hello there..

I have almost the same problem than http://forums.spybot.info/showthread.php?t=10152

basically both Spybot and Avast executables are deleted and prevented to created during the installation...


don't know if could have to do with that, but on startup this iexplore.exe error (crash) window always shows:

http://img180.imageshack.us/img180/484/erroriezv6.th.png (http://img180.imageshack.us/my.php?image=erroriezv6.png)

what should I do? please tell me if any log is needed... :spider:

Hi kiwidesign and welcome to the Forums :)

Please post a HijackThis log to here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

here it is :)
thanks!


Logfile of HijackThis v1.99.1
Scan saved at 1.02.46, on 29/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Hide Folder 3.0\HF30Service.exe
C:\Programmi\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hldrrr.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Extensis\Suitcase 9.2\Suitcase.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Soulseek\slsk.exe
C:\Programmi\Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Programmi\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programmi\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Strumenti di SMART Board.lnk.disabled
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica selezionati da Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica sito web con Free Download Manager - file://C:\Programmi\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128453485248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128606071765
O17 - HKLM\System\CCS\Services\Tcpip\..\{A43E473A-3BFE-480A-BE7D-4014E4D45C72}: NameServer = 85.37.17.15 85.38.28.74
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: HF30Service - Unknown owner - C:\Programmi\Hide Folder 3.0\HF30Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Programmi\SMART Board Software\SMARTBoardService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe

Ok you're infected...

Generate a HijackThis Startup list:
Open HijackThis: Click on "Open the Misc Tools Section"
Check the following boxes to the right of "Generate StartupList Log": List also minor sections (Full)
List empty sections (Complete)
Click "Generate StartupListLog"
Click "Yes" at the prompt.
A Notepad window will open with the contents of the HijackThis Startup list displayed
Copy & Paste that log to here

:bigthumb:

poor little infected windows...


here 1st part of the report:

StartupList report, 29/01/2007, 14.36.32
StartupList version: 1.52.2
Started from : C:\Programmi\Tools\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Hide Folder 3.0\HF30Service.exe
C:\Programmi\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hldrrr.exe
C:\Programmi\Extensis\Suitcase 9.2\Suitcase.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Tools\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\LORENZO\Menu Avvio\Programmi\Esecuzione automatica]
Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica]
Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Strumenti di SMART Board.lnk.disabled
Suitcase Startup.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ATICCC = "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\Programmi\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Programmi\iTunes\iTunesHelper.exe"
SoundMan = SOUNDMAN.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

STYLEXP = C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*No subkeys found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

...2nd....


--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Editor del Registro di sistema'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
SMART Notebook Download Plugin - C:\Programmi\SMART Board Software\NotebookPlugin.dll - {67BCF957-85FC-4036-8DC4-D4D80E00A77B}
(no name) - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
TGTSoft Explorer Toolbar Changer - C:\Programmi\TGTSoft\StyleXP\TGT_BHO.dll - {C333CF63-767F-4831-94AC-E683D962C63C}
(no name) - C:\Programmi\Free Download Manager\iefdmcks.dll - {CC59E0F9-7E43-44FA-9FAA-8377850BF205}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128453485248

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128606071765

[Java Plug-in]
InProcServer32 = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

...and last part :bigthumb:


