
Hijackthis Log: Please Help Diagnose


8 replies to this topic

#1 valeria

  • Members
  • 5 posts

Posted 12 April 2006 - 09:05 AM

Hi Guys! I'm new to this forum and I'm not exactly a pc-expert :thumbsup: ..... so please help me in a very simple way to restore my mom's pc .... Pleaaaaase :flowers:

I loaded AntiVir (the red umbrella one) and it detects 2 worms, but it seems unable to delete them, as the detection windows appear again and again every 30 sec :huh:
  • Worm/CodBot.Z (SCardClnt.exe)
  • Worm/Rbot.225280.4 (Keys.exe)
Here the HijackThis log follows .... please help me!

Thank you so much everybody anyway!!!

Vale





Logfile of HijackThis v1.99.1
Scan saved at 3:37:53 PM, on 4/12/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\Programmi\Winamp\winampa.exe
C:\WINNT\loadqm.exe
C:\Program Files\Libero\Adsl\dslstat.exe
C:\Program Files\Libero\Adsl\dslagent.exe
C:\WINNT\System32\keys.exe
C:\WINNT\System32\internat.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\HijackThis\HijackThis.exe
C:\Programmi\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Libero\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
O4 - HKLM\..\Run: [licli] li.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\vxpewcnr.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe



#2 valeria
  • Topic Starter
  • Members
  • 5 posts

Posted 13 April 2006 - 03:16 AM

Sorry for bothering you again .... :thumbsup: .... but just a little hint.... I really do not have a clue....even a link where I can have a look...

I will be so grateful....

vale

#3 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 19 April 2006 - 12:06 PM

Hi there and welcome to Bleeping Computer ! :thumbsup:
As you may have noticed already, the forums are very busy at the moment and I have noticed your log has gone unanswered so far!
We look at the oldest logs first, so if you still need help, please start by posting a new HijackThis log in this topic and I will then be able to take a look!
Thanks very much :flowers:
David

#4 valeria
  • Topic Starter
  • Members
  • 5 posts

Posted 22 April 2006 - 05:17 AM

Hi David!!! Thank you for your welcome and for your reply!!

Well, actually I've tried so many things that I even forget what I did :thumbsup: .... I think I managed to fix a couple of things.... but there's something that doesn't work properly yet :flowers:

While I'm connected several windows pop up, all from Messenger Service, saying something like: "Critical system failure! High risk infection in system registry! Go to www. regsaver.com or regfixes.com or adsbuster.com etc..." Is it a kind of worm, or what? (or maybe is it true???)

By the way this is my Hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 10:57:07 AM, on 4/22/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Programmi\Winamp\winampa.exe
C:\Program Files\Libero\Adsl\dslstat.exe
C:\Program Files\Libero\Adsl\dslagent.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\internat.exe
C:\PROGRA~2\Greatis\REGRUN~1\WatchDog.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Libero\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Yahoo! Messenger] sodj.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Yahoo! Messenger] sodj.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~2\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\vxpewcnr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B94D4D4-6DC8-4A60-B448-DA23CAF50059}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe



Thank you so much anyway :huh:
Vale

#5 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 22 April 2006 - 01:30 PM

Hi valeria!

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

* Please set your system to show all files; please see here if you're unsure how to do this.

* The Windows "Messenger Service" is being exploited to spray the Internet with unsolicited commercial eMail. The receipt of a single UDP packet can cause a "Messenger Service" dialog to pop up on the user's screen. It is possible for the sender to "spoof" (falsify) the packet's "Source IP", making these packets impossible to trace back to their origin.
Windows Messenger Service

The first thing to understand is that the Windows Messenger Service is completely different from, and not in any way related to, "MSN Messenger", "Windows Messenger", or any other well-known instant messaging system. Therefore, disabling the Windows Messenger service will have no effect upon your use of any other instant messaging applications. They will continue to work without trouble.

To block the spam, turn off the Messenger Service.

Click Start>>Settings>>Control Panel

--Double click Administrative Tools
--Double click Services
--Double click Messenger
--Under Service Status, click Stop
--In the box next to Startup Type, select Disabled
--Click Apply>>OK

Alternatively, you can download a small program that will disable the Messenger Service for you, called Shoot The Messenger. It's available at: http://www.grc.com/stm/shootthemessenger.htm

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O4 - HKLM\..\Run: [Yahoo! Messenger] sodj.exe
O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Yahoo! Messenger] sodj.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\vxpewcnr.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINNT\system32\odj.exe
C:\WINNT\system32\keys.exe
C:\Program Files\Internet Explorer\vxpewcnr.exe

* Please reboot back to normal mode and please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report along with a new Hijackthis log.
David

Edited by D-Trojanator, 22 April 2006 - 01:31 PM.


#6 valeria
  • Topic Starter
  • Members
  • 5 posts

Posted 23 April 2006 - 08:43 AM

Hi David!!!!

Unbelievable!!! I've done everything (thank you, you've been so clear and detailed :thumbsup: )..... and the pc is full of crap things :flowers:

Here the panda scan report...


Incident Status Location

Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\t21uvztz.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\t21uvztz.default\cookies.txt[.seeq.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\t21uvztz.default\cookies.txt[www48.seeq.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\t21uvztz.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\t21uvztz.default\cookies.txt[]
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\ecncvnoo.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\elqwwogt.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\euycesqd.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\ftdunydc.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\htmbpjhh.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\ihcjfzrt.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\jjnmjkya.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\jtswa.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\mtupgrxu.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\ndcrthmz.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\owetllks.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\owvqgbzb.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\qwgwnfbz.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\rfwwlesc.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\rrtssgtg.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\skeczewq.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\snwzviet.exe
Dialer:Dialer.DPC Not disinfected C:\Program Files\Internet Explorer\sxzvxcqm.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\tqcswldk.exe
Dialer:Dialer.BSV Not disinfected C:\Program Files\Internet Explorer\utunvygj.exe
Virus:W32/Zafi.C.worm Disinfected Cartelle locali\Posta in arrivo\Ti amo!!\mail_title.doc = ' Dicono sia la primavera, invece sei tu che mi fai girar la testa. Ogni grande amore comincia con un fiore! Quando sto con te, il mio cuore!!....'



and here we go with the hjt....


Logfile of HijackThis v1.99.1
Scan saved at 3:39:23 PM, on 4/23/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Programmi\Winamp\winampa.exe
C:\Program Files\Libero\Adsl\dslstat.exe
C:\Program Files\Libero\Adsl\dslagent.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\internat.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\PROGRA~2\Greatis\REGRUN~1\WatchDog.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Libero\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Yahoo! Messenger] sodj.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~2\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B94D4D4-6DC8-4A60-B448-DA23CAF50059}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe



Am I wrong or

O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Yahoo! Messenger] sodj.exe


shouldn't be there :huh: ... I thought I deleted them!!!


thank you
Valeria

#7 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 23 April 2006 - 08:57 AM

Hi Valeria!

I think that a tool you have was interfering with the fix. While AdWatch is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable AdWatch for now until you are clean. AdWatch can be re-activated once your HijackThis log is clean.
  • Open AdAware SE.
  • Click AdWatch User Interface.
  • Click Tools and Preferences.
  • Uncheck the boxes against both Active and Automatic.
Don't forget to re-start AdWatch when your machine is clean by re-checking the boxes.
You have a program called "WatchDog" which I think is also stopping the fix. You should see an icon for it in your taskbar - right-click on it and click Exit.

* Please download ATF Cleaner by Atribune.
Don't run it yet.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Yahoo! Messenger] sodj.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Download KillBox from here
Unzip the folder to your desktop.
Don't run it yet.

* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\Program Files\Internet Explorer\ecncvnoo.exe
C:\Program Files\Internet Explorer\elqwwogt.exe
C:\Program Files\Internet Explorer\euycesqd.exe
C:\Program Files\Internet Explorer\ftdunydc.exe
C:\Program Files\Internet Explorer\htmbpjhh.exe
C:\Program Files\Internet Explorer\ihcjfzrt.exe
C:\Program Files\Internet Explorer\jjnmjkya.exe
C:\Program Files\Internet Explorer\jtswa.exe
C:\Program Files\Internet Explorer\mtupgrxu.exe
C:\Program Files\Internet Explorer\ndcrthmz.exe
C:\Program Files\Internet Explorer\owetllks.exe
C:\Program Files\Internet Explorer\owvqgbzb.exe
C:\Program Files\Internet Explorer\qwgwnfbz.exe
C:\Program Files\Internet Explorer\rfwwlesc.exe
C:\Program Files\Internet Explorer\rrtssgtg.exe
C:\Program Files\Internet Explorer\skeczewq.exe
C:\Program Files\Internet Explorer\snwzviet.exe
C:\Program Files\Internet Explorer\sxzvxcqm.exe
C:\Program Files\Internet Explorer\tqcswldk.exe
C:\Program Files\Internet Explorer\utunvygj.exe
C:\WINNT\System32\keys.exe
C:\WINNT\System32\sodj.exe


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the File menu--pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any fPendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* After the reboot Double-click ATF Cleaner to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Please post back with a new Hijackthis log and a new panda log.
David
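As an added example (not code from this thread, from BleepingComputer or from the HijackThis project), the following Python script applies the reasoning David uses in posts #5 and #7 to the O4/O16 lines of the logs Valeria posted, and then checks which of the flagged entries are still present in the later log, which is exactly what Valeria spotted in post #6. The two log excerpts are constructed from the lines in this thread; the heuristics (RunServices entries, bare filenames, file:// DPF entries) and all function names are assumptions of this example, not HijackThis features, and "review" findings such as internat.exe are candidates to verify on disk, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: the O4/O16 lines from the 22 April ("before") and
# 23 April ("after") logs in this thread, trimmed to the relevant entries.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [Yahoo! Messenger] sodj.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Yahoo! Messenger] sodj.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\vxpewcnr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Msn Messenger] keys.exe
O4 - HKLM\..\RunServices: [Yahoo! Messenger] sodj.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""


@dataclass(frozen=True)
class Entry:
    section: str  # "O4" (autorun value) or "O16" (Download Program Files / ActiveX)
    hive: str     # "HKLM" / "HKCU" for O4, "" for O16
    key: str      # Run / RunServices for O4, the CLSID for O16
    label: str    # registry value name (O4) or ActiveX display name (O16)
    target: str   # command line (O4) or download source (O16)


O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$')
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$')


def parse_log(text: str) -> List[Entry]:
    """Extract the O4 and O16 entries of a HijackThis log; other sections are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, label, cmd = m.groups()
            entries.append(Entry("O4", hive, key, label, cmd))
            continue
        m = O16_RE.match(line)
        if m:
            clsid, name, src = m.groups()
            entries.append(Entry("O16", "", clsid, name or "", src))
    return entries


def executable_of(command: str) -> str:
    """First token of a command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_bare(path: str) -> bool:
    """True when the autorun value names a file with no directory at all."""
    return "\\" not in path and ":" not in path


def triage(entries: List[Entry]) -> List[Tuple[Entry, str, str]]:
    """Return (entry, severity, reason) for every entry worth attention."""
    # Executables registered under RunServices: the key is honoured only by
    # Windows 9x/ME, so on an NT platform it is a compatibility habit of malware.
    runservices_exes: Set[str] = {
        executable_of(e.target).lower()
        for e in entries if e.section == "O4" and e.key.lower() == "runservices"
    }
    findings: List[Tuple[Entry, str, str]] = []
    for e in entries:
        if e.section == "O16" and e.target.lower().startswith("file://"):
            findings.append((e, "suspect", "DPF entry points at a local executable, not a downloadable package"))
        elif e.section == "O4":
            exe = executable_of(e.target)
            if e.key.lower() == "runservices":
                findings.append((e, "suspect", "RunServices is ignored by Windows NT/2000; nothing legitimate needs it"))
            elif is_bare(exe) and exe.lower() in runservices_exes:
                findings.append((e, "suspect", "same bare executable is also registered under RunServices"))
            elif is_bare(exe):
                findings.append((e, "review", "bare filename resolved via the search path; verify the file on disk"))
    return findings


def survivors(before: str, after: str) -> List[Entry]:
    """Suspect entries of the pre-fix log that are still present in the post-fix log."""
    after_set = set(parse_log(after))
    return [e for e, sev, _ in triage(parse_log(before)) if sev == "suspect" and e in after_set]


if __name__ == "__main__":
    for e, sev, why in triage(parse_log(LOG_BEFORE)):
        print(f"[{sev:7}] {e.section} {e.hive}\\..\\{e.key} [{e.label}] {e.target}  <- {why}")
    for e in survivors(LOG_BEFORE, LOG_AFTER):
        print("still present after the fix:", e.key, e.label, e.target)
```

Run against the two excerpts, the script flags both RunServices values, the Run value that shares its executable with them, and the file:// DPF entry as suspect, and reports the two RunServices values as surviving the fix; that persistence is the signal that something (here AdWatch or WatchDog, per David's reply) is restoring the values, so the script is a check to run after each round rather than a replacement for the manual review.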

#8 valeria
  • Topic Starter
  • Members
  • 5 posts

Posted 26 April 2006 - 12:02 PM

Hi David!
Thank you so much for your prompt and detailed reply!

I came back home and I couldn't go on with the ... let's say "bring my mom's pc back to life mission".... I think it will be kind of hard, but I will try to direct my mom to do the repair by herself by telephone... let's see what happens.. :thumbsup:

By the way thank yoooooooooou! You've been like an angel :flowers: and I've learnt so many things too!

bye bye
Vale

#9 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 27 April 2006 - 10:49 AM

Hey Vale!

It will be kind of hard doing it over the telephone :thumbsup:, however I wish you the best of luck and of course if you have any questions don't hesitate to ask.

David



