Hijackthis Log Analysis Required


  • This topic is locked
31 replies to this topic

#1 alessandrocancian

Posted 19 March 2007 - 03:08 AM

Hi,
I've got serious problems with explorer. It freezes frequently and works slowly. I've scanned the disk with AVG, but to no avail. Can someone help me analysing the following log?

Logfile of HijackThis v1.99.1
Scan saved at 08:50:18 ق.ظ, on 2007/03/19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Oveis\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p USB -pn "hp LaserJet 1010 Series Driver" -n 0 -l -sl 120000
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887377994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887357905
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Thanks

Alessandro

#2 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 19 March 2007 - 03:53 AM

Welcome Alessandro :thumbsup:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

******************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply, along with a new Hijackthis log please.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

#3 alessandrocancian

  • Topic Starter

Posted 19 March 2007 - 06:44 AM

Thanks,
I did it, here is the ATF's log:

"Oveis" - 07-03-19 12:25:05 Service Pack 1
ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Oveis\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Installer\fee2e.msi


((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 ))))))))))))))))))))))))))))))))))


2007-03-15 09:57 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-03-15 09:55 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-03-15 09:29 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-03-15 09:29 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-03-15 09:29 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-03-15 09:28 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-03-15 09:28 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-03-15 09:27 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-03-15 09:27 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-03-15 09:26 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-03-15 09:26 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-03-15 09:26 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-03-15 09:26 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-03-15 09:26 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-03-15 09:26 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-03-15 09:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-03-15 09:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-03-15 09:26 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-03-15 09:26 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-03-15 09:25 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-03-15 09:21 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-03-15 07:59 <DIR> d--hs---- C:\FOUND.006
2007-02-22 08:57 <DIR> d--hs---- C:\FOUND.005
2007-02-22 08:07 <DIR> d-------- C:\WINDOWS\system32\bits
2007-02-22 08:04 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-02-22 08:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-02-22 08:04 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-02-20 14:58 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-02-20 14:58 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-02-20 14:58 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-02-20 14:58 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-02-20 14:58 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-02-20 14:58 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-02-20 14:58 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-02-20 14:58 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-02-20 07:49 <DIR> d--hs---- C:\FOUND.004
2007-02-19 15:17 <DIR> d-------- C:\Program Files\True Sword 4
2007-02-19 15:17 <DIR> d-------- C:\DOCUME~1\Oveis\APPLIC~1\.TrueSwordSettings
2007-02-19 13:33 86,016 -ra------ C:\WINDOWS\system32\ZLhp1020.dll
2007-02-19 13:33 397,312 -ra------ C:\WINDOWS\system32\zshp1020.exe
2007-02-19 13:33 28,672 -ra------ C:\WINDOWS\system32\zlm.dll
2007-02-19 13:33 143,360 -ra------ C:\WINDOWS\apptune1020.exe
2007-02-19 13:33 106,496 -ra------ C:\WINDOWS\system32\vshp1020.dll
2007-02-19 13:33 <DIR> d--h----- C:\Program Files\Zenographics
2007-02-19 13:33 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-02-19 13:30 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-02-19 13:30 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-02-19 13:30 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-02-19 13:30 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-02-19 13:30 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2007-02-19 13:18 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-02-19 13:16 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-02-19 13:16 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-02-19 13:16 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-02-19 13:16 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-02-19 13:16 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-02-19 13:16 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-02-19 13:16 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-02-19 12:59 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2007-02-19 12:58 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-02-19 11:24 <DIR> d-------- C:\lj1010seriesprintsys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ATnotes.exe"="C:\\Program Files\\ATnotes\\ATnotes.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"OrderReminder"="C:\\Program Files\\Hewlett-Packard\\OrderReminder\\OrderReminder.exe"
@=""
"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"HPLJ Config"="C:\\Program Files\\Hewlett-Packard\\hp LaserJet 1010 Series\\SetConfig.exe -c Direct -p USB -pn \"hp LaserJet 1010 Series Driver\" -n 0 -l -sl 120000"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"1"="C:\\WINDOWS\\service32.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-19 12:29:30


I'll post a new HijackThis log in a second reply, because I cannot open it without freezing the system.

Thanks

Alessandro
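
The "Files Created" section of the ComboFix log above lists one entry per line: a timestamp, a byte count (or <DIR>), a nine-character attribute string and a path. The parser below is an added example written for this page; it is not part of ComboFix, HijackThis or BleepingComputer's own tooling. Its sample input is an excerpt of the entries from the log posted above, and the function names (parse_created_section, hidden_or_system, created_between, count_by_day, total_file_bytes) are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# One line of ComboFix's "Files Created" section looks like:
#   2007-03-15 09:29 46,352 --a------ C:\WINDOWS\setdebug.exe
#   2007-03-15 09:57 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
# i.e. timestamp, byte count (or <DIR>), nine attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[-dahsr]{9}) "
    r"(?P<path>.+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass(frozen=True)
class CreatedEntry:
    when: datetime
    is_dir: bool
    size: int    # 0 for directories
    attrs: str   # 'd' directory, 'a' archive, 'h' hidden, 's' system, 'r' read-only
    path: str


def parse_created_section(text):
    """Parse the entry lines of a 'Files Created' section; banners and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        is_dir = m.group("size") == "<DIR>"
        size = 0 if is_dir else int(m.group("size").replace(",", ""))
        entries.append(CreatedEntry(
            when=datetime.strptime(m.group("when"), TIME_FMT),
            is_dir=is_dir,
            size=size,
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return entries


def hidden_or_system(entries):
    """Entries carrying the hidden or system attribute, in log order."""
    return [e for e in entries if "h" in e.attrs or "s" in e.attrs]


def created_between(entries, start, end):
    """Entries whose timestamp lies in [start, end]; bounds use the log's own format."""
    lo, hi = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    return [e for e in entries if lo <= e.when <= hi]


def count_by_day(entries):
    """How many entries were created on each calendar day."""
    return Counter(e.when.strftime("%Y-%m-%d") for e in entries)


def total_file_bytes(entries):
    """Sum of file sizes, ignoring directories."""
    return sum(e.size for e in entries if not e.is_dir)


# Excerpt of the entries from the ComboFix log posted above (post #3).
SAMPLE = r"""
((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 ))))))))))))))))))))))))))))))))))

2007-03-15 09:57 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-03-15 09:29 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-03-15 09:26 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-03-15 07:59 <DIR> d--hs---- C:\FOUND.006
2007-02-22 08:04 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-02-19 13:33 86,016 -ra------ C:\WINDOWS\system32\ZLhp1020.dll
2007-02-19 13:30 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
"""

if __name__ == "__main__":
    entries = parse_created_section(SAMPLE)
    print(f"{len(entries)} entries, {total_file_bytes(entries):,} bytes in files")
    for day, n in sorted(count_by_day(entries).items()):
        print(f"  {day}: {n} created")
    for e in hidden_or_system(entries):
        print("  hidden/system:", e.attrs, e.path)
    for e in created_between(entries, "2007-03-15 09:00", "2007-03-15 23:59"):
        print("  in window:", e.when.strftime(TIME_FMT), e.path)
```

Filtering by attribute and by time window is how a helper narrows a section like this down to the entries worth a second look: items flagged hidden or system, or everything created in the hours around the time the symptoms began.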

#4 alessandrocancian

  • Topic Starter

Posted 19 March 2007 - 06:52 AM

Hallo, here is the new HijackThis log.

Please help, the situation seems to be getting worse...

Logfile of HijackThis v1.99.1
Scan saved at 12:33:19 ب.ظ, on 2007/03/19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Oveis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p USB -pn "hp LaserJet 1010 Series Driver" -n 0 -l -sl 120000
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887377994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887357905
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#5 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 19 March 2007 - 07:01 AM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

**********************************

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Post the AVG Anti-Spyware report, the F-Secure report, and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

#6 alessandrocancian

  • Topic Starter

Posted 19 March 2007 - 09:01 AM

Hallo,
I've followed your instructions, but when I try to scan online with F-Secure, it gives me an error message. I've tried many times, but with the same result. It tells me to try again and appears (n.21).

Anyway, here are the HijackThis and AVG Anti-Spyware logs:

Logfile of HijackThis v1.99.1
Scan saved at 02:51:27 ب.ظ, on 2007/03/19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Oveis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p USB -pn "hp LaserJet 1010 Series Driver" -n 0 -l -sl 120000
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887377994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887357905
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 02:07:05 ب.ظ 2007/03/19

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
D:\Documents and Settings\wat\Cookies\wat@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Oveis\Cookies\oveis@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Oveis\Cookies\oveis@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\wat\Cookies\wat@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.


::Report end
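
Three HijackThis logs now appear in this thread, and the AVG Anti-Spyware report above names a CLSID ({c95fe080-8f5d-11d2-a20b-00aa003c157a}) that it quarantined. The script below is an added example, not code from the thread, from HijackThis or from AVG: it parses HijackThis entry lines, diffs two logs so that new and removed entries stand out, and looks up entries by CLSID so a scanner's report can be matched against the log. The sample inputs are excerpts from the first log (post #1) and the log in post #6; the function names (parse_hjt_log, diff_hjt_logs, entries_with_clsid, parse_run_entries) are my own.

```python
import re
from dataclasses import dataclass

# A HijackThis entry line is "<section> - <body>", where the section code is a
# letter (R, F, N or O) followed by a number, e.g. R0, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# COM class ids as they appear in O2/O3/O9/O16 entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Body of a registry-based O4 entry:  HKLM\..\Run: [value name] command line
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


@dataclass(frozen=True)
class HjtEntry:
    section: str   # "O4", "O9", "O23", ...
    body: str      # everything after "<section> - "


def parse_hjt_log(text):
    """Return the entry lines of a HijackThis log; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("body")))
    return entries


def _order(entry):
    # Sort by section letter, then numeric section, then text (so O4 sorts before O16).
    return (entry.section[0], int(entry.section[1:]), entry.body)


def diff_hjt_logs(before_text, after_text):
    """(added, removed): entries only in the later log, and entries only in the earlier one."""
    before = set(parse_hjt_log(before_text))
    after = set(parse_hjt_log(after_text))
    return sorted(after - before, key=_order), sorted(before - after, key=_order)


def entries_with_clsid(entries, clsid):
    """Entries whose body mentions the given CLSID (case-insensitive)."""
    wanted = clsid.upper()
    return [e for e in entries
            if any(m.upper() == wanted for m in CLSID_RE.findall(e.body))]


def parse_run_entries(entries):
    """(hive, value name, command) for each registry-based O4 Run entry."""
    runs = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.body)
        if m:
            runs.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return runs


# Excerpt from the first log in this thread (post #1).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Excerpt from the log in post #6, taken after AVG Anti-Spyware had run.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

if __name__ == "__main__":
    added, removed = diff_hjt_logs(LOG_BEFORE, LOG_AFTER)
    for e in removed:
        print("-", e.section, "-", e.body)
    for e in added:
        print("+", e.section, "-", e.body)
    # The CLSID AVG Anti-Spyware reported as quarantined, looked up in both logs.
    clsid = "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    print("before:", len(entries_with_clsid(parse_hjt_log(LOG_BEFORE), clsid)), "entries with", clsid)
    print("after: ", len(entries_with_clsid(parse_hjt_log(LOG_AFTER), clsid)), "entries with", clsid)
    for hive, name, cmd in parse_run_entries(parse_hjt_log(LOG_AFTER)):
        print(f"  {hive} Run [{name}] -> {cmd}")
```

Run on the two excerpts it reports the two O9 'Related' entries as removed and the AVG Anti-Spyware run key, its service and the F-Secure scanner control as added, which is the same picture a helper builds by eye when comparing successive logs. Because the diff keys on the full text of each entry, a changed command line shows up as one removal plus one addition rather than being missed.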

#7 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 19 March 2007 - 09:12 AM

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control, please do so.
Once installed click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
Also post a new Hijackthis log please.

#8 alessandrocancian

  • Topic Starter

Posted 20 March 2007 - 05:10 AM

Hi, after scanning, the system seems to be working better.
Here are the logs required:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:28 ق.ظ, on 2007/03/20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Oveis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p USB -pn "hp LaserJet 1010 Series Driver" -n 0 -l -sl 120000
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887377994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887357905
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
BitDefender Online Scanner

Scan report generated at: Tue, Mar 20, 2007 - 11:01:30
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 02:32:41
Files: 276490
Folders: 3261
Boot Sectors: 3
Archives: 1006
Packed Files: 15822

Results
Identified Viruses: 3
Infected Files: 28
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 28

Engines Info
Virus Definitions: 405811
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\WINDOWS\system32\Panda Software\ActiveScan2\pskahk.dll - Infected with: Generic.Malware.SIMDWYNVdprn.5487BF69
C:\WINDOWS\system32\Panda Software\ActiveScan2\pskahk.dll - Disinfection failed
C:\WINDOWS\system32\Panda Software\ActiveScan2\pskahk.dll - Deleted
C:\WINDOWS\Control.exe - Clean
C:\WINDOWS\Music.MP3 - Clean
C:\WINDOWS\FlashPlayer.exe - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r) - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r)=>GetFlash.man - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r)=>swflash.inf - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r)=>Flash.ocx - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r)=>GetFlash.exe - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r)=>ADVPACK.DLL - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r)=>W95INF32.DLL - Clean
C:\WINDOWS\FlashPlayer.exe=>(CAB Sfx r)=>W95INF16.DLL - Clean
C:\WINDOWS\ARMIN.ICO - Clean
C:\WINDOWS\CDROM.ICO - Clean
C:\WINDOWS\48.ico - Clean
C:\WINDOWS\FARSI.ICO - Clean
C:\WINDOWS\MFC40.DLL - Clean
C:\WINDOWS\MPJFILE.ICO - Clean
C:\WINDOWS\SETA.tmp - Clean
C:\WINDOWS\MSVCRT40.DLL - Clean
C:\WINDOWS\Mrtm.ico - Clean
C:\WINDOWS\PLY.ICO - Clean
C:\WINDOWS\RICHED32.DLL - Clean
C:\WINDOWS\Project1.ico - Clean
C:\WINDOWS\Fish3264.vmf - Clean
C:\WINDOWS\TALKIT.ICO - Clean
C:\WINDOWS\_1Aqua2.scr - Clean
C:\System Volume Information\_restore{58A776F2-EE67-47F4-AF58-107FF9E3ACCD}\RP78\A0048312.dll - Infected with: Generic.Malware.SIMDWYNVdprn.5487BF69
C:\System Volume Information\_restore{58A776F2-EE67-47F4-AF58-107FF9E3ACCD}\RP78\A0048312.dll - Disinfection failed
C:\System Volume Information\_restore{58A776F2-EE67-47F4-AF58-107FF9E3ACCD}\RP78\A0048312.dll - Deleted
C:\$VAULT$.AVG\02923103.FIL - Infected with: Trojan.JS.Downloader.ABN
C:\$VAULT$.AVG\02923103.FIL - Disinfection failed
C:\$VAULT$.AVG\02923103.FIL - Deleted
C:\$VAULT$.AVG\04518737.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04518737.FIL - Disinfection failed
C:\$VAULT$.AVG\04518737.FIL - Deleted
C:\$VAULT$.AVG\00453642.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\00453642.FIL - Disinfection failed
C:\$VAULT$.AVG\00453642.FIL - Deleted
C:\$VAULT$.AVG\00110458.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\00110458.FIL - Disinfection failed
C:\$VAULT$.AVG\00110458.FIL - Deleted
C:\$VAULT$.AVG\00687388.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\00687388.FIL - Disinfection failed
C:\$VAULT$.AVG\00687388.FIL - Deleted
C:\$VAULT$.AVG\01351743.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\01351743.FIL - Disinfection failed
C:\$VAULT$.AVG\01351743.FIL - Deleted
C:\$VAULT$.AVG\01968370.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\01968370.FIL - Disinfection failed
C:\$VAULT$.AVG\01968370.FIL - Deleted
C:\$VAULT$.AVG\04711224.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711224.FIL - Disinfection failed
C:\$VAULT$.AVG\04711224.FIL - Deleted
C:\$VAULT$.AVG\04711394.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711394.FIL - Disinfection failed
C:\$VAULT$.AVG\04711394.FIL - Deleted
C:\$VAULT$.AVG\04711444.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711444.FIL - Disinfection failed
C:\$VAULT$.AVG\04711444.FIL - Deleted
C:\$VAULT$.AVG\04711504.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711504.FIL - Disinfection failed
C:\$VAULT$.AVG\04711504.FIL - Deleted
C:\$VAULT$.AVG\04711534.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711534.FIL - Disinfection failed
C:\$VAULT$.AVG\04711534.FIL - Deleted
C:\$VAULT$.AVG\04711584.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711584.FIL - Disinfection failed
C:\$VAULT$.AVG\04711584.FIL - Deleted
C:\$VAULT$.AVG\04711624.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711624.FIL - Disinfection failed
C:\$VAULT$.AVG\04711624.FIL - Deleted
C:\$VAULT$.AVG\04711665.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711665.FIL - Disinfection failed
C:\$VAULT$.AVG\04711665.FIL - Deleted
C:\$VAULT$.AVG\04711715.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711715.FIL - Disinfection failed
C:\$VAULT$.AVG\04711715.FIL - Deleted
C:\$VAULT$.AVG\04711755.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711755.FIL - Disinfection failed
C:\$VAULT$.AVG\04711755.FIL - Deleted
C:\$VAULT$.AVG\04711795.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711795.FIL - Disinfection failed
C:\$VAULT$.AVG\04711795.FIL - Deleted
C:\$VAULT$.AVG\04711855.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711855.FIL - Disinfection failed
C:\$VAULT$.AVG\04711855.FIL - Deleted
C:\$VAULT$.AVG\04711905.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711905.FIL - Disinfection failed
C:\$VAULT$.AVG\04711905.FIL - Deleted
C:\$VAULT$.AVG\04711965.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04711965.FIL - Disinfection failed
C:\$VAULT$.AVG\04711965.FIL - Deleted
C:\$VAULT$.AVG\04712015.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04712015.FIL - Disinfection failed
C:\$VAULT$.AVG\04712015.FIL - Deleted
C:\$VAULT$.AVG\04712085.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04712085.FIL - Disinfection failed
C:\$VAULT$.AVG\04712085.FIL - Deleted
C:\$VAULT$.AVG\04712155.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04712155.FIL - Disinfection failed
C:\$VAULT$.AVG\04712155.FIL - Deleted
C:\$VAULT$.AVG\04712205.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04712205.FIL - Disinfection failed
C:\$VAULT$.AVG\04712205.FIL - Deleted
C:\$VAULT$.AVG\04712476.FIL - Infected with: Trojan.Spy.Small.D
C:\$VAULT$.AVG\04712476.FIL - Disinfection failed
C:\$VAULT$.AVG\04712476.FIL - Deleted


Please let me know if it's OK, and what the problem was.

Thanks again

Alessandro

#9 alessandrocancian

  • Topic Starter
  • Members
  • 67 posts

Posted 20 March 2007 - 05:17 AM

Ahem,
on second glance, perhaps it's still not working perfectly, though far better than before.

Alessandro

#10 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 20 March 2007 - 07:17 AM

Download 'eScan MWAV' from here to your desktop:
http://www.mwti.net/download/tools/mwav.exe
Disconnect from the internet.
Double-click on the mwav icon on your desktop.
The program will start, and the Licence Agreement will pop up.
Select 'I accept the agreement', then press Ok.
The program will open; leave all the settings as they are.
Now press the 'Scan & Clean' button.
The program will now start scanning your pc.
Once the scan has finished, exit MWAV.

*********************

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished, it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs', double-click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

#11 alessandrocancian

  • Topic Starter
  • Members
  • 67 posts

Posted 23 March 2007 - 06:29 AM

Hi,
I did all you told me, but the system is still working badly, even worse than before :thumbsup: .

Here are the requested logs:

SUPERAntiSpyware Scan Log
Generated 03/23/2007 at 12:01 PM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 02:51:40

Memory items scanned : 350
Memory threats detected : 0
Registry items scanned : 3975
Registry threats detected : 5
File items scanned : 27800
File threats detected : 14

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{f250d521-225d-4d6b-8829-e064f944e180}
HKCR\CLSID\{F250D521-225D-4D6B-8829-E064F944E180}
HKCR\CLSID\{F250D521-225D-4D6B-8829-E064F944E180}\InprocServer32
C:\WINDOWS\SYSTEM32\RDAA.DLL
HKCR\CLSID\{F250D521-225D-4D6B-8829-E064F944E180}

Adware.Tracking Cookie
C:\Documents and Settings\Oveis\Cookies\oveis@atdmt[1].txt
C:\Documents and Settings\Oveis\Cookies\oveis@bs.serving-sys[1].txt
C:\Documents and Settings\Oveis\Cookies\oveis@serving-sys[1].txt
C:\Documents and Settings\Oveis\Cookies\oveis@statcounter[1].txt
C:\Documents and Settings\Oveis\Cookies\oveis@statse.webtrendslive[1].txt
C:\Documents and Settings\Oveis\Cookies\oveis@cgi-bin[2].txt
C:\Documents and Settings\Oveis\Cookies\oveis@cgi-bin[1].txt
C:\Documents and Settings\Oveis\Cookies\oveis@doubleclick[1].txt
D:\Documents and Settings\wat\Cookies\wat@ads.cdfreaks[1].txt
D:\Documents and Settings\wat\Cookies\wat@media.intelia[1].txt
D:\Documents and Settings\wat\Cookies\wat@apmebf[1].txt
D:\Documents and Settings\wat\Cookies\wat@m1.webstats4u[1].txt
D:\Documents and Settings\wat\Cookies\wat@webstats4u[2].txt

Browser Hijacker.Glotka
HKU\S-1-5-21-1935655697-113007714-839522115-1003\Software\fid
Logfile of HijackThis v1.99.1
Scan saved at 12:22:52 ب.ظ, on 2007/03/23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Oveis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p USB -pn "hp LaserJet 1010 Series Driver" -n 0 -l -sl 120000
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887377994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171887357905
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#12 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 26 March 2007 - 02:28 AM

Please download Sophos Anti-Rootkit, and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished, and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-Rootkit as Trojan.Dropper.Interlac.100,
so if you have Trojan Hunter installed you will need to disable it prior to running a scan.

******************************

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next, click Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded, click on NEXT.
• Now click on Scan Settings.
• In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    • Standard
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK.
• Now, under 'select a target to scan':
  • Select My Computer
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, it will display whether your system has been infected.
• Now click on the Save as Text button.
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

#13 alessandrocancian

  • Topic Starter
  • Members
  • 67 posts

Posted 26 March 2007 - 07:36 AM

Hi, thanks again.

I did it, but the PC is still running badly.
Here are the two reports:

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 2007/03/26 at 09:50:49 ق.ظ
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Office Document Image Writer
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Office Document Image Writer
Hidden: file D:\Documents and Settings\All Users\Application Data\Symantec\Norton Internet Security\CATS.DAT
Stopped logging on 2007/03/26 at 09:58:48



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 26, 2007 2:31:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 26/03/2007
Kaspersky Anti-Virus database records: 269625
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 41764
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:31:00

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\jar_cache44887.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF9EB6.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DFCDAE.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~WRS0001.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~WRF0002.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF753B.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF9856.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF63C8.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF313A.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF7C16.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF7C2A.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temp\~DF8AD4.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\History\History.IE5\MSHist012007032620070327\index.dat Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Oveis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Oveis\Desktop\oveis\Backup desktop\Corano\latin e kamel.doc Object is locked skipped
C:\Documents and Settings\Oveis\Desktop\quran english.doc Object is locked skipped
C:\Documents and Settings\Oveis\Desktop\~WRL3619.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Desktop\~WRL1025.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Desktop\~WRL3830.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Desktop\~WRL0267.tmp Object is locked skipped
C:\Documents and Settings\Oveis\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Oveis\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Oveis\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
C:\Documents and Settings\Oveis\Application Data\Microsoft\Word\AutoRecovery save of quran english.asd Object is locked skipped
C:\Documents and Settings\Oveis\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Oveis\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{58A776F2-EE67-47F4-AF58-107FF9E3ACCD}\RP98\change.log Object is locked skipped

Scan process completed.

#14 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 26 March 2007 - 09:13 AM

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', then run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on, when it's finished.

***********************

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes', and your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are created automatically.

***********************

Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8 continuously.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double-click the RunThis.bat file to start the tool.
Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed.
Please post that log in your next reply.

***********************

Download chercher.zip by Malekal_morte to your Desktop:
http://www.malekal.com/download/telecharger.com/chercher.zip

* Right-click 'chercher.zip' and unzip all.
* You will get a new folder.
* Open this folder and double-click 'chercher.cmd'.
* A DOS window opens; leave it open and wait until it asks you to press any key.
* Notepad will open with a long report.

Copy this report and paste it into your next reply.

#15 alessandrocancian

alessandrocancian
  • Topic Starter

  • Members
  • 67 posts

Posted 27 March 2007 - 02:19 AM

Thanks, done, but I didn't notice significant progress.
Here are the logs:


smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Tue 03/27/2007
The current time is: 8:56:08.17

Running from
C:\Documents and Settings\Oveis\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 692 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


C:\WINDOWS\System32\wpa.dbl -->2007/03/26 08:01:32 AM
C:\WINDOWS\System32\FNTCACHE.DAT -->2007/03/26 08:01:20 AM
C:\WINDOWS\System32\spupdsvc.inf -->2007/03/23 11:44:20 AM
C:\WINDOWS\System32\CMMGR32.EXE -->2007/03/20 03:07:52 PM
C:\WINDOWS\System32\MRT.exe -->2007/03/07 09:36:32 PM
C:\WINDOWS\System32\zhp1020.log -->2007/02/19 01:33:16 PM
C:\WINDOWS\System32\jupdate-1.5.0_09-b03.log -->2006/12/22 08:17:14 AM
C:\WINDOWS\System32\jupdate-1.5.0_06-b05.log -->2006/10/18 09:51:32 AM
C:\WINDOWS\System32\pdf2word.DAT -->2006/10/13 01:42:28 PM
C:\WINDOWS\System32\PDF2TXT.DAT -->2006/10/13 01:41:38 PM
C:\WINDOWS\System32\javaws.exe -->2006/10/12 03:10:56 AM
C:\WINDOWS\System32\jpicpl32.cpl -->2006/10/12 03:10:54 AM
C:\WINDOWS\System32\javaw.exe -->2006/10/12 01:35:24 AM
C:\WINDOWS\System32\java.exe -->2006/10/12 01:35:14 AM
C:\WINDOWS\System32\msvcp71.dll -->2006/09/28 03:51:40 PM
C:\WINDOWS\System32\msvcr71.dll -->2006/09/28 03:51:40 PM
C:\WINDOWS\System32\1stscrhook.dll -->2006/09/26 12:05:24 PM
C:\WINDOWS\System32\PerfStringBackup.TMP -->2006/09/26 11:30:34 AM
C:\WINDOWS\System32\perfh009.dat -->2006/09/26 11:30:34 AM
C:\WINDOWS\System32\perfc009.dat -->2006/09/26 11:30:34 AM
C:\WINDOWS\System32\wmpscheme.xml -->2006/09/26 11:27:36 AM
C:\WINDOWS\System32\$winnt$.inf -->2006/09/26 11:23:24 AM
C:\WINDOWS\System32\CONFIG.NT -->2006/09/26 11:16:46 AM
C:\WINDOWS\System32\WindowsLogon.manifest -->2006/09/26 11:14:18 AM
C:\WINDOWS\System32\logonui.exe.manifest -->2006/09/26 11:14:18 AM

C:\WINDOWS\wiadebug.log -->2007/03/27 09:00:56 AM
C:\WINDOWS\0.log -->2007/03/27 08:59:54 AM
C:\WINDOWS\bootstat.dat -->2007/03/27 08:58:42 AM
C:\WINDOWS\ntbtlog.txt -->2007/03/27 08:58:00 AM
C:\WINDOWS\setupact.log -->2007/03/27 08:57:20 AM
C:\WINDOWS\WindowsUpdate.log -->2007/03/27 08:54:26 AM
C:\WINDOWS\SchedLgU.Txt -->2007/03/27 08:54:20 AM
C:\WINDOWS\wiaservc.log -->2007/03/27 08:54:06 AM
C:\WINDOWS\setupapi.log -->2007/03/26 10:11:30 AM
C:\WINDOWS\KB899587.log -->2007/03/23 12:38:08 PM
C:\WINDOWS\KB924191.log -->2007/03/23 12:37:58 PM
C:\WINDOWS\KB922819.log -->2007/03/23 12:37:46 PM
C:\WINDOWS\KB885835.log -->2007/03/23 12:36:56 PM
C:\WINDOWS\KB885836.log -->2007/03/23 12:36:12 PM
C:\WINDOWS\KB923414.log -->2007/03/23 12:36:06 PM

C:\WINDOWS\twunk_16.exe |Twain Working Group |11/10/2001 13:30:00
C:\WINDOWS\twunk_32.exe |Twain Working Group |11/10/2001 13:30:00
C:\WINDOWS\ARMIN.EXE |ArminSHS |26/09/2006 11:29:48
C:\WINDOWS\Control.exe |www.Win2Farsi.com |26/09/2006 11:29:47
C:\WINDOWS\CleanReg.EXE |www.Win2farsi.com |26/09/2006 11:29:45
C:\WINDOWS\About.EXE |COMPANY |26/09/2006 11:29:46
C:\WINDOWS\VCDMP3.EXE |win2Farsi |26/09/2006 11:29:46
C:\WINDOWS\NCUNINST.EXE |Northern Codeworks |19/02/2007 12:59:19
C:\WINDOWS\apptune1020.exe |Zenographics |19/02/2007 13:33:14
C:\WINDOWS\AR_ActiveDesktop.exe |COMPANY |26/09/2006 11:29:56
C:\WINDOWS\AR_ConfigSet.exe |COMPANY |26/09/2006 11:29:56
C:\WINDOWS\bdoscandel.exe |COMPANY |25/05/2006 01:22:06
C:\WINDOWS\logo1_.exe |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\zts2.exe |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\rundll16.exe |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\twain.dll |Twain Working Group |11/10/2001 13:30:00
C:\WINDOWS\twain_32.dll |Twain Working Group |11/10/2001 13:30:00
C:\WINDOWS\snverifydll.dll |COMPANY |26/09/2006 11:29:57
C:\WINDOWS\rundl132.dll |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\system32\append.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\debug.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\dosx.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\dvdplay.exe |COMPANY |17/08/2001 22:36:42
C:\WINDOWS\system32\edlin.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\exe2bin.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\fastopen.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\mem.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\mscdexnt.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\nlsfunc.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\nw16.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\setver.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\share.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\vwipxspx.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\usrmlnka.exe |U.S. Robotics Corporation |17/08/2001 22:37:00
C:\WINDOWS\system32\usrprbda.exe |U.S. Robotics Corporation |17/08/2001 22:37:00
C:\WINDOWS\system32\usrshuta.exe |U.S. Robotics Corporation |17/08/2001 22:37:00
C:\WINDOWS\system32\osk.exe |www.Win2farsi.com |11/10/2001 13:30:00
C:\WINDOWS\system32\redir.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\java.exe |Sun Microsystems, Inc. |22/12/2006 08:17:19
C:\WINDOWS\system32\javaw.exe |Sun Microsystems, Inc. |22/12/2006 08:17:19
C:\WINDOWS\system32\javaws.exe |Sun Microsystems, Inc. |22/12/2006 08:17:19
C:\WINDOWS\system32\zshp1020.exe |COMPANY |19/02/2007 13:33:08
C:\WINDOWS\system32\hpzinw12.exe |HP |01/08/2002 10:16:22
C:\WINDOWS\system32\hpzipm12.exe |HP |01/08/2002 10:22:40
C:\WINDOWS\system32\HPBOID.EXE |Hewlett-Packard Company |04/09/2002 07:12:46
C:\WINDOWS\system32\HPBPRO.EXE |Hewlett-Packard Company |30/04/2002 17:47:34
C:\WINDOWS\system32\CMMGR32.EXE |COMPANY |20/03/2007 15:07:51
C:\WINDOWS\system32\devenum.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\atmfd.dll |Adobe Systems Incorporated |11/10/2001 13:30:00
C:\WINDOWS\system32\atmlib.dll |Adobe Systems |11/10/2001 13:30:00
C:\WINDOWS\system32\amstream.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\mciqtz32.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\qcap.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\qdv.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\qdvd.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\quartz.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\msdmo.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\qasf.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\qedit.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\iccvid.dll |Radius Inc. |11/10/2001 13:30:00
C:\WINDOWS\system32\ir32_32.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\jgaw400.dll |Johnson-Grace Company |11/10/2001 13:30:00
C:\WINDOWS\system32\jgdw400.dll |America Online |11/10/2001 13:30:00
C:\WINDOWS\system32\jgmd400.dll |Johnson-Grace Company |11/10/2001 13:30:00
C:\WINDOWS\system32\jgpl400.dll |Johnson-Grace Company |11/10/2001 13:30:00
C:\WINDOWS\system32\jgsd400.dll |America Online |11/10/2001 13:30:00
C:\WINDOWS\system32\jgsh400.dll |Johnson-Grace Company |11/10/2001 13:30:00
C:\WINDOWS\system32\qedwipes.dll |COMPANY |26/09/2006 11:38:31
C:\WINDOWS\system32\mdwmdmsp.dll |RioPort |17/08/2001 22:36:20
C:\WINDOWS\system32\msencode.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\scriptpw.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\slbcsp.dll |Schlumberger Technology Corporation |11/10/2001 13:30:00
C:\WINDOWS\system32\slbiop.dll |Schlumberger Technology Corporation |11/10/2001 13:30:00
C:\WINDOWS\system32\slbrccsp.dll |Schlumberger Technology Corporation |11/10/2001 13:30:00
C:\WINDOWS\system32\spnike.dll |S3/Diamond Multimedia |17/08/2001 22:36:32
C:\WINDOWS\system32\sprio600.dll |S3/Diamond Multimedia |17/08/2001 22:36:32
C:\WINDOWS\system32\sprio800.dll |S3/Diamond Multimedia |17/08/2001 22:36:32
C:\WINDOWS\system32\tsd32.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\win87em.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\paqsp.dll |COMPANY |17/08/2001 22:36:28
C:\WINDOWS\system32\usrcntra.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrcoina.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrdpa.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrdtea.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrfaxa.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrlbva.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrrtosa.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrsdpia.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrsvpia.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrv42a.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrv80a.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrvoica.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\usrvpa.dll |U.S. Robotics Corporation |17/08/2001 22:36:34
C:\WINDOWS\system32\dxmasf.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\compatUI.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\psisdecd.dll |COMPANY |26/09/2006 11:38:32
C:\WINDOWS\system32\encdec.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\msdxmlc.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\1stscrhook.dll |COMPANY |26/09/2006 12:05:23
C:\WINDOWS\system32\sbe.dll |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\vcmgcd32.dll |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\system32\EqnClass.Dll |Equinox Systems Inc. |25/09/2006 10:51:52
C:\WINDOWS\system32\spxcoins.dll |Perle Systems Ltd. |25/09/2006 10:51:52
C:\WINDOWS\system32\dgsetup.dll |Digi International |25/09/2006 10:51:53
C:\WINDOWS\system32\dgrpsetu.dll |Digi International, Inc. |25/09/2006 10:51:53
C:\WINDOWS\system32\iifgfgf.dll |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\system32\i81xdnt5.dll |Intel Corporation |25/09/2006 10:53:46
C:\WINDOWS\system32\IMF32.DLL |Zenographics, Inc. |04/12/2002 20:54:34
C:\WINDOWS\system32\hpzidr12.dll |HP |09/10/2002 11:42:42
C:\WINDOWS\system32\hppadt40.dll |HP |14/08/2002 13:34:50
C:\WINDOWS\system32\ZSPOOL.DLL |Zenographics, Inc. |09/07/2001 22:40:30
C:\WINDOWS\system32\ZTAG32.DLL |Zenographics, Inc. |10/12/2002 18:17:02
C:\WINDOWS\system32\HPBMMON.DLL |Hewlett-Packard |19/08/2002 23:50:30
C:\WINDOWS\system32\hticons.dll |Hilgraeve, Inc. |26/09/2006 11:10:06
C:\WINDOWS\system32\HPDOMON.DLL |Hewlett-Packard |23/03/2000 13:25:16
C:\WINDOWS\system32\HPBHEALR.DLL |COMPANY |31/07/2001 11:17:12
C:\WINDOWS\system32\vshp1020.dll |COMPANY |19/02/2007 13:33:08
C:\WINDOWS\system32\zlm.dll |Zenographics, Inc. |19/02/2007 13:33:09
C:\WINDOWS\system32\hppamon0.dll |HP |14/08/2002 13:34:58
C:\WINDOWS\system32\hppapml0.dll |HP |14/08/2002 13:34:52
C:\WINDOWS\system32\hppapts0.dll |HP |14/08/2002 13:34:54
C:\WINDOWS\system32\hppasnm0.dll |HP |14/08/2002 13:34:58
C:\WINDOWS\system32\hpzipr12.dll |HP |09/10/2002 11:41:22
C:\WINDOWS\system32\hpzipt12.dll |HP |01/08/2002 10:17:42
C:\WINDOWS\system32\isrdbg32.dll |Intel Corporation |26/09/2006 11:12:49
C:\WINDOWS\system32\hpzisn12.dll |HP |01/08/2002 10:17:46
C:\WINDOWS\system32\HPJCMN2U.DLL |Hewlett-Packard |06/06/2000 18:27:08
C:\WINDOWS\system32\HPJIPX1U.DLL |Hewlett-Packard |06/06/2000 18:27:08
C:\WINDOWS\system32\hpbmiapi.dll |Hewlett-Packard |30/04/2002 17:41:54
C:\WINDOWS\system32\ZLhp1020.dll |Zenographics, Inc. |19/02/2007 13:33:09
C:\WINDOWS\system32\hpboidps.dll |Hewlett-Packard Company |30/04/2002 17:46:20
C:\WINDOWS\system32\hpbprops.dll |Hewlett-Packard Company |30/04/2002 17:47:36
C:\WINDOWS\system32\HPBNRAC2.DLL |Hewlett-Packard |30/04/2002 17:43:06
C:\WINDOWS\system32\d4channel.dll |Hewlett-Packard |16/10/2002 23:49:08
C:\WINDOWS\system32\hpbmmjno.dll |Hewlett-Packard |03/09/2002 10:58:50
C:\WINDOWS\system32\ltkrn13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:16
C:\WINDOWS\system32\SD32.DLL |Zenographics, Inc. |13/01/2003 11:02:46
C:\WINDOWS\system32\ZGDI32.DLL |Zenographics, Inc. |09/07/2002 13:57:28
C:\WINDOWS\system32\ltfil13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:16
C:\WINDOWS\system32\ltdis13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:16
C:\WINDOWS\system32\ltimg13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:16
C:\WINDOWS\system32\lfbmp13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:16
C:\WINDOWS\system32\lfcmp13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:16
C:\WINDOWS\system32\ltefx13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:16
C:\WINDOWS\system32\lfgif13n.dll |LEAD Technologies, Inc. |20/02/2007 14:58:17
C:\WINDOWS\system32\hypertrm.dll |Hilgraeve, Inc. |17/11/2004 18:57:01

Volume in drive C has no label.
Volume Serial Number is F8D8-EF1D

Directory of C:\WINDOWS\system32

10/11/2001 01:30 PM 4,096 csrss.exe
1 File(s) 4,096 bytes
0 Dir(s) 3,873,390,592 bytes free

Contents of Downloaded Program Files
Volume in drive C has no label.
Volume Serial Number is F8D8-EF1D

Directory of C:\WINDOWS\Downloaded Program Files

09/26/2006 11:14 AM <DIR> .
09/26/2006 11:14 AM <DIR> ..
09/26/2006 11:14 AM 65 desktop.ini
10/14/1997 06:52 PM 697 DirectAnimation Java Classes.osd
06/22/2006 11:41 AM 5,032 swflash.inf
08/11/2004 02:22 AM 3,036 wmv9dmo.inf
11/18/2004 10:49 AM 77,824 sdd.dll
05/26/2005 04:19 AM 293 muweb.inf
05/26/2005 04:19 AM 291 wuweb.inf
09/22/2004 03:59 PM 110,592 PURen-us.dll
10/08/2004 04:01 PM 372,736 MsnPUpld.dll
10/08/2004 04:13 PM 587 MSNPupld.inf
10/15/2004 08:01 AM 110,592 PURit-xx.dll
01/20/2000 03:25 PM 1,162 Microsoft XML Parser for Java.osd
06/25/2003 07:00 PM 541 ca.pub
01/17/2006 05:11 PM 580,663 daas_s.dll
02/03/2006 11:20 AM 188,416 fsauc.dll
06/16/2006 03:31 PM 181,856 fscax.dll
06/15/2006 10:19 AM 483 fscax.inf
05/31/2006 04:15 AM 10 oscan81.ocx_x
02/18/2005 04:22 PM 126 live.ini
03/09/2005 03:43 PM 6,828 scanoptions.tsi
03/09/2005 03:42 PM 6,742 lang.ini
03/01/2005 02:08 PM 53,248 ipsupd.dll
03/01/2005 02:08 PM 118,784 bdupd.dll
12/07/2004 04:07 PM 32 libfn.dll
12/07/2004 04:07 PM 32 bdcore.dll
06/01/2006 02:54 AM 471,040 oscan8.ocx
06/01/2006 02:57 AM 1,331 oscan8.inf
01/07/2007 11:55 AM 2,305 kavwebscan.inf
28 File(s) 2,295,344 bytes

Total Files Listed:
28 File(s) 2,295,344 bytes
2 Dir(s) 3,873,390,592 bytes free

Volume in drive C has no label.
Volume Serial Number is F8D8-EF1D

Directory of C:\Program Files

09/25/2006 10:52 AM <DIR> .
09/25/2006 10:52 AM <DIR> ..
09/25/2006 10:52 AM <DIR> Common Files
09/26/2006 11:09 AM <DIR> Windows NT
09/26/2006 11:09 AM <DIR> MSN
09/26/2006 11:10 AM <DIR> MSN Gaming Zone
09/26/2006 11:10 AM <DIR> Messenger
09/26/2006 11:10 AM <DIR> Windows Media Player
09/26/2006 11:10 AM <DIR> Online Services
09/26/2006 11:10 AM <DIR> ComPlus Applications
09/26/2006 11:12 AM <DIR> Internet Explorer
09/26/2006 11:12 AM <DIR> Outlook Express
09/26/2006 11:12 AM <DIR> NetMeeting
09/26/2006 11:12 AM <DIR> Movie Maker
09/26/2006 11:17 AM <DIR> microsoft frontpage
09/26/2006 11:17 AM <DIR> xerox
09/28/2006 03:51 PM <DIR> Grisoft
09/26/2006 11:29 AM <DIR> MyApp
09/26/2006 11:49 AM <DIR> Kaspersky Lab
09/26/2006 12:14 PM <DIR> WinRAR
09/26/2006 12:22 PM <DIR> Microsoft Office
09/26/2006 12:23 PM <DIR> Microsoft ActiveSync
09/26/2006 12:37 PM <DIR> Adobe
09/29/2006 07:16 PM <DIR> Yahoo!
10/02/2006 08:10 AM <DIR> ATnotes
10/13/2006 01:41 PM <DIR> PDF2TXT v3.0
10/13/2006 01:41 PM <DIR> PDF2Word v1.4
10/18/2006 09:47 AM <DIR> Java
10/10/2006 12:19 PM <DIR> Investintech.com Inc
10/18/2006 09:52 AM <DIR> Google
02/19/2007 01:33 PM <DIR> Hewlett-Packard
02/19/2007 03:17 PM <DIR> True Sword 4
03/15/2007 10:25 AM <DIR> HijackThis
03/26/2007 09:15 AM <DIR> Lavasoft
03/27/2007 08:14 AM <DIR> CleanUp!
0 File(s) 0 bytes
35 Dir(s) 3,873,128,448 bytes free
c:\Documents and Settings\Oveis\Desktop\CleanUp451.exe
c:\Documents and Settings\Oveis\Desktop\HijackThis.exe
c:\Documents and Settings\Oveis\Desktop\smitRem.exe
c:\Documents and Settings\Oveis\Desktop\oveis\Backup desktop\file utili Desktop\words\197fwin.exe
c:\Documents and Settings\Oveis\Desktop\oveis\Backup desktop\file utili Desktop\words\MEANINGS.EXE
c:\Documents and Settings\Oveis\Desktop\oveis\Backup desktop\file utili Desktop\words\WORDS.EXE
c:\Documents and Settings\Oveis\Desktop\chercher\FilesInfoCmd.exe
c:\Documents and Settings\Oveis\Desktop\chercher\LFiles.exe
c:\Documents and Settings\Oveis\Desktop\smitRem\dumphive.exe
c:\Documents and Settings\Oveis\Desktop\smitRem\getsts.exe
c:\Documents and Settings\Oveis\Desktop\smitRem\Process.exe
c:\Documents and Settings\Oveis\Desktop\smitRem\pv.exe
c:\Documents and Settings\Oveis\Desktop\smitRem\swreg.exe
c:\Documents and Settings\Oveis\Desktop\Anti viruses\avgas-setup-7.5.0.50.exe
c:\Documents and Settings\Oveis\Desktop\Anti viruses\ComboFix.exe
c:\Documents and Settings\Oveis\Desktop\Anti viruses\mwav.exe
c:\Documents and Settings\Oveis\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_en_US.exe
c:\Documents and Settings\All Users\Application Data\Kaspersky Lab\Kaspersky Online Scanner\bases\avcmhk4.dll

Checking some keys
Searching for EGDACCESS keys

HKLM\SOFTWARE\Microsoft\Windows\explorer\SharedTaskScheduler
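The chercher listing RichieUK asked for in #14 and which is posted above is raw material, not a verdict: chercher prints the literal word COMPANY where a file carries no CompanyName version resource, so that column alone proves nothing (many of XP's own DOS-compatibility binaries show it too). What an analyst scans for first is several such unattributed files written in the very same second, on a day that is neither the XP media date nor the machine's install day, because that pattern means one installer dropped them together. The Python script below is an added example, not part of this thread and not code from chercher or smitRem. It parses lines in chercher's `path |company |dd/mm/yyyy hh:mm:ss` format, groups them by write second and reports every all-unattributed group dated outside an analyst-supplied baseline. The sample lines are constructed from the format of the listing above, and the baseline dates (the 11/10/2001 XP file time and the 25/26-09-2006 install days read off the Program Files directory dates) are an assumption you would adjust per machine. Run on the sample, it surfaces the six-file cluster stamped 20/03/2007 13:58:12; what those files are is still for the analyst to establish.

```python
"""Triage of a chercher-style file listing by write-time clustering.

chercher prints one line per executable/DLL as
    <path> |<CompanyName from the version resource> |dd/mm/yyyy hh:mm:ss
and substitutes the literal placeholder "COMPANY" when the file carries no
CompanyName at all.  Several unattributed binaries written in the same
second, on a day that is neither the OS media date nor an install day, were
almost certainly dropped together, so they deserve a second look.

Added example, not part of chercher or the thread.  The sample lines are
constructed from the listing's format; the baseline dates are an assumption
the analyst supplies.
"""
from collections import defaultdict
from datetime import date, datetime

# chercher's marker for "no CompanyName resource"; an empty field is treated the same way.
PLACEHOLDER_COMPANIES = {"COMPANY", ""}

# Assumption: XP RTM file time (11/10/2001) plus the two install days visible
# in the Program Files directory dates of the listing (25-26/09/2006).
BASELINE_DATES = {date(2001, 10, 11), date(2006, 9, 25), date(2006, 9, 26)}

# Constructed sample in the same line format as chercher's output; the stray
# "Volume in drive C" line mimics the dir-command chatter the parser must skip.
SAMPLE_LISTING = r"""
C:\WINDOWS\twunk_16.exe |Twain Working Group |11/10/2001 13:30:00
C:\WINDOWS\ARMIN.EXE |ArminSHS |26/09/2006 11:29:48
C:\WINDOWS\logo1_.exe |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\zts2.exe |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\rundll16.exe |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\rundl132.dll |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\system32\append.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\debug.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\dosx.exe |COMPANY |11/10/2001 13:30:00
C:\WINDOWS\system32\CMMGR32.EXE |COMPANY |20/03/2007 15:07:51
C:\WINDOWS\system32\devenum.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\amstream.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\quartz.dll |COMPANY |26/09/2006 11:38:30
C:\WINDOWS\system32\vcmgcd32.dll |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\system32\iifgfgf.dll |COMPANY |20/03/2007 13:58:12
C:\WINDOWS\system32\zshp1020.exe |COMPANY |19/02/2007 13:33:08
C:\WINDOWS\system32\vshp1020.dll |COMPANY |19/02/2007 13:33:08
C:\WINDOWS\system32\java.exe |Sun Microsystems, Inc. |22/12/2006 08:17:19
Volume in drive C has no label.
"""


def parse_listing(text):
    """Return [(path, company, datetime)] for every well-formed listing line;
    directory headers and other chatter are skipped."""
    rows = []
    for line in text.splitlines():
        if line.count("|") != 2:
            continue
        path, company, stamp = (part.strip() for part in line.split("|"))
        try:
            when = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")
        except ValueError:
            continue
        rows.append((path, company, when))
    return rows


def suspicious_clusters(rows, baseline_dates=BASELINE_DATES, min_size=3):
    """Group files by exact write second and keep the groups that
    (a) have at least min_size members, (b) consist only of files with no
    CompanyName, and (c) fall on a day outside the baseline.
    Returns {datetime: sorted list of paths}, oldest cluster first."""
    by_second = defaultdict(list)
    for path, company, when in rows:
        by_second[when].append((path, company))
    hits = {}
    for when, members in sorted(by_second.items()):
        if when.date() in baseline_dates or len(members) < min_size:
            continue
        if all(company in PLACEHOLDER_COMPANIES for _, company in members):
            hits[when] = sorted(path for path, _ in members)
    return hits


def triage(text, baseline_dates=BASELINE_DATES):
    """One-call helper: parse the listing and return the report as lines."""
    report = []
    for when, paths in suspicious_clusters(parse_listing(text), baseline_dates).items():
        report.append(f"{len(paths)} unattributed files written at {when:%d/%m/%Y %H:%M:%S}:")
        report.extend(f"    {p}" for p in paths)
    return report


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LISTING)) or "no clusters flagged")
```

Lowering `min_size` to 2 also surfaces the pair stamped 19/02/2007 13:33:08, the same day as the Hewlett-Packard folder appeared in Program Files, which is why the baseline should be extended with every software install day the user can vouch for before trusting the shorter list.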



