.sys [2006-8-9 23248]
S3 MA8630M;MA8630M;c:\windows\system32\drivers\MA8630M.sys [2006-8-9 25428]
S3 MA8630U;MA8630U;c:\windows\system32\drivers\MA8630U.sys [2006-8-9 50769]
S3 NAVENG;NAVENG;c:\progra~1\fileco~1\symant~1\virusd~1\20090203.003\naveng.sys [2009-2-4 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\fileco~1\symant~1\virusd~1\20090203.003\navex15.sys [2009-2-4 876112]

=============== Created Last 30 ================

2010-04-20 12:31:46 1409 ----a-w- c:\windows\QTFont.for
2010-04-20 12:31:43 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-20 09:13:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 08:39:36 0 d-----w- c:\programmi\a-squared Free
2010-04-20 08:12:45 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-20 08:12:45 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-20 08:12:45 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-20 08:12:45 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-20 08:12:45 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-20 08:12:45 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-20 08:12:45 131 ----a-w- c:\windows\IDB.zip
2010-04-20 08:12:45 1152444 ----a-w- c:\windows\UDB.zip
2010-04-20 08:10:54 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-20 08:10:54 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-20 08:10:50 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-20 08:10:50 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-20 08:10:50 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-20 08:10:50 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-20 08:10:46 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-20 08:10:46 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-20 08:10:38 0 d-----w- c:\programmi\Spyware Doctor
2010-04-20 08:10:38 0 d-----w- c:\programmi\file comuni\PC Tools
2010-04-20 08:10:38 0 d-----w- c:\docume~1\ameloni\datiap~1\PC Tools
2010-04-20 08:10:38 0 d-----w- c:\docume~1\alluse~1\datiap~1\PC Tools
2010-04-19 21:57:47 0 ----a-w- c:\documents and settings\ameloni\defogger_reenable
2010-04-19 18:29:48 0 d-sh--w- c:\documents and settings\ameloni\IECompatCache
2010-04-14 09:19:45 0 d-----w- c:\docume~1\ameloni\datiap~1\M24_AFC
2010-04-14 09:06:02 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-14 09:06:02 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-14 08:33:24 118 ----a-w- c:\windows\system32\MRT.INI
2010-03-23 07:55:19 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-22 19:40:48 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-03-22 19:40:48 26112 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-03-22 19:40:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-03-22 19:40:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-03-22 19:40:18 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-03-22 19:33:18 0 d-----w- c:\programmi\file comuni\PCSuite
2010-03-22 19:33:05 0 d-----w- c:\programmi\file comuni\Nokia
2010-03-22 19:32:49 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-22 19:32:36 0 d-----w- c:\programmi\PC Connectivity Solution
2010-03-22 19:32:25 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-03-22 19:32:24 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-03-22 19:32:23 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-03-22 19:32:22 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-03-22 19:32:22 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-03-22 19:32:22 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-03-22 19:31:58 0 d-----w- c:\programmi\Nokia
2010-03-22 19:19:02 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

==================== Find3M ====================

2010-04-20 11:28:08 430148 ----a-w- c:\windows\system32\perfh010.dat
2010-04-20 11:28:07 65292 ----a-w- c:\windows\system32\perfc010.dat
2010-03-29 22:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:53 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:53 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 02:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 09:46:30 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:56:02 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 12:05:08 2193664 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 12:05:08 2193664 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 19:05:06 2070528 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 19:05:06 2070528 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 19:05:03 2149888 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 19:05:02 2028032 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-13 18:59:47 204505 ----a-w- c:\windows\hpoins46.dat
2010-02-12 04:33:08 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:08 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2008-10-22 08:25:11 32768 --sha-w- c:\windows\system32\config\systemprofile\impostazioni locali\cronologia\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 15.52.52,87 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 marilla

marilla
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 20 April 2010 - 04:57 PM

Following to the topic below indicated, I've tried to update Malwarebyte in Safe Mode (in normal mode wasn't possible) and it worked. The program has deleted the monxga32.exe and now also the normal mode seems to be ok (internet expl is working).
Now my question are: was it the only problem? Are there any other hidden or sleepy trojan agents?
Thanks again.
Angela

