|
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
hi, i'm on my bórothers pc, hés being havung problems with some trojan horses that avg keeps finding but cannot get rid of, the problem probably came from msn, as soon as he opens msn an instant message is sent to all his contacts saying that there fotos are on a website ecc. and then the pc freezes or reboots. here is the hjt log, please someone take a look.
Logfile of HijackThis v1.99.1
Scan saved at 18.09.20, on 10/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\whsyst32.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\xp_0233.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\services.exe
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\services.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSNCleaner] C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\Rar$EX00.266\MSNCleaner.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Programmi\CarbonPoker\Poker.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
|
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
Please download ComboFix from either of these two locations
BleepingComputerComboFix
geeks to go combofix
* Double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post back with the log from ComboFix and a new HJT log please.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
 
A computer once beat me at chess, but it was no match for me at kick boxing. 
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
ok here is my combofix log:
ComboFix 08-03-10.1 - gianmaria 2008-03-11 12.21.12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.224 [GMT 1:00]
Eseguito da: F:\file di installazione\ComboFix.exe
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section non completata
((((((((((((((((((((((((( Files Creati Da 2008-02-11 al 2008-03-11 )))))))))))))))))))))))))))))))))))
.
2008-03-06 12:38 . 2008-03-06 12:38 10,240 --a------ C:\Documents and Settings\gianmaria\bawyew.exe
2008-03-05 18:05 . 2008-03-05 18:05 10,240 --a------ C:\Documents and Settings\gianmaria\ceuayw.exe
2008-03-05 15:19 . 2008-03-05 15:20 150 --a------ C:\WINDOWS\system32\DelReboot
2008-03-05 14:52 . 2008-03-05 14:50 10,240 --a------ C:\WINDOWS\whsyst32.exe
2008-03-05 12:25 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-03-05 12:23 . 2008-03-05 12:23 <DIR> d-------- C:\Programmi\Microsoft SQL Server Compact Edition
2008-03-05 12:14 . 2008-03-05 12:18 <DIR> d--hsc--- C:\Programmi\File comuni\WindowsLiveInstaller
2008-02-24 11:08 . 2008-03-05 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 11:13 --------- d-----w C:\Documents and Settings\gianmaria\Dati applicazioni\AVG7
2008-03-10 17:09 --------- d-----w C:\Programmi\hjt
2008-03-05 11:39 --------- d-----w C:\Programmi\Windows Live
2008-03-05 11:07 --------- d-----w C:\Programmi\MSN Messenger
2008-03-05 11:03 --------- d-----w C:\Programmi\AC3Filter
2008-03-03 19:58 --------- d-----w C:\Programmi\eMule
2008-02-05 16:55 --------- d-----w C:\Documents and Settings\gianmaria\Dati applicazioni\Skype
2008-01-16 17:06 --------- d-----w C:\Programmi\Winamp
2006-06-14 10:53 29,184 ----a-w C:\WINDOWS\inf\usbccid.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSNCleaner"="C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\Rar$EX00.266\MSNCleaner.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:59 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"!AVG Anti-Spyware"="C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-02 12:04 6731312]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Flash Media"="C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\services.exe" [2008-03-04 13:38 64156]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:39 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 10:25 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"5E39J1V19L"= C:\WINDOWS\whsyst32.exe
"update32"= C:\WINDOWS\lwsys32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:\\DOCUME~1\\GIANMA~1\\IMPOST~1\\Temp\\services.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
R3 AN983;Scheda ADMtek 10/100Mbps Fast Ethernet AN983/AN985/ADM951X;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4ccf9ba-9822-11dc-9ad5-00045a79c5c2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infocamere\bkmlauncher.exe
\Shell\ICBK\command - H:\infocamere\bkmlauncher.exe
.
Contenuto della cartella 'Scheduled Tasks'
"2008-02-29 16:24:28 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Programmi\XoftSpy\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 12:21:55
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
? [1916]
? [1932]
? [1952]
? [1984]
? [2012]
? [208]
? [216]
? [2500]
? [3396]
? [2944]
? [248]
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-03-11 12.23.34
.
2008-03-05 12:44:50 --- E O F ---
and here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12.26.37, on 11/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\lwsys32.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\services.exe
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSNCleaner] C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\Rar$EX00.266\MSNCleaner.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Programmi\CarbonPoker\Poker.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Quote:
Killall::
File::
C:\Documents and Settings\gianmaria\bawyew.exe
C:\Documents and Settings\gianmaria\ceuayw.exe
C:\WINDOWS\whsyst32.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"update32"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please and
let me know how it is running.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
as soon as i dragged the the txt file over te combofix icon combofix started , once it finished it rebooted alone and createeed the tx t file here it is:
ComboFix 08-03-10.1 - gianmaria 2008-03-12 18:38:29.2 - NTFSx86
Eseguito da: C:\Documents and Settings\gianmaria\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gianmaria\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\gianmaria\bawyew.exe
C:\Documents and Settings\gianmaria\ceuayw.exe
C:\WINDOWS\whsyst32.exe
.
