Infected With ?


18 replies to this topic

#1 alexidro


Posted 20 June 2006 - 02:45 PM

Hi, I'm Alessandro from Bologna, Italy.
Sorry for my language, but here English is not taught very well.
I am posting because about 1 week ago my 12-year-old brother got something not friendly while browsing the web.
I don't know exactly what it is because Norton Antivirus stopped working that day.
Every time I reboot my PC I can see a 3-word program running the first time. I can't stop the process (access denied), but it stops by itself after a while. Every time I reboot the 3-word name is different; it's like it creates a copy of itself with another name every time. I browsed for it and I found 3 *.exe files in the directory C:\Program Files. Two of these are visible and I can delete them, but one is hidden and I can't because it's write-protected, and I can't change its properties because it belongs to another user named HIX, but this user is not registered on my computer!
Last time I rebooted, another *.exe file protected in the same way was created, but not 3 words, named AkaYMx.exe.
This situation makes my computer crash continuously, the antivirus doesn't work, and the internet connection is very, very slow.
I did everything in my capabilities to kill them but nothing works; every time something re-creates these files. I hope for your help.

This is my Hijack log file:

Logfile of HijackThis v1.99.1
Scan saved at 21.02.41, on 20/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {93DDF7F9-BDCD-1D81-BE7F-64906796D303} - C:\WINDOWS\eigpq1.dll (file missing)
O2 - BHO: Class - {A2467C62-D38B-2BFB-3E58-2EEDE36F0B97} - C:\WINDOWS\eigpq1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hlxpi.exe] C:\WINDOWS\system32:hlxpi.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1936E1-E2CE-44AC-AC15-CFBE83485822}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F1936E1-E2CE-44AC-AC15-CFBE83485822}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F1936E1-E2CE-44AC-AC15-CFBE83485822}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe


Thank You,
Alessandro


#2 MFDnSC

    Ret. Director I/T



Posted 20 June 2006 - 03:13 PM

Your English is very good - do not apologize - I can speak no Italian and not much French having lived in Geneva!

Let's do a deep scan.

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
• Install ewido.
• During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido
• It will prompt you to update; click the OK button and it will go to the main screen
• On the left side of the main screen click update
• Click on Start and let it update.
• DO NOT run a scan yet. You will do that later in safe mode.
Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan it will prompt you to clean files; click OK
• When the scan is finished, look at the bottom of the screen and click the Save report button.
• Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 alexidro


Posted 21 June 2006 - 07:05 AM

I did what you suggested.
Here is the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 13.26.19 21/06/2006

+ Scan result:



C:\WINDOWS\Temp\hkki1.exe -> Downloader.Agent.akq : Cleaned.
C:\Programmi\eMule\Incoming\Easy.Web.Editor.v3.16.163.294.Cracked-HERETiC(1).zip/Easy.Web.Editor.v3.16.163.294.Cracked-HERETiC/setup.exe -> Dropper.Small.mt : Cleaned.
C:\WINDOWS\system32:hlxpi.exe -> Hijacker.Small.lc : Cleaned.
C:\Programmi\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs -> Not-A-Virus.BadJoke.JS.RJump : Cleaned.
C:\Documents and Settings\Dona\Impostazioni locali\Temporary Internet Files\Content.IE5\69CTF2CH\script-2[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned.
F:\Riparazione Computer\WinXP-NT-2K.Password.Hacker..zip/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned.
F:\Riparazione Computer\WinXP-NT-2K.Password.Hacker..zip/run/pwdump2.exe -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned.
F:\Riparazione Computer\WinXP-NT-2K.Password.Hacker..zip/run/samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned.
C:\Documents and Settings\Alby\Cookies\alby@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alex\Cookies\alex@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Alby\Cookies\alby@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mauro\Cookies\mauro@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@estat[1].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Mauro\Cookies\mauro@ehg-sonyesolutions.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mauro\Cookies\mauro@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mauro\Cookies\mauro@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Dona\Cookies\dona@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.


::Report end



...and here is HijackThis's:

Logfile of HijackThis v1.99.1
Scan saved at 13.34.39, on 21/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {93DDF7F9-BDCD-1D81-BE7F-64906796D303} - C:\WINDOWS\eigpq1.dll (file missing)
O2 - BHO: Class - {A2467C62-D38B-2BFB-3E58-2EEDE36F0B97} - C:\WINDOWS\eigpq1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 MFDnSC

    Ret. Director I/T



Posted 21 June 2006 - 09:02 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT - mark them, close IE, click fix checked

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {93DDF7F9-BDCD-1D81-BE7F-64906796D303} - C:\WINDOWS\eigpq1.dll (file missing)

O2 - BHO: Class - {A2467C62-D38B-2BFB-3E58-2EEDE36F0B97} - C:\WINDOWS\eigpq1.dll (file missing)

START - RUN - type in %temp% OK - Edit - Select all - File - Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn't work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
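The helper's post above picks out the entries to fix by reading the HijackThis log by hand: the missing URLSearchHook (R3), the two BHO lines whose DLL is "(file missing)", and, in the first log, an O4 Run entry launched from an NTFS alternate data stream (C:\WINDOWS\system32:hlxpi.exe) that ewido later removed. The Python script below, added here as an example and not code from BleepingComputer, HijackThis or the poster, applies those same checks to a log automatically and lists O17 NameServer overrides for manual verification against the ISP's DNS. The sample log embedded in it is constructed in the v1.99.1 format from entries in this thread; the rule names and severities are the example's own.

```python
"""Triage a HijackThis v1.99.1 log for the indicators discussed in this thread.

Added example; not HijackThis's or the forum's own tooling. Assumes the plain
text log format pasted in the thread. Rule names/severities are this script's.
"""
import re

# Constructed sample in HijackThis format, built from entries seen in the thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {93DDF7F9-BDCD-1D81-BE7F-64906796D303} - C:\WINDOWS\eigpq1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hlxpi.exe] C:\WINDOWS\system32:hlxpi.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1936E1-E2CE-44AC-AC15-CFBE83485822}: NameServer = 193.70.152.15 193.70.152.25
"""

# A Windows path token: drive letter, colon, backslash, then non-space characters.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')
# O4 autorun line: "O4 - <hive\..\Run>: [<value name>] <command line>"
O4_ENTRY = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O17 DNS override: "... NameServer = <ip> <ip>"
O17_ENTRY = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')


def is_ads_path(path: str) -> bool:
    """True when a path names an NTFS alternate data stream: a second ':' after
    the drive letter, as in C:\\WINDOWS\\system32:hlxpi.exe."""
    return ':' in path[2:]


def triage(log_text: str) -> list[dict]:
    """Return findings (in log order) for the entries a helper would act on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # R3: an IE URLSearchHook registration that points nowhere.
        if line.startswith('R3 - ') and line.endswith('is missing'):
            findings.append({'rule': 'urlsearchhook_missing', 'severity': 'low', 'line': line})
        # O2/O3: BHO or toolbar registered for a DLL that no longer exists on disk.
        if line[:2] in ('O2', 'O3') and line.endswith('(file missing)'):
            findings.append({'rule': 'orphaned_registration', 'severity': 'medium', 'line': line})
        # O4: autorun whose executable lives in an alternate data stream.
        m = O4_ENTRY.match(line)
        if m:
            for path in WIN_PATH.findall(m.group('cmd')):
                if is_ads_path(path):
                    findings.append({'rule': 'ads_autorun', 'severity': 'high',
                                     'line': line, 'path': path})
        # O17: hard-coded DNS servers; informational, verify against the ISP.
        m = O17_ENTRY.match(line)
        if m:
            findings.append({'rule': 'dns_override', 'severity': 'info', 'line': line,
                             'servers': m.group('servers').split()})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:22} {f['line']}")
```

Run it against a saved log with `triage(open('hijackthis.log', encoding='latin-1').read())`; the ADS rule is the one worth keeping in any homegrown checker, since a legitimate Run value never points into a `file:stream` path.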

#5 alexidro


Posted 21 June 2006 - 10:12 AM

OK, here is a new HJT log after I did your instructions, but the 3-word files in C:\Program Files don't seem to be leaving, and one of them continues to start at every reboot and then stops automatically, changing its name every time. I found another 3-word exe file browsing a user folder and it won't be deleted like the others. It is in a "documents and settings\username\local settings\temp" directory. What do I have to do now? Do you know what kind of files these are and how to delete them? I tried with Killbox, which worked some time ago with different kinds of hard-to-delete files, but not this time. Do you have any suggestions?
For the moment thanks a lot; at least my PC is speedier at startup now!


Logfile of HijackThis v1.99.1
Scan saved at 16.54.33, on 21/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks,
Alessandro

#6 MFDnSC

    Ret. Director I/T



Posted 21 June 2006 - 11:14 AM

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 alexidro


Posted 22 June 2006 - 09:03 AM

Here it is; it seems like it's starting to work:


********
13.04: | Start of Session, giovedì 22 giugno 2006 |
13.04: Spy Sweeper started
13.04: Sweep initiated using definitions version 704
13.04: Starting Memory Sweep
13.12: Memory Sweep Complete, Elapsed Time: 00.07.37
13.12: Starting Registry Sweep
13.12: Registry Sweep Complete, Elapsed Time:00.00.43
13.13: Starting Cookie Sweep
13.13: Found Spy Cookie: webtrends cookie
13.13: alex@m.webtrends[2].txt (ID = 3669)
13.13: Found Spy Cookie: mediaplex cookie
13.13: alex@mediaplex[1].txt (ID = 6442)
13.13: Cookie Sweep Complete, Elapsed Time: 00.00.01
13.13: Starting File Sweep
13.13: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028319.exe". Accesso negato
13.13: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028348.exe". Accesso negato
13.13: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028446.exe". Accesso negato
13.14: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028357.exe". Accesso negato
13.14: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028371.exe". Accesso negato
13.14: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028089.exe". Accesso negato
13.15: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028455.exe". Accesso negato
13.15: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028373.exe". Accesso negato
13.15: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028400.exe". Accesso negato
13.16: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028063.exe". Accesso negato
13.16: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028087.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028090.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0028624.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028418.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028410.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028427.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028463.exe". Accesso negato
13.18: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028485.exe". Accesso negato
13.18: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp113\a0028555.exe". Accesso negato
13.19: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp113\a0028534.exe". Accesso negato
13.19: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0028610.exe". Accesso negato
13.20: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030624.exe". Accesso negato
13.20: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028080.exe". Accesso negato
13.20: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028372.exe". Accesso negato
13.21: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030650.exe". Accesso negato
13.22: Warning: Failed to open file "c:\programmi\jyi.exe". Accesso negato
13.22: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030633.exe". Accesso negato
13.38: Warning: Failed to open file "c:\programmi\ijg.exe". Accesso negato
13.38: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030673.exe". Accesso negato
13.39: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030727.exe". Accesso negato
13.39: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030685.exe". Accesso negato
14.06: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028027.exe". Accesso negato
14.27: Found System Monitor: potentially rootkit-masked files
14.27: eigpq1.dll (ID = 0)
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.32: Warning: Unhandled Archive Type
14.32: Warning: Unhandled Archive Type
14.33: Warning: Unhandled Archive Type
14.33: Warning: Unhandled Archive Type
14.33: Warning: Unhandled Archive Type
14.48: File Sweep Complete, Elapsed Time: 01.35.03
14.48: Full Sweep has completed. Elapsed time 01.25.36
14.48: Traces Found: 3
15.50: Removal process initiated
15.50: Quarantining All Traces: potentially rootkit-masked files
15.50: potentially rootkit-masked files is in use. It will be removed on reboot.
15.50: eigpq1.dll is in use. It will be removed on reboot.
15.50: Quarantining All Traces: mediaplex cookie
15.50: Quarantining All Traces: webtrends cookie
15.51: Preparing to restart your computer. Please wait...
15.51: Removal process completed. Elapsed time 00.00.35
********
10.05: | Start of Session, giovedì 22 giugno 2006 |
10.05: Spy Sweeper started
10.06: Updating spyware definitions
10.07: Your spyware definitions have been updated.
13.04: | End of Session, giovedì 22 giugno 2006 |




Logfile of HijackThis v1.99.1
Scan saved at 15.59.06, on 22/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1936E1-E2CE-44AC-AC15-CFBE83485822}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F1936E1-E2CE-44AC-AC15-CFBE83485822}: NameServer = 193.70.152.15 193.70.152.25
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 22 June 2006 - 09:20 AM

Run http://www.kaspersky.com/virusscanner - Online scan

When the scan is finished, save the results from the scan!

Post a new HijackThis log along with the results from the Kaspersky scan.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 alexidro

alexidro
  • Topic Starter

  • Members
  • 10 posts

Posted 23 June 2006 - 03:53 AM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 22, 2006 7:35:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/06/2006
Kaspersky Anti-Virus database records: 202037
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 127577
Number of viruses found: 7
Number of infected objects: 15
Number of suspicious objects: 4
Duration of the scan process: 02:17:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dona\Impostazioni locali\Dati applicazioni\Identities\{C47A9100-8E79-4120-A635-3F0761B0A5C8}\Microsoft\Outlook Express\Posta inviata.dbx/[From "Donatella Zilioli" <damaboselli@libero.it>][Date Sun, 2 Apr 2006 15:51:25 +0200]/UNNAMED/_astonishing_banned.asx Infected: Trojan-Downloader.Win32.Agent.ahy skipped
C:\Documents and Settings\Dona\Impostazioni locali\Dati applicazioni\Identities\{C47A9100-8E79-4120-A635-3F0761B0A5C8}\Microsoft\Outlook Express\Posta inviata.dbx/[From "Donatella Zilioli" <damaboselli@libero.it>][Date Sun, 2 Apr 2006 15:51:25 +0200]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.ahy skipped
C:\Documents and Settings\Dona\Impostazioni locali\Dati applicazioni\Identities\{C47A9100-8E79-4120-A635-3F0761B0A5C8}\Microsoft\Outlook Express\Posta inviata.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Mauro\Impostazioni locali\Temporary Internet Files\Content.IE5\MO1EDXK9\d[1].gif Infected: Trojan-Downloader.Win32.Small.jh skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\00E565BD.tif Suspicious: Exploit.Win32.IMG-WMF sent to KL
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\067C6376.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Agent.ahy skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\067C6376.exe/stream Infected: Trojan-Downloader.Win32.Agent.ahy skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\067C6376.exe NSIS: infected - 2 skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\067C6376.exe CryptFF: infected - 2 skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\0B7C384D.par Infected: P2P-Worm.Win32.Backterra.d skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\49C5776C.tif Suspicious: Exploit.Win32.IMG-WMF sent to KL
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\73CD089B.tif Suspicious: Exploit.Win32.IMG-WMF sent to KL
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\755676AA.tif Suspicious: Exploit.Win32.IMG-WMF sent to KL
C:\System Volume Information\_restore{75EAF881-0BCB-4226-A630-E51FC9BC7635}\RP115\A0030736.dll Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped
F:\Riparazione Computer\Crack Windows Xp-2000-Nt Admin Password Crackwinkeyd(2).rar/Remote Administrator (Radmin) 2.2 + serial.rar/Remote Administrator (Radmin) 2.2/RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
F:\Riparazione Computer\Crack Windows Xp-2000-Nt Admin Password Crackwinkeyd(2).rar/Remote Administrator (Radmin) 2.2 + serial.rar/Remote Administrator (Radmin) 2.2/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
F:\Riparazione Computer\Crack Windows Xp-2000-Nt Admin Password Crackwinkeyd(2).rar/Remote Administrator (Radmin) 2.2 + serial.rar/Remote Administrator (Radmin) 2.2/RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
F:\Riparazione Computer\Crack Windows Xp-2000-Nt Admin Password Crackwinkeyd(2).rar/Remote Administrator (Radmin) 2.2 + serial.rar Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
F:\Riparazione Computer\Crack Windows Xp-2000-Nt Admin Password Crackwinkeyd(2).rar RAR: infected - 4 skipped

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 10.42.12, on 23/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 23 June 2006 - 10:39 AM

Empty the Norton AntiVirus\Quarantine

Find those emails at the top of the list and delete them.

==========
Download EasyCleaner: http://www.majorgeeks.com/download414.html

Use the Clear files and Unnecessary files buttons. I do not recommend
using the Duplicate files button,
as many dupes are there on purpose.

Not all files will delete. That is normal.

Under the Unnecessary files button I check the top 4 entries.

============
Empty the recycle bin


How are things???
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 alexidro

alexidro
  • Topic Starter

  • Members
  • 10 posts

Posted 25 June 2006 - 03:01 AM

Hi, things are well, but I don't think this is a very orthodox method to delete the three-word files. That's my problem, remember? Do you know a program that forcibly deletes files, better than Killbox?

#12 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 25 June 2006 - 09:31 AM

Please explain the word problem again. I looked at the first explanation and I don't understand.

What do you mean by word files, *.doc???
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#13 alexidro

alexidro
  • Topic Starter

  • Members
  • 10 posts

Posted 26 June 2006 - 10:39 AM

I told you my English is bad!!!

Not a .doc file. There are two *.exe files with names composed of a random sequence of three words in C:\Program Files. At every reboot one of them autostarts with Windows (I don't know why, because there are no entries about that in the registry), and they change names every time they run. Now, the problem is that they are registered as another user, named HIX (who doesn't exist in the PC's user list), and I don't have rights on them, because they are read-only files and I can't change properties because I'm not "HIX". I tried Killbox with the option "delete on reboot" checked, and in safe mode too, but nothing. I'm the admin of the system, so why does it do that?

You can see them on page 7 of the topic: there are lots of *.exe files in the Spy Sweeper log (2 in C:\Programmi (Program Files)) marked "Accesso negato" (Access denied). I need to remove them.

Thanks, Alessandro

#14 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 26 June 2006 - 02:26 PM

Turn off restore points, boot, turn them back on. Here's how:

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Run Spysweeper again but run in safe mode
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#15 alexidro

alexidro
  • Topic Starter

  • Members
  • 10 posts

Posted 27 June 2006 - 06:50 AM

OK, I ran Spy Sweeper in safe mode with System Restore points disabled, but the problem persists. This is the log:

********
12.17: | Start of Session, martedì 27 giugno 2006 |
12.17: Spy Sweeper started
12.17: Sweep initiated using definitions version 707
12.18: Starting Memory Sweep
12.20: Memory Sweep Complete, Elapsed Time: 00.02.52
12.20: Starting Registry Sweep
12.21: Registry Sweep Complete, Elapsed Time:00.00.39
12.21: Starting Cookie Sweep
12.21: Cookie Sweep Complete, Elapsed Time: 00.00.00
12.21: Starting File Sweep
12.23: Warning: Failed to open file "c:\programmi\ibl.exe". Accesso negato
12.29: Warning: Failed to open file "c:\programmi\jyi.exe". Accesso negato
13.06: File Sweep Complete, Elapsed Time: 00.44.51
13.06: Full Sweep has completed. Elapsed time 00.48.36
13.06: Traces Found: 0
********
13.04: | Start of Session, giovedì 22 giugno 2006 |
13.04: Spy Sweeper started
13.04: Sweep initiated using definitions version 704
13.04: Starting Memory Sweep
13.12: Memory Sweep Complete, Elapsed Time: 00.07.37
13.12: Starting Registry Sweep
13.12: Registry Sweep Complete, Elapsed Time:00.00.43
13.13: Starting Cookie Sweep
13.13: Found Spy Cookie: webtrends cookie
13.13: alex@m.webtrends[2].txt (ID = 3669)
13.13: Found Spy Cookie: mediaplex cookie
13.13: alex@mediaplex[1].txt (ID = 6442)
13.13: Cookie Sweep Complete, Elapsed Time: 00.00.01
13.13: Starting File Sweep
13.13: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028319.exe". Accesso negato
13.13: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028348.exe". Accesso negato
13.13: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028446.exe". Accesso negato
13.14: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028357.exe". Accesso negato
13.14: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028371.exe". Accesso negato
13.14: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028089.exe". Accesso negato
13.15: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028455.exe". Accesso negato
13.15: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028373.exe". Accesso negato
13.15: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028400.exe". Accesso negato
13.16: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028063.exe". Accesso negato
13.16: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028087.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028090.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0028624.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028418.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028410.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028427.exe". Accesso negato
13.17: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028463.exe". Accesso negato
13.18: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp112\a0028485.exe". Accesso negato
13.18: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp113\a0028555.exe". Accesso negato
13.19: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp113\a0028534.exe". Accesso negato
13.19: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0028610.exe". Accesso negato
13.20: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030624.exe". Accesso negato
13.20: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028080.exe". Accesso negato
13.20: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028372.exe". Accesso negato
13.21: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030650.exe". Accesso negato
13.22: Warning: Failed to open file "c:\programmi\jyi.exe". Accesso negato
13.22: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030633.exe". Accesso negato
13.38: Warning: Failed to open file "c:\programmi\ijg.exe". Accesso negato
13.38: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030673.exe". Accesso negato
13.39: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030727.exe". Accesso negato
13.39: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp114\a0030685.exe". Accesso negato
14.06: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp106\a0028027.exe". Accesso negato
14.27: Found System Monitor: potentially rootkit-masked files
14.27: eigpq1.dll (ID = 0)
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.27: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.31: Warning: Unhandled Archive Type
14.32: Warning: Unhandled Archive Type
14.32: Warning: Unhandled Archive Type
14.33: Warning: Unhandled Archive Type
14.33: Warning: Unhandled Archive Type
14.33: Warning: Unhandled Archive Type
14.48: File Sweep Complete, Elapsed Time: 01.35.03
14.48: Full Sweep has completed. Elapsed time 01.25.36
14.48: Traces Found: 3
15.50: Removal process initiated
15.50: Quarantining All Traces: potentially rootkit-masked files
15.50: potentially rootkit-masked files is in use. It will be removed on reboot.
15.50: eigpq1.dll is in use. It will be removed on reboot.
15.50: Quarantining All Traces: mediaplex cookie
15.50: Quarantining All Traces: webtrends cookie
15.51: Preparing to restart your computer. Please wait...
15.51: Removal process completed. Elapsed time 00.00.35
15.57: Deletion from quarantine initiated
15.57: Processing: mediaplex cookie
15.57: Processing: potentially rootkit-masked files
15.57: Processing: webtrends cookie
15.57: Deletion from quarantine completed. Elapsed time 00.00.00
16.46: IE Tracking Cookies Shield: Removed tradedoubler cookie
16.46: IE Tracking Cookies Shield: Removed atlas dmt cookie
16.46: IE Tracking Cookies Shield: Removed 2o7.net cookie
16.47: IE Tracking Cookies Shield: Removed tradedoubler cookie
16.47: IE Tracking Cookies Shield: Removed atlas dmt cookie
16.47: IE Tracking Cookies Shield: Removed 2o7.net cookie
16.47: IE Tracking Cookies Shield: Removed 2o7.net cookie
16.48: IE Tracking Cookies Shield: Removed tradedoubler cookie
16.48: IE Tracking Cookies Shield: Removed tradedoubler cookie
16.50: IE Tracking Cookies Shield: Removed 2o7.net cookie
16.51: IE Tracking Cookies Shield: Removed 2o7.net cookie
16.51: IE Tracking Cookies Shield: Removed 2o7.net cookie
16.51: IE Tracking Cookies Shield: Removed 2o7.net cookie
16.51: IE Tracking Cookies Shield: Removed falkag cookie
16.51: IE Tracking Cookies Shield: Removed clicktracks cookie
16.52: IE Tracking Cookies Shield: Removed falkag cookie
16.55: IE Tracking Cookies Shield: Removed clicktracks cookie
16.56: IE Tracking Cookies Shield: Removed clicktracks cookie
17.00: IE Tracking Cookies Shield: Removed weborama cookie
17.01: IE Tracking Cookies Shield: Removed weborama cookie
17.01: IE Tracking Cookies Shield: Removed weborama cookie
17.02: IE Tracking Cookies Shield: Removed weborama cookie
10.37: Warning: Could not read persisted IE Hijack Setting value(1): HKU\S-1-5-21-1935655697-790525478-725345543-1009\Software\Webroot\SpySweeper\IEH\???????Ł??¸°─═▀▄╩┘╬¸Š┬╚┘─ě─═▀¸Ô┼▀╬┘┼╬▀?ţË█ă─┘╬┘¸Š╩┬┼°╬╩┘╚├?Ú╩┘\
18.26: BHO Shield: found: eigpq1.dll-- BHO installation allowed at user request
18.26: Your spyware definitions have been updated.
9.54: Processing Startup Alerts
9.54: Allowed Startup entry: NeroHomeFirstStart
16.46: IE Tracking Cookies Shield: Removed casalemedia cookie
16.46: IE Tracking Cookies Shield: Removed fastclick cookie
16.46: IE Tracking Cookies Shield: Removed fastclick cookie
16.47: IE Tracking Cookies Shield: Removed fastclick cookie
16.47: IE Tracking Cookies Shield: Removed fastclick cookie
16.47: IE Tracking Cookies Shield: Removed revenue.net cookie
16.47: IE Tracking Cookies Shield: Removed fastclick cookie
16.47: IE Tracking Cookies Shield: Removed fastclick cookie
16.47: IE Tracking Cookies Shield: Removed casalemedia cookie
16.48: IE Tracking Cookies Shield: Removed fastclick cookie
16.49: IE Tracking Cookies Shield: Removed casalemedia cookie
16.49: IE Tracking Cookies Shield: Removed fastclick cookie
9.39: Processing Startup Alerts
9.39: Removed Startup entry: hlxpi.exe
9.39: Removed Startup entry: MSMSGS
9.43: IE Tracking Cookies Shield: Removed 2o7.net cookie
9.43: IE Tracking Cookies Shield: Removed xiti cookie
9.52: IE Tracking Cookies Shield: Removed tribalfusion cookie
9.52: IE Tracking Cookies Shield: Removed tribalfusion cookie
9.53: IE Tracking Cookies Shield: Removed tribalfusion cookie
9.53: IE Tracking Cookies Shield: Removed tribalfusion cookie
15.12: IE Tracking Cookies Shield: Removed falkag cookie
20.49: Processing Startup Alerts
20.49: Removed Startup entry: hlxpi.exe
20.49: Removed Startup entry: MSMSGS
10.42: IE Tracking Cookies Shield: Removed casalemedia cookie
10.42: IE Tracking Cookies Shield: Removed casalemedia cookie
17.14: Warning: Accesso negato
18.08: Warning: Could not read persisted IE Hijack Setting value(1): HKU\S-1-5-21-1935655697-790525478-725345543-1009\Software\Webroot\SpySweeper\IEH\???????Ł??¸°─═▀▄╩┘╬¸Š┬╚┘─ě─═▀¸Ô┼▀╬┘┼╬▀?ţË█ă─┘╬┘¸Š╩┬┼°╬╩┘╚├?Ú╩┘\
9.31: Warning: Accesso negato
9.31: Processing Startup Alerts
9.31: Removed Startup entry: hlxpi.exe
9.31: Removed Startup entry: MSMSGS
9.37: IE Tracking Cookies Shield: Removed 2o7.net cookie
12.17: Program Version 4.5.9 (Build 709) Using Spyware Definitions 707
12.17: | End of Session, martedì 27 giugno 2006 |
********
10.05: | Start of Session, giovedì 22 giugno 2006 |
10.05: Spy Sweeper started
10.06: Updating spyware definitions
10.07: Your spyware definitions have been updated.
13.04: | End of Session, giovedì 22 giugno 2006 |
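The two posts above (#13 and the Spy Sweeper log in #15) together show the signals a practitioner looks for in this kind of case: executables the scanner cannot even open, short random names directly under Program Files, a "potentially rootkit-masked files" hit, and a startup entry (hlxpi.exe) that is removed and then comes back in a later session. The script below is an added example for this thread, not code from Webroot, BleepingComputer or either poster. It parses a few constructed log lines in the shape of the posted log and extracts those signals; the heuristics, the function names and the verdict thresholds are this example's own assumptions, not Spy Sweeper rules.

```python
"""Triage a Spy Sweeper session log for a self-protecting dropper.

Added example for this thread; not Webroot's code and not a Spy Sweeper
feature. The heuristics below (short random .exe names directly under
Program Files, access-denied files outside System Restore, rootkit-masked
hits, startup entries that return after removal) are this example's own
assumptions about what the posted log shows.
"""
import re
from collections import Counter

# Constructed sample in the shape of the log posted above (not the full log).
SAMPLE_LOG = r"""12.17: | Start of Session, 27 June 2006 |
12.17: Spy Sweeper started
12.23: Warning: Failed to open file "c:\programmi\ibl.exe". Accesso negato
12.29: Warning: Failed to open file "c:\programmi\jyi.exe". Accesso negato
13.13: Warning: Failed to open file "c:\system volume information\_restore{75eaf881-0bcb-4226-a630-e51fc9bc7635}\rp110\a0028319.exe". Accesso negato
13.38: Warning: Failed to open file "c:\programmi\ijg.exe". Accesso negato
14.27: Found System Monitor: potentially rootkit-masked files
14.27: eigpq1.dll (ID = 0)
9.39: Removed Startup entry: hlxpi.exe
9.39: Removed Startup entry: MSMSGS
20.49: Removed Startup entry: hlxpi.exe
"""

FAILED_OPEN = re.compile(r'Failed to open file "([^"]+)"\. (.+)$')
RESTORE_DIR = re.compile(r"\\system volume information\\", re.I)
# Three-letter lowercase .exe directly under Program Files (Italian: Programmi).
SHORT_NAME = re.compile(r"^c:\\(?:program files|programmi)\\[a-z]{3}\.exe$", re.I)
ROOTKIT_MASKED = re.compile(r"potentially rootkit-masked files")
STARTUP_REMOVED = re.compile(r"Removed Startup entry: (\S+)")


def failed_opens(log):
    """(path, reason) for every file the file sweep could not open."""
    hits = []
    for line in log.splitlines():
        m = FAILED_OPEN.search(line)
        if m:
            hits.append((m.group(1).lower(), m.group(2).strip()))
    return hits


def triage(log):
    """Pull the signals that matter for the cleanup plan out of one log."""
    locked = failed_opens(log)
    # Copies inside System Restore are locked by design; count them but do
    # not let them drive the verdict.
    in_restore = [p for p, _ in locked if RESTORE_DIR.search(p)]
    live = sorted({p for p, _ in locked if not RESTORE_DIR.search(p)})
    startup = Counter(m.group(1) for m in map(STARTUP_REMOVED.search, log.splitlines()) if m)
    return {
        "locked_outside_restore": live,
        "short_random_in_program_files": [p for p in live if SHORT_NAME.match(p)],
        "restore_point_copies_locked": len(in_restore),
        "rootkit_masked_hits": sum(1 for l in log.splitlines() if ROOTKIT_MASKED.search(l)),
        # An entry removed more than once is being re-created by something
        # that is still running.
        "recurring_startup_entries": sorted(n for n, c in startup.items() if c > 1),
    }


def verdict(report):
    """Plain-language reading of the report, with the reasons behind it."""
    reasons = []
    if report["short_random_in_program_files"]:
        reasons.append("random short-named executables under Program Files the scanner could not open")
    if report["rootkit_masked_hits"]:
        reasons.append("scanner reported rootkit-masked files")
    if report["recurring_startup_entries"]:
        reasons.append("startup entries re-created after removal")
    if len(reasons) >= 2:
        return "active self-protecting infection: examine and remove from outside the running OS", reasons
    if reasons:
        return "suspicious: investigate the flagged items", reasons
    return "nothing suspicious in this log", reasons


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key, value in rep.items():
        print(f"{key}: {value}")
    summary, why = verdict(rep)
    print(summary)
    for r in why:
        print(" -", r)
```

Run it as-is, or feed it a saved session log in place of SAMPLE_LOG. The point of the verdict is the caveat: once a scanner reports rootkit masking and cannot open the files at all, a "delete on reboot" issued from inside the same Windows instance is racing whatever keeps re-creating them, which is why the safe-mode sweep in #15 still came back clean with the files untouched. The owner shown as "HIX" with no matching local account is a further triage note worth recording before anything is deleted, since the owning SID identifies where the files came from.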