#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:19 PM

Posted 25 April 2010 - 02:32 PM

Hello, and welcome.gif to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. smile.gif

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#4 marilla

marilla
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 27 April 2010 - 01:13 PM

Hi Blade!
Thanks a lot for your reply!!! I was a bit desperate busy.gif since this is the only pc I can use in these days and I really need it! sad.gif
In the last days I was fighting with this weird virus with the following steps: working on Safe Mode, dayly updating Malwarebytes and Avira; running them with a full scan more than once every day; killing the monxga32 and else; working again on Normal Mode. After killing the virus, it was back in a couple of times. Then I follow also the steps I found on this link (http://ethadev.blogspot.com/2010/04/delete-monxga32exe-from-your-pc.html).

I'm a bit worried that HE's still somewhere, ready to come back!!! As a matter of fact, I noticed that the CPU often has peak values of around 100% and the pc become slow....
Hope to be clear for you....my technical english on this matter is not very good! Sorry in advance for that.

Thanks for your precious help!
Angela


DDS (Ver_10-03-17.01) - NTFSx86
Run by ameloni at 19.56.32,67 on 27/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1527.699 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Programmi\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Apoint\Apoint.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Dell\QuickSet\quickset.exe
C:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\Apoint\HidFind.exe
C:\Programmi\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Programmi\Digital Line Detect\DLG.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqbam08.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\ameloni\Desktop\dds0.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.ilsole24ore.com/
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\programmi\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - BrowserHelper Class
BHO: Guida per l'accesso a Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\programmi\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\programmi\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\programmi\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [PC Suite Tray] "c:\programmi\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [Apoint] c:\programmi\apoint\Apoint.exe
mRun: [IntelWireless] c:\programmi\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\programmi\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [DVDLauncher] "c:\programmi\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\programmi\file comuni\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\programmi\file comuni\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\programmi\file comuni\java\java update\jusched.exe"
mRun: [HP Software Update] c:\programmi\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\ameloni\menuav~1\progra~1\esecuz~1\utilit~1.lnk - c:\programmi\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\digita~1.lnk - c:\programmi\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hp digital imaging monitor.lnk - c:\programmi\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\programmi\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.it/s/v/56.20/uploader2.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://mail.millhillgroup.com/ConnectComputer/nshelp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183388377087
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183388343849
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} - hxxp://selfcare.tiscali.it/scripts/oneclick/ConnessioneTiscali.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\programmi\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programmi\avira\antivir desktop\avgio.sys [2010-4-26 11608]
R1 SAVRT;SAVRT;c:\programmi\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\programmi\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 a2free;a-squared Free Service;c:\programmi\a-squared free\a2service.exe [2010-4-20 1872320]
R2 AntiVirScheduler;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2010-4-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programmi\avira\antivir desktop\avguard.exe [2010-4-26 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-18 56816]
R2 ccEvtMgr;Symantec Event Manager;c:\programmi\file comuni\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [2006-5-5 258048]
R2 ccSetMgr;Symantec Settings Manager;c:\programmi\file comuni\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 SavRoam;SAVRoam;c:\programmi\symantec antivirus\SavRoam.exe [2006-11-27 119392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\programmi\symantec antivirus\Rtvscan.exe [2006-11-27 1836640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-8 102448]
R3 NAVENG;NAVENG;c:\progra~1\fileco~1\symant~1\virusd~1\20090203.003\naveng.sys [2009-2-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\fileco~1\symant~1\virusd~1\20090203.003\navex15.sys [2009-2-4 876112]
S3 cmusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2051;c:\windows\system32\drivers\cmusbser.sys [2008-12-26 103552]
S3 MA8630C;MA8630C;c:\windows\system32\drivers\MA8630C.sys [2006-8-9 23248]
S3 MA8630M;MA8630M;c:\windows\system32\drivers\MA8630M.sys [2006-8-9 25428]
S3 MA8630U;MA8630U;c:\windows\system32\drivers\MA8630U.sys [2006-8-9 50769]