--------------------------------------------------

Enumerating Windows NT/2000/XP services

Driver ACPI Microsoft: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Eliminatore di eco acustico del kernel Microsoft: system32\drivers\aec.sys (manual start)
Ambiente supporto di rete AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN): System32\DRIVERS\alcan5wn.sys (manual start)
Alcatel Speed Touch ADSL Modem ATM Transport: System32\DRIVERS\alcaudsl.sys (manual start)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Avvisi: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Servizio Gateway di livello applicazione: %SystemRoot%\System32\alg.exe (manual start)
AnyDVD: System32\Drivers\AnyDVD.sys (manual start)
Gestione applicazione: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Protocollo client ARP 1394: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "C:\Programmi\Avast4\aswUpdSv.exe" (disabled)
Driver per supporti asincroni RAS: System32\DRIVERS\asyncmac.sys (manual start)
Controller disco rigido IDE/ESDI standard: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (disabled)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
Protocollo client ARP ATM: System32\DRIVERS\atmarpc.sys (manual start)
Audio Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Driver stub audio: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Programmi\Avast4\ashServ.exe" (disabled)
avast! Mail Scanner: "C:\Programmi\Avast4\ashMaiSv.exe" /service (disabled)
avast! Web Scanner: "C:\Programmi\Avast4\ashWebSv.exe" /service (disabled)
Servizio trasferimento intelligente in background: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BootScreen: \SystemRoot\System32\drivers\vidstub.sys (system)
Browser di computer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Driver del CD-ROM: System32\DRIVERS\cdrom.sys (system)
Servizio di indicizzazione: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Applicazione di sistema COM+: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Servizi di crittografia: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d347bus: System32\DRIVERS\d347bus.sys (system)
d347prt: System32\Drivers\d347prt.sys (system)
Client DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Driver del disco: System32\DRIVERS\disk.sys (system)
Servizio amministrativo di Gestione disco logico: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Driver Gestione dischi logici: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Gestione dischi logici: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sintetizzatore DLS Microsoft Kernel: system32\drivers\DMusic.sys (manual start)
Client DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Decodificatore audio DRM del kernel Microsoft: system32\drivers\drmkaud.sys (manual start)
3Com Fast EtherLink ISA Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
ElbyCDFL: System32\Drivers\ElbyCDFL.sys (manual start)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
ElbyDelay: System32\Drivers\ElbyDelay.sys (manual start)
Servizio di segnalazione errori: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Registro eventi: %SystemRoot%\system32\services.exe (autostart)
Sistema di eventi COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Compatibilità di Cambio rapido utente: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Driver controller disco floppy: System32\DRIVERS\fdc.sys (manual start)
Driver disco floppy: System32\DRIVERS\flpydisk.sys (manual start)
Driver archiviazione volumi: System32\DRIVERS\ftdisk.sys (system)
Enumeratore porta giochi: System32\DRIVERS\gameenum.sys (manual start)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Utilità di classificazione pacchetti generica: System32\DRIVERS\msgpc.sys (manual start)
Guida in linea e supporto tecnico: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HF30Kbd: \??\C:\Programmi\Hide Folder 3.0\HF30Kbd2K.sys (manual start)
HF30Service: C:\Programmi\Hide Folder 3.0\HF30Service.exe (autostart)
HF30Sys: \??\C:\Programmi\Hide Folder 3.0\HF30XP.sys (autostart)
Accesso periferica Human Interface: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Driver di classe HID Microsoft: System32\DRIVERS\hidusb.sys (manual start)
Driver di porta mouse PS/2 e tastiera i8042: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
Driver filtro masterizzazione CD: System32\DRIVERS\imapi.sys (system)
Servizio COM di masterizzazione CD IMAPI: C:\WINDOWS\System32\imapi.exe (manual start)
Driver filtro traffico IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Driver tunnel IP in IP: System32\DRIVERS\ipinip.sys (manual start)
Traduttore indirizzi di rete IP: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Programmi\iPod\bin\iPodService.exe" (manual start)
Driver IPSEC: System32\DRIVERS\ipsec.sys (system)
Servizio enumeratore infrarossi: System32\DRIVERS\irenum.sys (manual start)
Driver bus PnP ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Driver classe tastiera: System32\DRIVERS\kbdclass.sys (system)
Mixer wave audio del kernel Microsoft: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Helper NetBIOS di TCP/IP: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Condivisione desktop remoto di NetMeeting: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Driver classe mouse: System32\DRIVERS\mouclass.sys (system)
Driver di mouse HID: System32\DRIVERS\mouhid.sys (manual start)
Redirector del client WebDav: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Proxy di servizio di flusso Microsoft: system32\drivers\MSKSSRV.sys (manual start)
Proxy clock di flusso Microsoft: system32\drivers\MSPCLOCK.sys (manual start)
Proxy di gestione qualità di flusso Microsoft: system32\drivers\MSPQM.sys (manual start)
Empty: \??\C:\Documents and Settings\LORENZO\Dati applicazioni\hidires\m_hook.sys (manual start)
Driver TAPI NDIS di accesso remoto: System32\DRIVERS\ndistapi.sys (manual start)
Protocollo I/O modalità utente su NDIS: System32\DRIVERS\ndisuio.sys (disabled)
Driver WAN NDIS di accesso remoto: System32\DRIVERS\ndiswan.sys (manual start)
Interfaccia NetBIOS: System32\DRIVERS\netbios.sys (system)
NetBios su Tcpip: System32\DRIVERS\netbt.sys (system)
DDE di rete: %SystemRoot%\system32\netdde.exe (manual start)
DDE DSDM di rete: %SystemRoot%\system32\netdde.exe (manual start)