((((((((((((((((((((((((( Files Creati Da 2008-02-12 al 2008-03-12 )))))))))))))))))))))))))))))))))))
.
2008-03-05 15:19 . 2008-03-05 15:20 150 --a------ C:\WINDOWS\system32\DelReboot
2008-03-05 12:25 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-03-05 12:23 . 2008-03-05 12:23 <DIR> d-------- C:\Programmi\Microsoft SQL Server Compact Edition
2008-03-05 12:14 . 2008-03-05 12:18 <DIR> d--hsc--- C:\Programmi\File comuni\WindowsLiveInstaller
2008-02-24 11:08 . 2008-03-05 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 17:00 --------- d-----w C:\Documents and Settings\gianmaria\Dati applicazioni\AVG7
2008-03-11 11:26 --------- d-----w C:\Programmi\hjt
2008-03-05 11:39 --------- d-----w C:\Programmi\Windows Live
2008-03-05 11:07 --------- d-----w C:\Programmi\MSN Messenger
2008-03-05 11:03 --------- d-----w C:\Programmi\AC3Filter
2008-03-03 19:58 --------- d-----w C:\Programmi\eMule
2008-02-05 16:55 --------- d-----w C:\Documents and Settings\gianmaria\Dati applicazioni\Skype
2008-01-16 17:06 --------- d-----w C:\Programmi\Winamp
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:59 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"!AVG Anti-Spyware"="C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-02 12:04 6731312]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Flash Media"="C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\services.exe" [2008-03-04 13:38 64156]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:39 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 10:25 219136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"5E39J1V19L"= C:\WINDOWS\whsyst32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:\\DOCUME~1\\GIANMA~1\\IMPOST~1\\Temp\\services.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
R3 AN983;Scheda ADMtek 10/100Mbps Fast Ethernet AN983/AN985/ADM951X;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4ccf9ba-9822-11dc-9ad5-00045a79c5c2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infocamere\bkmlauncher.exe
\Shell\ICBK\command - H:\infocamere\bkmlauncher.exe
.
Contenuto della cartella 'Scheduled Tasks'
"2008-02-29 16:24:28 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Programmi\XoftSpy\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 18:46:09
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
? [1232]
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
.
**************************************************************************
.
Ora fine scansione: 2008-03-12 18:48:30 - machine was rebooted [gianmaria]
ComboFix2.txt 2008-03-11 11:23:35
.
2008-03-05 12:44:50 --- E O F ---
here is my new hjt log, it seeme all the same to me:
Logfile of HijackThis v1.99.1
Scan saved at 18.54.28, on 12/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\GIANMA~1\IMPOST~1\Temp\services.exe
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Programmi\CarbonPoker\Poker.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
I need you to submit a file to check for malware.
Go to :-
http://virusscan.jotti.org/
Use the Browse button at the top to navigate to this file's location on your hard drive and submit it.
H:\infocamere\bkmlauncher.exe
copy and post the results back here.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
when i browse in jottti virusscan, i do not have h: i am not sure but infocamere should not be malware, it's a buisness key used to trasmit data to the camera di commercio(sorry but don't know how to translate that). however, when i turned on the pc today, i got a messagge sayiong that wqbfsc.exe hqad to be terminated. in addition, when avg runs, it immediately gives a services.exe reading error and now it found winsyn32.dll trojan
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
Quote:
t's a buisness key used to trasmit data to the camera di commercio
is this computer is used for your business.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
no this pc is not used for business, it's my brothers computer, the business key was used once because he has a 2.0 usb. the commercialist told me that the key did not work, so i tried on mine and it didi not work, then i tried on my brothers and it worked, therefore i came to the conclusion that it needed a 2.0 usb.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
here is the mbam log:
Malwarebytes' Anti-Malware 1.08
Versione del database: 490
Tipo di scansione: Scansione rapida
Elementi scansionati: 26234
Tempo trascorso: 13 minute(s), 54 second(s)
Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 1
Elementi dato del registro infetti: 1
Cartelle infette: 0
File infetti: 1
Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)
Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)
Chiavi di registro infette:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flash Media (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Heuristic.Reserved.Word.Exploit) -> Data: c:\docume~1\gianma~1\impost~1\temp\services.exe -> Delete on reboot.
Cartelle infette:
(Nessun elemento malevolo rilevato)
File infetti:
C:\Documents and Settings\gianmaria\Impostazioni locali\Temp\services.exe (Heuristic.Reserved.Word.Exploit) -> Delete on reboot.
don't know if you needed it but here is the new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12.20.26, on 14/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\programmi\Malwarebytes' Anti-Malware\mbam.exe
C:\Programmi\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Programmi\CarbonPoker\Poker.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
how is it running now ?