=============== Created Last 30 ================

2010-04-25 22:46:55 0 d-----w- c:\programmi\Avira
2010-04-25 22:46:55 0 d-----w- c:\docume~1\alluse~1\datiap~1\Avira
2010-04-25 10:12:50 0 d-----w- c:\docume~1\ameloni\datiap~1\FreeFixer
2010-04-25 10:12:42 0 d-----w- c:\programmi\FreeFixer
2010-04-24 14:39:37 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-24 14:39:36 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-24 10:46:09 0 d-----w- c:\docume~1\alluse~1\datiap~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-24 10:21:57 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-24 10:21:56 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-24 10:20:45 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-24 10:20:45 1409 ----a-w- c:\windows\QTFont.for
2010-04-20 09:13:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 08:39:36 0 d-----w- c:\programmi\a-squared Free
2010-04-20 08:10:38 0 d-----w- c:\programmi\Spyware Doctor
2010-04-19 21:57:47 0 ----a-w- c:\documents and settings\ameloni\defogger_reenable
2010-04-19 18:29:48 0 d-sh--w- c:\documents and settings\ameloni\IECompatCache
2010-04-14 09:19:45 0 d-----w- c:\docume~1\ameloni\datiap~1\M24_AFC
2010-04-14 09:06:02 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-14 09:06:02 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-14 08:33:24 118 ----a-w- c:\windows\system32\MRT.INI

==================== Find3M ====================

2010-04-25 09:47:59 65292 ----a-w- c:\windows\system32\perfc010.dat
2010-04-25 09:47:59 430148 ----a-w- c:\windows\system32\perfh010.dat
2010-03-29 22:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 19:40:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-03-22 19:40:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-03-22 19:19:02 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-03-10 06:15:53 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:53 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 02:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 09:46:30 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:56:02 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 12:05:08 2193664 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 12:05:08 2193664 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 19:05:06 2070528 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 19:05:06 2070528 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 19:05:03 2149888 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 19:05:02 2028032 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-13 18:59:47 204505 ----a-w- c:\windows\hpoins46.dat
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33:08 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:08 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2008-10-22 08:25:11 32768 --sha-w- c:\windows\system32\config\systemprofile\impostazioni locali\cronologia\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 19.57.07,95 ===============






#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:19 PM

Posted 29 April 2010 - 12:58 AM

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix Log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#6 marilla

marilla
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 30 April 2010 - 03:58 AM

Dear Blade,
following your instructions I've done:
- I've saved on the Desktop with the name renamed.exe the Combofix program;
- I've temporarely disabled Avira and Symantec;
- I've run Combofix;
- Installed MW Recovery Console;
- Saved the Combofix Log
- and finally enabled Avira and Symantec.

Please find in attachment the Combofix Log.

Hope to have done everything properly.... busy.gif
Thanks again for your help!
Marilla

ComboFix 10-04-29.05 - ameloni 30/04/2010 10.35.41.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1527.842 [GMT 2:00]

Eseguito da: c:\documents and settings\ameloni\Desktop\Renamed.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.



((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\windows\system32\fjhdyfhsn.bat

c:\windows\system32\uninstall.exe



.

((((((((((((((((((((((((( Files Creati Da 2010-03-28 al 2010-04-30 )))))))))))))))))))))))))))))))))))

.



2010-04-29 17:54 . 2010-04-29 17:56 -------- d-----w- c:\programmi\iTunes

2010-04-29 17:42 . 2010-04-29 17:42 -------- d-----w- c:\programmi\Bonjour

2010-04-29 17:40 . 2010-04-29 17:40 73000 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-25 22:47 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-04-25 22:47 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-04-25 22:47 . 2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-04-25 22:46 . 2010-04-25 22:46 -------- d-----w- c:\programmi\Avira

2010-04-25 22:46 . 2010-04-25 22:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira

2010-04-25 10:12 . 2010-04-25 10:12 -------- d-----w- c:\documents and settings\ameloni\Impostazioni locali\Dati applicazioni\FreeFixer