Accesso rete: %SystemRoot%\System32\lsass.exe (manual start)
Connessioni di rete: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
NLA (Network Location Awareness): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Provider supporto protezione LM NT: %SystemRoot%\System32\lsass.exe (manual start)
Archivi rimovibili: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Driver filtro traffico IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Driver inoltratore traffico IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
Host controller VIA OHCI compatibile IEEE 1394: System32\DRIVERS\ohci1394.sys (system)
Office Source Engine: "C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Driver della porta parallela: System32\DRIVERS\parport.sys (manual start)
Driver bus PCI: System32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Microsoft IntelliPoint Filter Driver: System32\DRIVERS\point32.sys (manual start)
Servizi IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Driver processore: System32\DRIVERS\processr.sys (system)
Archiviazione protetta: %SystemRoot%\system32\lsass.exe (autostart)
Utilità di pianificazione pacchetti QoS: System32\DRIVERS\psched.sys (manual start)
Driver Direct Parallel Link: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Driver connessione automatica Accesso remoto: System32\DRIVERS\rasacd.sys (system)
Auto Connection Manager di Accesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Connection Manager di Accesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Driver PPPOE di accesso remoto: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Driver redirector periferica Terminal Server: System32\DRIVERS\rdpdr.sys (manual start)
Driver filtro riproduzione CD-ROM audio digitale: System32\DRIVERS\redbook.sys (system)
Routing e Accesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Registro di sistema remoto: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
RPC Locator: %SystemRoot%\System32\locator.exe (manual start)
RPC (Remote Procedure Call): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Gestione account di protezione (SAM): %SystemRoot%\system32\lsass.exe (autostart)
Helper smart card: %SystemRoot%\System32\SCardSvr.exe (manual start)
smart card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Utilità di pianificazione: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Accesso secondario: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notifica eventi di sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
MAT Serial port driver: System32\DRIVERS\ser2pl.sys (manual start)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Driver della porta seriale: System32\DRIVERS\serial.sys (system)
Firewall della connessione Internet (ICF) / Condivisione connessione Internet (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rilevamento hardware shell: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SMART Board Service: "C:\Programmi\SMART Board Software\SMARTBoardService.exe" (autostart)
Driver filtro USB Sony (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Frazionatore audio del kernel Microsoft: system32\drivers\splitter.sys (manual start)
Spooler di stampa: %SystemRoot%\system32\spoolsv.exe (autostart)
Driver filtro Ripristino configurazione di sistema: System32\DRIVERS\sr.sys (system)
Servizio Ripristino configurazione di sistema: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Servizio di rilevamento SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Acquisizione di immagini di Windows (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
StyleXPHelper: \??\C:\Programmi\TGTSoft\StyleXP\StyleXPHelper.exe (system)
StyleXPService: "C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe" (autostart)
Driver bus software: System32\DRIVERS\swenum.sys (manual start)
Sintetizzatore Wavetable GS kernel Microsoft: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{106CAD38-0C23-45E4-B6B6-13A1983D14ED} (manual start)
Periferica audio di sistema Microsoft Kernel: system32\drivers\sysaudio.sys (manual start)
Avvisi e registri di prestazioni: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telefonia: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Driver protocollo TCP/IP: System32\DRIVERS\tcpip.sys (system)
Driver della periferica terminale: System32\DRIVERS\termdd.sys (system)
Servizi terminal: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Temi: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Manutenzione collegamenti distribuiti client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Driver aggiornamento microcodice: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Host di periferiche Plug and Play universali: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Gruppo di continuità: %SystemRoot%\System32\ups.exe (manual start)
Driver Miniport controller enhanced host USB 2.0 Microsoft: System32\DRIVERS\usbehci.sys (manual start)
Driver hub USB standard Microsoft: System32\DRIVERS\usbhub.sys (manual start)
Driver scanner USB: System32\DRIVERS\usbscan.sys (manual start)
Driver archiviazione di massa USB: System32\DRIVERS\USBSTOR.SYS (manual start)
Driver Miniport Controller Universal Host USB Microsoft: System32\DRIVERS\usbuhci.sys (manual start)
VClone: System32\DRIVERS\VClone.sys (system)
Controller video VGA.: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
viasraid: System32\DRIVERS\viasraid.sys (system)
Copia replicata del volume: %SystemRoot%\System32\vssvc.exe (manual start)
VIA USB Host Controller Lower Filter: \SystemRoot\System32\Drivers\vulfnth.sys (manual start)
VIA USB Roothub Lower Filter: \SystemRoot\System32\Drivers\vulfntr.sys (manual start)
Ora di Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Driver ARP IP di accesso remoto: System32\DRIVERS\wanarp.sys (manual start)
Driver di compatibilità audio Microsoft WINMM WDM: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Strumentazione gestione Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Estensioni driver di Strumentazione gestione Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Scheda WMI Performance: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Aggiornamenti automatici: %systemroot%\system32\svchost.exe -k netsvcs (disabled)
Zero Configuration reti senza fili: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