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
pc seems to being going well, the problem wtih the services.exe does not appear anymore in avg. even msn seems to be working. yesterday though avg didi encounter another threat in system volume information, but today iti didi not. i empteied out the vault in avg which contained 14 entries. if something should happen, i will post again. thanks
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
DISABLE SYSTEM RESTORE
To flush out infected restore points.
Then restart your system restore.(same page).then create a new restore point :-
click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. click on "create new restore point"
click on NEXT and follow the prompts.
this is to ensure that if you have to do a system restore in the future that you don't get all the infections reinstalled again.
Then :-
Download and scan with CCleaner - Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
- Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Then select "Cookies"
Move any cookies you wish to retain, e.g. login cookies, in the left-hand window to the right-hand window by highlighting them and clicking the right arrow in the centre.
- Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.
In the Applications Tab:
• Clean all entries in the Mozilla Firefox Section.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.
- Click the "Run Cleaner" button.
- A pop up box will appear advising this process will permanently delete files from your system.
- Click "OK" and it will scan and clean your system.
- Click "exit" when done.
then DEFRAG your C:\ drive.
to help speed up your system.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
before running the ccleaner, avg found some other infections. trojan horse sheur in c_:windows\lwsys32 and 5 trojan hore generic 9 in c:\system volume information\_restore.... here is my hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12.08.36, on 17/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\Sitecom\IVT BlueSoleil\BlueSoleil.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Programmi\CarbonPoker\Poker.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\Sitecom\IVT BlueSoleil\BTNtService.exe
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28276
Loc: belfast
|
|
can you post a fresh combofix log.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
checcocalle
regular
Reg'd: Wed
Posts: 78
|
|
ComboFix 08-03-10.1 - gianmaria 2008-03-17 14.53.08.3 - NTFSx86
Eseguito da: F:\file di installazione\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Creati Da 2008-02-17 al 2008-03-17 )))))))))))))))))))))))))))))))))))
.
2008-03-15 11:17 . 2008-03-15 11:17 268 --ah----- C:\sqmdata10.sqm
2008-03-15 11:17 . 2008-03-15 11:17 244 --ah----- C:\sqmnoopt10.sqm
2008-03-14 13:42 . 2008-03-14 13:42 268 --ah----- C:\sqmdata09.sqm
2008-03-14 13:42 . 2008-03-14 13:42 244 --ah----- C:\sqmnoopt09.sqm
2008-03-14 12:12 . 2008-03-14 12:12 172 --ah----- C:\sqmnoopt08.sqm
2008-03-14 12:12 . 2008-03-14 12:12 172 --ah----- C:\sqmdata08.sqm
2008-03-14 11:56 . 2008-03-14 11:56 <DIR> d-------- C:\Documents and Settings\gianmaria\Dati applicazioni\Malwarebytes
2008-03-14 11:55 . 2008-03-14 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-03-14 11:41 . 2008-03-14 11:41 268 --ah----- C:\sqmdata07.sqm
2008-03-14 11:41 . 2008-03-14 11:41 244 --ah----- C:\sqmnoopt07.sqm
2008-03-13 20:15 . 2008-03-13 20:15 244 --ah----- C:\sqmnoopt06.sqm
2008-03-13 20:15 . 2008-03-13 20:15 232 --ah----- C:\sqmdata06.sqm
2008-03-13 11:25 . 2008-03-13 11:25 10,240 --a------ C:\Documents and Settings\gianmaria\wqbfsc.exe
2008-03-05 15:19 . 2008-03-05 15:20 150 --a------ C:\WINDOWS\system32\DelReboot
2008-03-05 12:25 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-03-05 12:23 . 2008-03-05 12:23 <DIR> d-------- C:\Programmi\Microsoft SQL Server Compact Edition
2008-03-05 12:14 . 2008-03-05 12:18 <DIR> d--hsc--- C:\Programmi\File comuni\WindowsLiveInstaller
2008-02-24 11:08 . 2008-03-05 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 11:08 --------- d-----w C:\Programmi\hjt
2008-03-17 10:57 --------- d-----w C:\Documents and Settings\gianmaria\Dati applicazioni\AVG7
2008-03-16 11:10 --------- d-----w C:\Programmi\eMule
2008-03-14 11:37 --------- d-----w C:\Programmi\Windows Live
2008-03-05 11:07 --------- d-----w C:\Programmi\MSN Messenger
2008-03-05 11:03 --------- d-----w C:\Programmi\AC3Filter
2008-02-05 16:55 --------- d-----w C:\Documents and Settings\gianmaria\Dati applicazioni\Skype
2006-06-14 10:53 29,184 ----a-w C:\WINDOWS\inf\usbccid.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:59 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"!AVG Anti-Spyware"="C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-02 12:04 6731312]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:39 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 10:25 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"5E39J1V19L"= C:\WINDOWS\whsyst32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
R3 AN983;Scheda ADMtek 10/100Mbps Fast Ethernet AN983/AN985/ADM951X;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4ccf9ba-98 |
Previous
Index
Next
Threaded
Edit
Reply
Quote