2010-04-25 10:12 . 2010-04-25 10:12 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\FreeFixer

2010-04-25 10:12 . 2010-04-25 10:12 -------- d-----w- c:\programmi\FreeFixer

2010-04-24 14:39 . 2001-08-30 21:07 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-04-24 14:39 . 2008-04-14 02:13 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-04-24 10:46 . 2010-04-24 10:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-24 10:25 . 2010-04-24 10:25 -------- d-----w- c:\programmi\Apple Software Update

2010-04-24 10:21 . 2009-10-16 00:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-24 10:21 . 2009-10-16 00:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-20 20:20 . 2010-04-20 20:20 -------- d-----w- c:\documents and settings\ameloni\Impostazioni locali\Dati applicazioni\Threat Expert

2010-04-20 09:13 . 2010-04-20 09:13 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-20 08:39 . 2010-04-20 10:35 -------- d-----w- c:\programmi\a-squared Free

2010-04-20 08:10 . 2010-04-21 07:58 -------- d-----w- c:\programmi\Spyware Doctor

2010-04-20 08:10 . 2010-04-20 23:08 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP

2010-04-19 18:29 . 2010-04-19 18:29 -------- d-sh--w- c:\documents and settings\ameloni\IECompatCache

2010-04-14 09:19 . 2010-04-15 13:08 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\M24_AFC

2010-04-14 09:06 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2010-04-14 09:06 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys

2010-04-08 11:20 . 2010-04-08 11:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 11:20 . 2010-04-08 11:20 107808 ----a-w- c:\windows\system32\dns-sd.exe



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-30 08:43 . 2007-07-02 15:19 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\Skype

2010-04-30 08:25 . 2007-07-02 15:08 -------- d-----w- c:\programmi\Symantec AntiVirus

2010-04-29 17:55 . 2006-06-16 07:47 -------- d-----w- c:\programmi\iPod

2010-04-29 17:54 . 2007-08-03 13:33 -------- d-----w- c:\programmi\File comuni\Apple

2010-04-25 09:47 . 2004-09-09 07:37 65292 ----a-w- c:\windows\system32\perfc010.dat

2010-04-25 09:47 . 2004-09-09 07:37 430148 ----a-w- c:\windows\system32\perfh010.dat

2010-04-25 00:15 . 2010-04-25 00:15 8 ----a-w- c:\documents and settings\LocalService\Dati applicazioni\kcmdte.dat

2010-04-24 11:05 . 2007-07-04 08:13 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\Apple Computer

2010-04-24 11:04 . 2007-08-03 13:33 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Apple

2010-04-24 10:35 . 2006-06-16 07:50 -------- d-----w- c:\programmi\QuickTime

2010-04-19 17:02 . 2010-02-13 18:29 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\HPAppData

2010-04-14 08:48 . 2010-03-18 12:03 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-04-14 08:48 . 2010-03-18 12:03 5918776 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 22:49 . 2006-04-05 11:03 -------- d-----w- c:\programmi\File comuni\Java

2010-03-30 22:49 . 2010-03-30 22:49 503808 ----a-w- c:\documents and settings\ameloni\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e0bd747-n\msvcp71.dll

2010-03-30 22:49 . 2010-03-30 22:49 499712 ----a-w- c:\documents and settings\ameloni\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e0bd747-n\jmc.dll

2010-03-30 22:49 . 2010-03-30 22:49 348160 ----a-w- c:\documents and settings\ameloni\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e0bd747-n\msvcr71.dll

2010-03-30 22:49 . 2010-03-30 22:49 61440 ----a-w- c:\documents and settings\ameloni\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-659c143e-n\decora-sse.dll

2010-03-30 22:49 . 2010-03-30 22:49 12800 ----a-w- c:\documents and settings\ameloni\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-659c143e-n\decora-d3d.dll

2010-03-30 22:48 . 2006-04-05 11:03 -------- d-----w- c:\programmi\Java

2010-03-29 22:46 . 2010-03-18 12:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 22:45 . 2010-03-18 12:03 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-22 20:37 . 2010-03-22 19:38 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\PC Suite