UpdateManager = C:\Program Files\Common Files\Microsoft Shared\MSEnv\envupd.exe

--------------------------------------------------

End of report, 34.609 bytes
Report generated in 0,219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

:)

Hi :)

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

actually can't have a complete scan:
when the scan starts my PC shutdown...

what can I do? :sad:

OK that's interesting.

Please try to do a scan in safe mode.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run the scan and save the log. Restart to the normal mode and post the log to here.

Let me know :bigthumb:

damn...
can't restart in safe mode: either with "classic" safe mode, with Networking or with Command Prompt, after hitting enter and some paths fastly scrolling down the screen (that's normal), system restarts....


http://img455.imageshack.us/img455/540/muro5mw.gif

Hmm ok...

Let's try this:

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)

firstly know that I installed some time ago Hide Folder (http://www.hide-folder.com/overview/hf_1.html), a program that do what he says (I'm sure that's a safe program)... anyway I unhided everything before the Scan, but maybe some file of the program is in the log... can't know http://img78.imageshack.us/img78/8345/thinkms2.gif


here BlackLight log:


01/30/07 21:29:47 [Info]: BlackLight Engine 1.0.55 initialized
01/30/07 21:29:47 [Info]: OS: 5.1 build 2600 (Service Pack 1)
01/30/07 21:29:47 [Note]: 7019 4
01/30/07 21:29:47 [Note]: 7005 0
01/30/07 21:29:50 [Note]: 7006 0
01/30/07 21:29:50 [Note]: 7011 1588
01/30/07 21:29:50 [Note]: 7026 0
01/30/07 21:29:51 [Note]: 7026 0
01/30/07 21:29:51 [Note]: 7024 3
01/30/07 21:29:51 [Info]: Hidden process: C:\WINDOWS\System32\hldrrr.exe
01/30/07 21:29:51 [Note]: 7024 3
01/30/07 21:29:51 [Info]: Hidden process: C:\WINDOWS\System32\wintems.exe
01/30/07 21:29:56 [Note]: FSRAW library version 1.7.1021
01/30/07 21:29:57 [Info]: Hidden file: c:\Documents and Settings\LORENZO\Dati applicazioni\hidires\hidr.exe
01/30/07 21:29:57 [Note]: 10002 2
01/30/07 21:29:57 [Info]: Hidden file: c:\Documents and Settings\LORENZO\Dati applicazioni\hidires\m_hook.sys
01/30/07 21:29:57 [Note]: 10002 2
01/30/07 21:29:57 [Note]: 10002 3
01/30/07 21:29:57 [Note]: 10002 3
01/30/07 21:29:57 [Note]: 10002 2
01/30/07 21:29:57 [Note]: 10002 2
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\imepaden.hlp
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\imepadsm.dll
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\imepadsv.exe
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\imlang.dll
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\res\PADRS404.DLL
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\res\padrs411.dll
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\res\padrs412.dll
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Info]: Hidden file: c:\WINDOWS\ime\shared\res\padrs804.dll
01/30/07 21:32:18 [Note]: 10002 3
01/30/07 21:32:18 [Note]: 10002 2
01/30/07 21:32:18 [Note]: 10002 2
01/30/07 21:32:34 [Info]: Hidden file: C:\WINDOWS\System32\wintems.exe
01/30/07 21:32:34 [Note]: 10002 2
01/30/07 21:32:34 [Info]: Hidden file: C:\WINDOWS\System32\hldrrr.exe
01/30/07 21:32:34 [Note]: 10002 2


...really many thanks for your interest jak3 :red:

Evening :)

Sorry for the log delay...

You got a rootkit there...

Run Blacklight again. When the scan is ready, select the following and hit Rename (you need to do this to all files one by one):
C:\WINDOWS\System32\hldrrr.exe
C:\WINDOWS\System32\wintems.exe
C:\Documents and Settings\LORENZO\Dati applicazioni\hidires\hidr.exe
c:\Documents and Settings\LORENZO\Dati applicazioni\hidires\m_hook.sys

Restart the computer and run Blacklight again. Post the log to here with a fresh HijackThis log :bigthumb:

here BlackLight log after renaming&restart: no hidden files found! :eek:

02/01/07 00:02:25 [Info]: BlackLight Engine 1.0.55 initialized
02/01/07 00:02:25 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/01/07 00:02:25 [Note]: 7019 4
02/01/07 00:02:25 [Note]: 7005 0
02/01/07 00:02:28 [Note]: 7006 0
02/01/07 00:02:28 [Note]: 7011 1620
02/01/07 00:02:28 [Note]: 7026 0
02/01/07 00:02:28 [Note]: 7026 0
02/01/07 00:02:36 [Note]: FSRAW library version 1.7.1021
02/01/07 00:07:06 [Note]: 7007 0



here Hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 0.10.41, on 01/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Hide Folder 3.0\HF30Service.exe
C:\Programmi\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Extensis\Suitcase 9.2\Suitcase.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Tools\hijackthis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Programmi\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programmi\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\System32\hldrrr.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\System32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\LORENZO\Dati applicazioni\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\System32\wintems.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Strumenti di SMART Board.lnk.disabled
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica selezionati da Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica sito web con Free Download Manager - file://C:\Programmi\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128453485248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128606071765
O17 - HKLM\System\CCS\Services\Tcpip\..\{A43E473A-3BFE-480A-BE7D-4014E4D45C72}: NameServer = 85.37.17.15 85.38.28.74
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: HF30Service - Unknown owner - C:\Programmi\Hide Folder 3.0\HF30Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Programmi\SMART Board Software\SMARTBoardService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe



good news I hope! :bigthumb:

Ok good work :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\System32\hldrrr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\System32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\LORENZO\Dati applicazioni\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\System32\wintems.exe
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\System32\hldrrr.exe.ren
C:\WINDOWS\System32\wintems.exe.ren

Go to the My Computer and delete the following folder (if present):
C:\Documents and Settings\LORENZO\Dati applicazioni\hidires

Use the Windows search Start
Search
All files and folders
More advanced options Checkmark these options: "Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: ldr64.dll

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- new HijackThis startuplist, follow the earlier instructions

here I am again!
first o all, when trying to restart in safe mode after HjT fixes I had the same problem explained before:

can't restart in safe mode: either with "classic" safe mode, with Networking or with Command Prompt, after hitting enter and some paths fastly scrolling down the screen (that's normal), system restarts from the beginning....

anyway I remedied by booting with "Directory Service Restore Mode": this seem to be like normal safe mode, I think/hope no problem on this point. in this mode I deleted files and folders (ldr64.dll was not found), run ATFcleaner and did AVG scan, than rebooted in normal mode and did HjT scans. here the logs:

-AVG's report (http://1st.kiwidesign.googlepages.com/avgReport-Scan-20070202-181420.txt)
-fresh HijackThis log (http://1st.kiwidesign.googlepages.com/hjt-log-20070202-182500.txt)
-new HijackThis startuplist (http://1st.kiwidesign.googlepages.com/hjt-startuplist-20070202-182700.txt)

that's all I hope! :bigthumb:

Hi, looks better :)

The AVG Anti-Spyware log looks strange.
Please try to upload it again :bigthumb:

re-uploaded, check the link above ;)

BIG BIG BIG thanks for your help jak3...

a little question here:
actually my only protection is Avast4, any suggest for improved security without eating up all my RAM?

awww, this forum is great :red:

ouch, forgot to wrote: can I uninstall AVG?