2010-03-22 20:30 . 2010-03-22 20:30 34513376 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_ita_web[1].exe

2010-03-22 19:50 . 2010-03-22 19:38 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\Nokia

2010-03-22 19:48 . 2010-03-22 19:30 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Installations

2010-03-22 19:40 . 2010-03-22 19:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf

2010-03-22 19:40 . 2010-03-22 19:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2010-03-22 19:38 . 2010-03-22 19:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PC Suite

2010-03-22 19:33 . 2010-03-22 19:33 -------- d-----w- c:\programmi\File comuni\PCSuite

2010-03-22 19:33 . 2010-03-22 19:33 -------- d-----w- c:\programmi\File comuni\Nokia

2010-03-22 19:33 . 2010-03-22 19:31 -------- d-----w- c:\programmi\Nokia

2010-03-22 19:32 . 2010-03-22 19:32 -------- d-----w- c:\programmi\DIFX

2010-03-22 19:32 . 2010-03-22 19:32 -------- d-----w- c:\programmi\PC Connectivity Solution

2010-03-22 19:30 . 2010-03-22 19:30 95232 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe

2010-03-22 19:30 . 2010-03-22 19:30 8192 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe

2010-03-22 19:30 . 2010-03-22 19:30 61440 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe

2010-03-22 19:30 . 2010-03-22 19:30 10240 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe

2010-03-22 19:30 . 2010-03-22 19:30 34513376 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_ita_web.exe

2010-03-22 19:19 . 2010-03-22 19:19 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-03-18 12:03 . 2010-03-18 12:03 -------- d-----w- c:\documents and settings\ameloni\Dati applicazioni\Malwarebytes

2010-03-18 12:03 . 2010-03-18 12:03 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes

2010-03-10 06:15 . 2004-09-09 07:37 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 02:28 . 2009-01-31 17:18 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-08 16:53 . 2010-02-13 18:23 -------- d-----w- c:\programmi\Yahoo!

2010-03-08 16:47 . 2009-07-23 06:57 -------- d-----w- c:\programmi\3 Internet

2010-02-25 06:16 . 2004-09-09 07:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2006-04-05 10:48 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 12:05 . 2004-09-09 07:37 2193664 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 19:05 . 2004-08-19 14:34 2070528 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-13 18:59 . 2010-02-13 18:02 204505 ----a-w- c:\windows\hpoins46.dat

2010-02-13 18:31 . 2007-07-05 16:57 69280 ----a-w- c:\documents and settings\ameloni\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT

2010-02-12 10:03 . 2010-03-23 07:55 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:33 . 2004-09-09 07:36 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-09-09 07:37 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.



((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\programmi\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

"PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShowLOMControl"="1 (0x1)" [X]

"Apoint"="c:\programmi\Apoint\Apoint.exe" [2005-10-07 176128]

"IntelWireless"="c:\programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"Dell QuickSet"="c:\programmi\Dell\QuickSet\quickset.exe" [2005-12-15 839680]

"DVDLauncher"="c:\programmi\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"UpdateManager"="c:\programmi\File comuni\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-27 125536]

"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]

"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2010-03-17 421888]

"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2010-04-28 142120]



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]



c:\documents and settings\ameloni\Menu Avvio\Programmi\Esecuzione automatica\

Utilit… controllo supporti di Picture Motion Browser.lnk - c:\programmi\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-8-7 385024]



c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\

Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Digital Line Detect.lnk - c:\programmi\Digital Line Detect\DLG.exe [2006-4-5 24576]

HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 15:08 110592 ----a-w- c:\programmi\Intel\Wireless\Bin\LgNotify.dll



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"



[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Programmi\\Messenger\\msmsgs.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Programmi\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=

"c:\\Programmi\\iTunes\\iTunes.exe"=

"c:\\Programmi\\Skype\\Phone\\Skype.exe"=



R2 a2free;a-squared Free Service;c:\programmi\a-squared Free\a2service.exe [20/04/2010 10.39.36 1872320]

R2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [05/05/2006 16.07.58 258048]

R2 SavRoam;SAVRoam;c:\programmi\Symantec AntiVirus\SavRoam.exe [27/11/2006 16.31.42 119392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/03/2010 18.56.34 102448]

S3 cmusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2051;c:\windows\system32\drivers\cmusbser.sys [26/12/2008 21.47.59 103552]

S3 MA8630C;MA8630C;c:\windows\system32\drivers\MA8630C.sys [09/08/2006 17.19.36 23248]

S3 MA8630M;MA8630M;c:\windows\system32\drivers\MA8630M.sys [09/08/2006 17.19.36 25428]

S3 MA8630U;MA8630U;c:\windows\system32\drivers\MA8630U.sys [09/08/2006 17.19.36 50769]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contenuto della cartella 'Scheduled Tasks'



2010-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

.

.

------- Scansione supplementare -------

.

uStart Page = hxxp://www.ilsole24ore.com/

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.it/s/v/56.20/uploader2.cab

DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} - hxxp://selfcare.tiscali.it/scripts/oneclick/ConnessioneTiscali.cab

.

- - - - CHIAVI ORFANE RIMOSSE - - - -



Toolbar-Locked - (no file)

AddRemove-mare6 Screen Saver - c:\windows\system32\uninstall.exe







**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-30 10:43

Windows 5.1.2600 Service Pack 3 NTFS



scansione processi nascosti ...



scansione entrate autostart nascoste ...



Scansione files nascosti ...



Scansione completata con successo

Files nascosti: 0



**************************************************************************



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccmsetup]

"ImagePath"="\"c:\windows\system32\ccmsetup\ccmsetup.exe\" /runservice /config:MobileClient.tcf"

.

--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------



[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ř•€|˙˙˙˙•€|ů•9~*]

"01400E0900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- Dlls caricate dai processi in esecuzione ---------------------



- - - - - - - > 'winlogon.exe'(940)

c:\programmi\Intel\Wireless\Bin\LgNotify.dll

.

Ora fine scansione: 2010-04-30 10:45:41

ComboFix-quarantined-files.txt 2010-04-30 08:45



Pre-Run: 9.552.953.344 byte disponibili

Post-Run: 9.909.940.224 byte disponibili



WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect



- - End Of File - - 4347AFC00289C1D4BE6510D7ECEEE609

Attached Files


Edited by Blade Zephon, 30 April 2010 - 08:49 AM.
Moved log into body of reply to facilitate analysis. Please do not attach logs unless the board software will not allow you to paste them directly. Thanks!


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:19 PM

Posted 30 April 2010 - 08:53 AM

Hello marilla.

Sorry for the delay; finals are this week >.<

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Symantec Antivirus or Avira Antivir Desktop.

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log
How is the computer running now

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#8 marilla

marilla
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 01 May 2010 - 08:36 AM

Hi Blade!

I removed Symantec Antivirus (and also Freefixer). I didn't remove Symantec Live Update since when I was removing it a pop up informed me that some application are registred with Symantec Live Update... huh.gif I didn't know what to do so....it's still there!
Then I followed your instructions (you will find the log in attachment).
The pc is working, it seems having a good speed and no more virus, malware or others appeared........till now! Keeping fingers crossed... smile.gif
I try to be sure that the antivirus correctly updates every single day and once in a while Malwarebytes makes a full scan!

Do you still see something of souspicious in my logs? Do you think I need to remove something else?

Many thanks again for your help and good luck for your finals!!! smile.gif

Marilla

Attached Files



#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:19 PM

Posted 03 May 2010 - 12:25 AM

Hi Marilla. . . Just a couple things and then we'll finish up.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 20.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

***************************************************

Your Adobe Reader is out of date. Please uninstall it through Add/Remove Programs and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

***************************************************
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then recieve a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders assoicated with combofix and uninstall it.

***************************************************

Your machine appears to be clean!

If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection
I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of them (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:19 PM

Posted 09 May 2010 - 06:29 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users