Hi :)

Yes you may uninstall AVG if you want but it is a good scanner...

Open Notepad and copy the following lines into a new document:


@echo off
sc stop M_HOOK
sc delete M_HOOK

Save the document to your desktop as Remove.bat and filetype: All Files
Go to your desktop and run the file Remove.bat and allow to run it if prompted. A window will open and close, this is normal.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\exefld
C:\Documents and Settings\MILENA\Dati applicazioni\hidires
F:\#Lory\#Documenti\Giochini ed eseguibili\skerzi

Reboot in Normal Mode.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis startuplist

;) here they are:

-kaspersky log (http://1st.kiwidesign.googlepages.com/kaspersky-log-20070204-072100.txt)
-hjt startuplist (http://1st.kiwidesign.googlepages.com/hjt-startuplist-20070204-102900.txt)


Yes you may uninstall AVG if you want but it is a good scanner...
yes I think I'll keep it... what about the resident shield?

Hi again, it is looking good now :)
How is the computer running ?

You should be careful on what you download :mad:

Delete the following infected files:
D:\MOBILE TOOLS\PC HOME\AGO\ANTISPAM Free\FreeSaverMP3.exe
F:\#Lory\#Documenti\Giochini ed eseguibili\Kissdolls\Games\hentaigame.exe
F:\#Lory\#Files importanti\BSINSTALL.exe
F:\#Lory\#Files importanti\BSINSTALLIT.exe
G:\#Miky\AGSetup0608.exe

And delete the following folders:
F:\#Lory\Themes\logon
F:\#Lory\Themes\stili visivi

The you have infections in the System Restore but that will be easily cleaned.

You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6.0) Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

first of all BIG thanks Jak3, you're an :angel:




You should be careful on what you download :mad:

Delete the following infected files:
D:\MOBILE TOOLS\PC HOME\AGO\ANTISPAM Free\FreeSaverMP3.exe
...
G:\#Miky\AGSetup0608.exe
you're right, but I'm not the only using this PC :fear:
anyway these all are programs setup, but no one of them is ever been installed..
BSINSTALL is the setup of BearShare, don't know why I kept the installer but I uninstalled that program looong time ago ;)



And delete the following folders:
F:\#Lory\Themes\logon
F:\#Lory\Themes\stili visivi
uhm... all these infected exe are visual styles and logons downloaded time ago from http://themexp.org :mad:, i'll delete them...



You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus. Otherwise you'll get infected again.
uh yeah, Avast4 home is installed! as you read in topic title it was partially deleted by a malware, now I reinstalled it :bigthumb:



You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
yeah, that's true... I'll install one (I haven't yet because of the worry of slowing down PC performances...). the ones you listed are equivalent? any preference?


about SpywareBlaster and SpywareGuard, they shouldn't have conflict with any av/firewall right?

about Ad-Aware, Spybot, Firefox, I use them regularly... the infection that drove me here has probably caused by a bad file downloaded from eMule... my fault! :(

about ATF Cleaner, I regularly use CCleaner, it seem to be a valid alternative... is it?


last but not least: safe mode boot still not work any idea about?

Hi :)

Downloading custom themes is an easy way the get infected...

Good, antivirus is a must-have.

Well I use ZoneAlarm at the moment, it is very easy to use and here is a good ZoneAlarm guide (http://www.markusjansson.net/eza.html).

SpywareBlaster wont conflict you AV or eat your memory.

Yes you get best results by using multiple scanners.

Yes CCleaner and ATF Cleaner do the same thing.

Ok the safe mode. Please see these instructios and let me know if you're able to access to the safe mode -> Link (http://www.pchell.com/support/safemode.shtml) :bigthumb:

damn, I've been little bit busy these days... I'll check the link soon, thanks :bigthumb:

Ok good :bigthumb: