
Problem with a worm



gnorro
2007-12-13, 11:36
Hi,
I have some problems with my notebook. It's very, very slow since I downloaded and ran a crack for a piece of software.
Often when I close a window, everything disappears and reappears after about one minute.
My antivirus is not loaded at system startup; I have to reinstall it every time I boot my machine.
I noticed that I have a strange process in Task Manager that belongs to a file in c:\windows\temp. If I kill the process the file disappears, but the problems remain. If I delete the file, the next time I boot it appears again with a different name.
I don't know if I have some worms. Can you help me, please?


thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.26.07, on 13/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\FireTrust\MailWasher Pro\MailWasher.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\TeaTimer.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\lucamarantelli\Desktop\Windows Live Installer.exe
C:\Programmi\Windows Live\installer\Dashboard.exe
C:\Programmi\Windows Live\installer\WLSetupSvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [bc360619] rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: Domain = mi.draeger.mt.it; corp.draeger.global
O17 - HKLM\System\CCS\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: NameServer = 10.109.0.149,160.70.15.89
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS1\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: Domain = mi.draeger.mt.it; corp.draeger.global
O17 - HKLM\System\CS1\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: NameServer = 10.109.0.149,160.70.15.89
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9716 bytes
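As an added example (not code from this thread, from HijackThis or from the helper), here is a small Python triage script that runs over a few lines modelled on the log above and flags what an analyst would look at first: processes loaded from a Temp directory, autorun entries whose image path differs from where a process of that name is actually running, rundll32 entries loading a DLL, random-looking Run value names, and win.ini load= entries. The check names and heuristics are my own, and a hit is a prompt for manual review, not a verdict.

```python
import re

# Constructed sample: a handful of lines modelled on the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [bc360619] rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")          # "O4 - ..." style lines
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")               # "[value name] command"
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr))(?=\s|$)", re.IGNORECASE)
HEXISH_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)   # heuristic: value names like [bc360619]

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and its R/F/O entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False          # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return {"processes": processes, "entries": entries}

def image_path(cmd):
    """Executable (or DLL) part of an autorun command: a quoted path, or up to the first .exe/.dll."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def split_path(path):
    """(directory, file name), both lower-cased; directory is '' when the entry carries no path."""
    parts = path.rsplit("\\", 1)
    return (parts[0].lower(), parts[1].lower()) if len(parts) == 2 else ("", path.lower())

def triage(text):
    """Heuristic checks over a HijackThis log; every hit is a prompt for manual review, not a verdict."""
    log = parse_hjt(text)
    findings = []
    loaded_from = {}      # file name -> set of directories a process of that name is running from
    for proc in log["processes"]:
        d, name = split_path(proc)
        loaded_from.setdefault(name, set()).add(d)
        if "\\temp\\" in proc.lower():
            findings.append(("process-in-temp", proc))
    for kind, body in log["entries"]:
        if kind == "F3" and "load=" in body.lower():
            findings.append(("winini-load", body))   # legacy win.ini startup hook
            continue
        if kind != "O4":
            continue
        m = O4_RE.search(body)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        exe = image_path(cmd)
        exe_dir, exe_name = split_path(exe)
        if HEXISH_NAME_RE.match(name):
            findings.append(("random-value-name", body))
        if exe_name == "rundll32.exe":       # report the DLL that rundll32 is asked to load
            rest = cmd.strip().split(None, 1)
            findings.append(("rundll32-dll", image_path(rest[1]) if len(rest) > 1 else ""))
        if exe_dir:                          # autorun says one directory, the live process is elsewhere
            for actual in sorted(loaded_from.get(exe_name, ())):
                if actual != exe_dir:
                    findings.append(("path-mismatch", f"{exe} -> running from {actual}"))
    return findings

def count_by_check(findings):
    """Number of hits per check name, for a quick summary."""
    counts = {}
    for check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts

if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"{check:18} {detail}")
```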

ken545
2007-12-13, 18:25
Hello gnorro
Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


It looks like you posted here
http://forums.whatthetech.com/notebook_very_slow_maybe_a_worm_t85855.html

Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't.
We do not support the use of illegal Pirated/Warez/Cracked software.

Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and in the case of your operating system, to obtain a valid licensed copy.


If you want to remove the cracked software, then run the Kaspersky free online scanner and post the log along with a new HJT log, please.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.

gnorro
2007-12-14, 14:16
Sorry Ken, and thanks for your reply.

This is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 14, 2007 2:12:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/12/2007
Kaspersky Anti-Virus database records: 451597
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79064
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 03:22:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\lucamarantelli\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\tmpLog.txt Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\Training\Training archive - junk.rot135 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\Training\Training archive - legitimate.rot135 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\Trash.rot135 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\cert8.db Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\flashgot.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\formhistory.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\history.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\key3.db Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\parent.lock Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\search.sqlite Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Cronologia\History.IE5\MSHist012007121420071215\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\dfsr.db Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\fsr.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\fsrtmp.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\tmp.edb Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\outlook.ost Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\rhcpitalia@msn.com\real\members.stg Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\rhcpitalia@msn.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\ExchangePerflog_8484fa3197ed59cfcfcccd43.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\~DF65FB.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\~DF662A.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\~DFAF7A.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temporary Internet Files\Content.IE5\ELKZA965\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lucamarantelli\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.logaccount_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.loginitial_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.logLuuidDB Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.logptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.logaccount_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.loginitial_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.logLuuidDB Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.logptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\sr_gui_tde.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\sr_service_tde.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\sr_watchdog_tde.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\tmp\CKP_shmem_vpnstat_vpnd_shmem Object is locked skipped
C:\Programmi\Stonesoft\StoneGate VPN Client\process.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{95624057-4A02-49E5-B0B3-F358310412F5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ckpNotify.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\W3SVC1\ex071214.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_9bc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

gnorro
2007-12-14, 14:17
And this is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.15.02, on 14/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\TeaTimer.exe
C:\Programmi\FireTrust\MailWasher Pro\MailWasher.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmi\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [bc360619] rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9382 bytes


thanks

ken545
2007-12-14, 15:32
gnorro,

You may have a deeper issue than what we are going to fix, let's see what we can accomplish and go from there.

You need to disable the Tea Timer in Spybot Search and Destroy or it may prevent the fixes from taking.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer for it to take effect.



Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b




Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.





Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.



The thieves that have written Vundo have written it to go undetected by HijackThis, so we need to rename it to something else so those entries will show up on your log.

This is important, do this and post a new HijackThis log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass ) and rename it to Scanner.exe


Let me see the SAS log, the Combofix log and a new HJT log renamed please
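The entries singled out in the reply above (the win.ini load= launcher, the rundll32 Run entry, the unnamed BHO with a live file, and processes started from a Temp folder) can be pulled out of a HijackThis log mechanically. The script below is an added example written for this thread, not code from HijackThis or from anyone in the thread; the sample lines are copied from the logs posted above, and the hits are triage flags for a helper to review, not verdicts.

```python
"""Triage helper for HijackThis logs (added example, not part of HijackThis).

It flags the kinds of entries a helper looks at first:
  * processes running from a Temp folder,
  * an F3 win.ini "load=" launcher (legacy autostart, rarely legitimate today),
  * an O2 BHO with "(no name)" that is backed by a real file (a dead "(no file)"
    entry is just leftover registry data),
  * an O4 Run entry that uses rundll32 to load a DLL.
Flags are hints for review: sgagent.exe below is a legitimate VPN agent that
merely happens to run from Temp on this machine, and still gets flagged.
"""
import re

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\IBEA69.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57F521B7-248A-4981-973C-8C7819EB0CCD} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
"""

# A path component named "temp" (either case) somewhere in the process path.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# HijackThis entry lines look like "R0 - ...", "F3 - ...", "O16 - ...".
ENTRY_LINE = re.compile(r"^[A-Z]\d+ - ")


def parse_log(text):
    """Split a HijackThis log into (running process paths, entry lines)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_LINE.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Return a list of (reason, line) findings in log order."""
    findings = []
    processes, entries = parse_log(text)
    for proc in processes:
        if TEMP_DIR.search(proc):
            findings.append(("process running from a Temp folder", proc))
    for entry in entries:
        lowered = entry.lower()
        if entry.startswith("F3 - REG:win.ini: load="):
            findings.append(("win.ini load= launcher", entry))
        elif entry.startswith("O2 - BHO: (no name)") and not entry.endswith("(no file)"):
            findings.append(("unnamed browser helper object backed by a real file", entry))
        elif entry.startswith("O4 - ") and "rundll32" in lowered and ".dll" in lowered:
            findings.append(("Run entry using rundll32 to load a DLL", entry))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```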

gnorro
2007-12-14, 22:12
SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/14/2007 at 06:58 PM

Application Version : 3.9.1008

Core Rules Database Version : 3361
Trace Rules Database Version: 1360

Scan type : Complete Scan
Total Scan Time : 02:07:31

Memory items scanned : 460
Memory threats detected : 3
Registry items scanned : 7338
Registry threats detected : 18
File items scanned : 36060
File threats detected : 16

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\EFCBAXX.DLL
C:\WINDOWS\SYSTEM32\EFCBAXX.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\efcbaxx

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\AWTSP.DLL
C:\WINDOWS\SYSTEM32\AWTSP.DLL
HKLM\Software\Classes\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}
HKCR\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}
HKCR\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}\InprocServer32
HKCR\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B9589C7-8410-4C5C-9194-A4559030DAE1}

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\ANHNDPIK.DLL
C:\WINDOWS\SYSTEM32\ANHNDPIK.DLL

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{7c3f76ed-88a0-4c99-9663-a4140c39f7fd}
HKCR\CLSID\{7C3F76ED-88A0-4C99-9663-A4140C39F7FD}
HKCR\CLSID\{7C3F76ED-88A0-4C99-9663-A4140C39F7FD}\InprocServer32
HKCR\CLSID\{7C3F76ED-88A0-4C99-9663-A4140C39F7FD}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c3f76ed-88a0-4c99-9663-a4140c39f7fd}
C:\WINDOWS\SYSTEM32\JCGXTSYG.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}\InprocServer32
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}

Adware.Tracking Cookie
C:\Documents and Settings\administrator\Cookies\administrator@ad.watersoul[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@realmedia[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@statse.webtrendslive[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@yadro[1].txt
C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Cookies\administrator@msnportal.112.2o7[1].txt

gnorro
2007-12-14, 22:13
Combofix doesn't create a log, because it seems to be blocked when it tries to remove files and dirs at the end. After about 1 hour I stopped it.

This is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\IBEA69.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4470843F-FC5D-4AB4-AB07-1C5739A68D78} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57F521B7-248A-4981-973C-8C7819EB0CCD} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9963 bytes

ken545
2007-12-14, 22:25
First do this.

Download haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe)
and save it to your desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix


Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)

gnorro
2007-12-14, 22:36
HAXFIX logfile - by Marckie

version 4.61
2007-12-15 22:27:36.48

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
CmBatt
tmcomm

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 22:27:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x20229~\2]
"0140110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL"

scanning hidden files ...

C:\serv.txt 16 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!

ken545
2007-12-14, 23:18
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\system32\awtsp.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


Remove this with HJT.
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe



Delete Combofix and download and install a fresh copy.


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


If it still hangs then try running it in Safemode.
To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


Post the Avenger log, the combofix log and a new HJT log

gnorro
2007-12-15, 11:35
Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xpkcqsxg

*******************

Script file located at: \??\C:\ekbhifuv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\awtsp.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Combofix now deletes files and dirs and then reboots my PC, but no log is shown. Is it created in some dir?

This is the HJT log. Every time I reboot, the DLL in system32 appears again. I always have a file that changes its name in Task Manager; it's located in windows\temp.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29, on 2007-12-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\HP9E5.EXE
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\ctfmon.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {52136192-47CF-433C-B270-2ADF2E0730D1} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9737 bytes

ken545
2007-12-15, 12:20
Open up Task Manager by pressing Ctrl+Alt+Del and under the Processes tab look for
C:\WINDOWS\system32\awtsp.exe, select it and click on End Process


Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\system32\awtsp.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Run Combofix again please, I need to see the report along with the OTMoveIt log and a new HJT log

gnorro
2007-12-15, 12:55
That file (awtsp.exe, and also the other file inside the temp dir) appears again every time I boot. I also unchecked it in msconfig. Combofix generates no log; it always reboots my PC but then nothing happens.

gnorro
2007-12-15, 13:18
C:\WINDOWS\system32\awtsp.exe moved successfully.

Created on 12-16-2007 13:16:40


Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:17, on 2007-12-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\ICFC8F.EXE
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {76B3746B-E39E-4153-AAB9-786D701BC88A} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 10042 bytes

ken545
2007-12-16, 03:55
Sorry for the late reply but I was called away and was not online most of the day.

Download Pocket Killbox (http://www.majorgeeks.com/Pocket_KillBox_d4709.html) to your desktop.

Highlight the file with the complete path inside the Quote Box and press Ctrl C on your keyboard.


C:\WINDOWS\system32\awtsp.exe


Open Pocket Killbox
Go to File > Paste from clipboard
Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
Make sure Single File is selected
Click on the Red circle with the white X
It will ask you to confirm the deletion...Say yes
It will ask you to reboot, say yes

If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.


Post a new HJT log and let's see if this got it

gnorro
2007-12-16, 10:00
No problem Ken... you are giving me great help

This is the HJ log. The file was not deleted :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\EL396A.EXE
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe
C:\Programmi\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: (no name) - {061DA521-C797-4E3A-9EF4-66214C50DF35} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9988 bytes

ken545
2007-12-16, 12:05
Good Morning,

It's still there :red:


"that file appears (awtsp.exe and also the other file inside temp dir)"

Are you saying there is another awtsp.exe in a temp folder??

gnorro
2007-12-16, 16:13
In that dir there is a file that is renamed every time I start the PC. Now its name is: rkc0c9.exe
If I kill the process the file disappears, but it appears again at the next reboot. I also used VundoFix from Symantec but it finds nothing. I also used Prevx CSI, which finds that I am infected but then asks me for a license to clean my system.

ken545
2007-12-16, 17:05
This file appears to be related to Vundo somehow.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up




Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




C:\ComboFix.txt <-- You can find it on your C:\ drive


Post both the Vundofix and Combofix logs please
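
The logs posted in this thread carry several indicators that a defender can pick out mechanically: a process running from C:\WINDOWS\TEMP under a name that changes each boot, an F3 win.ini load= autostart pointing at awtsp.exe, an O2 BHO with "(no name)" loading awtsp.dll from system32, and the same DLL reappearing under a different CLSID in each successive HJT log ({76B3746B...}, {061DA521...}, {C889469C...}). The VundoFix output in the thread also lists pstwa.ini beside awtsp.dll, and "pstwa" is "awtsp" spelled backwards. The following script is an added example, not code from this thread, from HijackThis or from VundoFix; the sample log lines and file names it embeds are constructed from the entries posted above, and the rules are review heuristics, not a malware verdict.

```python
import re

# Constructed sample: a condensed HJT log assembled from entries posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\RN5875.EXE
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C889469C-66DC-4851-9BB7-38FBCD0E080F} - C:\WINDOWS\system32\awtsp.dll
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
"""

# Constructed sample: the BHO line for the same DLL as it appeared in three successive logs in the thread.
BHO_LINES_OVER_TIME = [
    r"O2 - BHO: (no name) - {76B3746B-E39E-4153-AAB9-786D701BC88A} - C:\WINDOWS\system32\awtsp.dll",
    r"O2 - BHO: (no name) - {061DA521-C797-4E3A-9EF4-66214C50DF35} - C:\WINDOWS\system32\awtsp.dll",
    r"O2 - BHO: (no name) - {C889469C-66DC-4851-9BB7-38FBCD0E080F} - C:\WINDOWS\system32\awtsp.dll",
]

# Constructed sample: file names reported by the VundoFix scan in the thread.
SYSTEM32_FILES = ["awtsp.dll", "pstwa.ini", "pstwa.ini2"]

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")              # "O2 - ..." style HJT entries
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")  # name - {CLSID} - dll path
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)     # any ...\Temp\... path component


def parse_hjt(text):
    """Split an HJT log into the running-process list and the numbered (R/F/O) entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def triage(parsed):
    """Return (rule, detail) findings for the indicators seen in this thread. Findings are for review."""
    findings = []
    for proc in parsed["processes"]:
        if TEMP_DIR_RE.search(proc):                       # executables living in a Temp directory
            findings.append(("process-in-temp", proc))
    for section, body in parsed["entries"]:
        if section == "F3" and re.search(r"win\.ini: (load|run)=\S", body):
            findings.append(("winini-autostart", body))    # legacy win.ini load=/run= autostart in use
        if section == "O2":
            m = BHO_RE.match(body)
            if m and m.group(1) == "(no name)" and "\\system32\\" in m.group(3).lower():
                findings.append(("unnamed-bho-in-system32", m.group(3)))
    return findings


def reversed_name_pairs(filenames):
    """File stems that are the reverse of another stem (awtsp <-> pstwa in this thread's VundoFix output)."""
    stems = {f.split(".")[0].lower() for f in filenames}
    pairs = set()
    for s in stems:
        r = s[::-1]
        if r in stems and r != s:
            pairs.add(tuple(sorted((s, r))))
    return sorted(pairs)


def bho_clsid_history(lines):
    """Map each BHO DLL path to the set of CLSIDs it has been registered under across logs."""
    history = {}
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) != "O2":
            continue
        b = BHO_RE.match(m.group(2))
        if b:
            history.setdefault(b.group(3).lower(), set()).add(b.group(2).upper())
    return history


def reregistered_bhos(lines):
    """DLLs that showed up under more than one CLSID, i.e. were re-registered between logs."""
    return sorted(dll for dll, ids in bho_clsid_history(lines).items() if len(ids) > 1)


if __name__ == "__main__":
    for rule, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{rule:26s} {detail}")
    print("reversed-name pairs:", reversed_name_pairs(SYSTEM32_FILES))
    print("re-registered BHOs: ", reregistered_bhos(BHO_LINES_OVER_TIME))
```

Feeding the three full logs from this thread to bho_clsid_history is the check that explains why deleting the file alone did not help: the DLL came back under a fresh CLSID each boot, so removal has to take the autostart (F3 load=), the BHO registration and the file together, which is what the helper's tool sequence is working toward.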

gnorro
2007-12-16, 17:20
It says they have been removed but it's not true...

VundoFix V6.7.0

Checking Java version...

Sun Java not detected
Scan started at 14.42.08 13/12/2007

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!


Hijack log :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\RN5875.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C889469C-66DC-4851-9BB7-38FBCD0E080F} - C:\WINDOWS\system32\awtsp.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 10068 bytes

ken545
2007-12-16, 17:53
Go to Start > Run and type in SYSEDIT. When it opens, click on the win.ini tab and COPY AND paste it here for me to see. DO NOT CHANGE ANYTHING.

I still need to see the combofix log <-- I NEED THIS

gnorro
2007-12-16, 18:28
Finally I deleted awtsp.exe and .dll. I went to regedit and deleted every occurrence of awtsp. Now ComboFix generates its log.

This is win.ini:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo


This is the ComboFix log:
ComboFix 07-12-15.5 - Administrator 2007-12-17 17.56.22.6 - NTFSx86 MINIMAL
Eseguito da: C:\Documents and Settings\lucamarantelli\Desktop\ComboFix(2).exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2

.
((((((((((((((((((((((((( Files Creati Da 2007-11-17 al 2007-12-17 )))))))))))))))))))))))))))))))))))
.

2007-12-17 17:37 . 2007-12-17 17:37 <DIR> d-------- C:\Programmi\WhoLockMe104
2007-12-17 17:14 . 2007-12-17 17:43 8,758 --ahs---- C:\WINDOWS\system32\pstwa.ini
2007-12-17 17:14 . 2007-12-17 17:41 8,547 --ahs---- C:\WINDOWS\system32\pstwa.ini2
2007-12-17 10:02 . 2007-12-17 10:04 <DIR> d-------- C:\Documents and Settings\lucamarantelli\Dati applicazioni\PrevxCSI
2007-12-17 10:02 . 2007-12-17 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Prevx
2007-12-16 11:56 . 2007-12-16 11:56 <DIR> d-------- C:\Programmi\FirefoxPreloader
2007-12-16 11:56 . 2005-01-19 03:15 28,672 --a------ C:\WINDOWS\system32\regclass.dll
2007-12-15 22:27 . 2001-05-25 06:01 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-12-15 22:27 . 2005-01-13 20:41 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-12-15 22:27 . 2004-07-22 12:15 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-12-14 16:49 . 2007-12-17 17:14 <DIR> d-------- C:\Programmi\SUPERAntiSpyware
2007-12-14 16:49 . 2007-12-14 16:49 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2007-12-14 16:49 . 2007-12-14 16:49 <DIR> d-------- C:\Documents and Settings\lucamarantelli\Dati applicazioni\SUPERAntiSpyware.com
2007-12-14 16:49 . 2007-12-14 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2007-12-14 09:25 . 2007-12-14 09:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-14 09:25 . 2007-12-14 09:25 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2007-12-13 14:42 . 2007-12-17 17:11 <DIR> d-------- C:\VundoFix Backups
2007-12-13 11:19 . 2007-12-14 09:32 929,576 --ahs---- C:\WINDOWS\system32\gystxgcj.ini
2007-12-13 09:41 . 2007-12-13 10:16 <DIR> d--hsc--- C:\Programmi\File comuni\WindowsLiveInstaller
2007-12-13 09:40 . 2007-12-13 11:48 <DIR> d-------- C:\Programmi\Windows Live
2007-12-13 09:40 . 2007-12-13 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2007-12-13 00:36 . 2007-12-13 00:36 <DIR> d-------- C:\Programmi\CCleaner
2007-12-13 00:12 . 2007-12-17 17:39 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
2007-12-12 21:10 . 2007-12-12 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2007-12-12 11:15 . 2007-08-01 15:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-12 11:13 . 2007-12-13 11:24 <DIR> d-------- C:\Programmi\Trend Micro
2007-12-12 11:12 . 2007-12-12 11:12 <DIR> d-------- C:\Documents and Settings\lucamarantelli\Dati applicazioni\InstallShield
2007-12-11 10:36 . 2007-12-11 10:36 <DIR> d-------- C:\Documents and Settings\lucamarantelli\Dati applicazioni\eRoom
2007-12-11 10:34 . 2007-12-11 10:34 <DIR> d-------- C:\Programmi\eRoom 7
2007-12-11 10:32 . 1998-07-30 18:43 306,176 --a------ C:\WINDOWS\IsUn0410.exe
2007-12-11 10:30 . 2007-12-11 10:30 <DIR> d-------- C:\Documents and Settings\lucamarantelli\WINDOWS
2007-12-10 11:38 . 2007-12-10 11:38 <DIR> d-------- C:\ofbiz
2007-11-30 11:56 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-11-30 11:43 . 2007-11-30 11:43 <DIR> dr-h----- C:\MSOCache
2007-11-29 20:12 . 2007-11-29 20:12 <DIR> d-------- C:\Programmi\wjjsoft
2007-11-29 20:10 . 2007-11-29 20:12 <DIR> d-------- C:\Programmi\NeoMem
2007-11-29 20:00 . 2007-11-29 20:01 <DIR> d-------- C:\Programmi\KeyNote
2007-11-29 19:59 . 2007-11-29 19:59 <DIR> d-------- C:\Documents and Settings\lucamarantelli\.NoteLab
2007-11-28 10:23 . 2007-03-10 15:36 <DIR> d--h----- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Risorse di stampa
2007-11-28 10:23 . 2007-03-10 15:36 <DIR> d--h----- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Risorse di rete
2007-11-28 10:23 . 2007-11-28 10:23 <DIR> dr------- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Preferiti
2007-11-28 10:23 . 2007-03-10 14:47 <DIR> d--h----- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Modelli
2007-11-28 10:23 . 2007-03-10 15:36 <DIR> dr------- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Menu Avvio
2007-11-28 10:23 . 2007-12-16 10:48 <DIR> d--h----- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Impostazioni locali
2007-11-28 10:23 . 2007-11-28 10:23 <DIR> dr------- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Documenti
2007-11-28 10:23 . 2007-10-31 23:10 <DIR> d-------- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Dati applicazioni\Intel
2007-11-28 10:23 . 2007-11-28 10:23 <DIR> dr-h----- C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Dati applicazioni
2007-11-28 09:10 . 2004-08-19 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-23 14:37 . 2004-07-19 10:52 568 --a------ C:\WINDOWS\system32\drivers\default.bin
2007-11-23 14:37 . 2004-07-19 10:52 568 --a------ C:\WINDOWS\system32\default.bin
2007-11-23 14:36 . 2007-11-23 14:36 <DIR> d-------- C:\Programmi\CheckPoint
2007-11-23 14:36 . 2004-07-19 10:52 2,871,296 --a------ C:\WINDOWS\system32\kmpapi32.dll
2007-11-23 14:36 . 2004-07-19 10:52 2,038,704 --a------ C:\WINDOWS\system32\drivers\fw.sys
2007-11-23 14:36 . 2004-07-19 10:52 668,432 --a------ C:\WINDOWS\system32\drivers\vpn.sys
2007-11-23 14:36 . 2004-07-19 10:52 393,216 --a------ C:\WINDOWS\system32\enterr.dll
2007-11-23 14:36 . 2004-07-19 11:53 106,583 --a------ C:\WINDOWS\system32\fwnetcfg.dll
2007-11-23 14:36 . 2004-07-19 11:53 32,875 --a------ C:\WINDOWS\system32\ckpginashim.dll
2007-11-23 14:36 . 2004-07-19 11:53 24,681 --a------ C:\WINDOWS\system32\ckpNotify.dll
2007-11-23 14:36 . 2004-07-19 10:52 17,424 --a------ C:\WINDOWS\system32\drivers\scap.sys
2007-11-23 14:36 . 2004-07-19 10:52 14,924 --a------ C:\WINDOWS\system32\drivers\OMVA.sys
2007-11-23 14:36 . 2004-07-19 10:52 4,133 --a------ C:\WINDOWS\entrust.ini
2007-11-22 15:48 . 2007-11-30 09:05 <DIR> d-------- C:\Programmi\QuickTime
2007-11-22 15:48 . 2007-11-22 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2007-11-22 15:48 . 2007-11-22 15:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-22 15:48 . 2007-11-22 15:48 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-22 15:47 . 2007-11-22 15:47 <DIR> d-------- C:\Programmi\Apple Software Update
2007-11-22 15:47 . 2007-11-22 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 16:14 428,544 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-17 15:06 453,120 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-17 15:06 412,160 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-16 11:32 16,547,840 ----a-w C:\WINDOWS\RTHDCPL.EXE
2007-12-16 11:32 1,784,320 ----a-w C:\WINDOWS\SkyTel.EXE
2007-12-14 15:45 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro
2007-12-12 15:11 --------- d-----w C:\Programmi\Google
2007-12-10 08:34 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2007-11-29 19:14 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-11-28 14:50 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\SQLyog
2007-11-16 16:30 --------- d-----w C:\Programmi\NetBeans 6.0 RC1
2007-11-16 16:30 --------- d-----w C:\Programmi\Apache Software Foundation
2007-11-13 18:09 --------- d-----w C:\Programmi\SQLyog Community
2007-11-08 08:38 --------- d-----w C:\Programmi\TOSHIBA
2007-11-06 17:00 --------- d-----w C:\Programmi\WinMerge
2007-11-06 16:38 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\postgresql
2007-11-06 16:36 --------- d-----w C:\Programmi\pgAdmin III
2007-11-06 07:56 --------- d-----w C:\Programmi\MSXML 4.0
2007-11-05 17:06 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InstallShield
2007-11-05 17:04 --------- d-----w C:\Programmi\File comuni\InstallShield
2007-11-05 17:04 --------- d-----w C:\Programmi\File comuni\Business Objects
2007-11-05 17:04 --------- d-----w C:\Programmi\Business Objects
2007-11-05 13:20 --------- d-----w C:\Programmi\Microsoft SQL Server
2007-11-05 08:15 --------- d-----w C:\Programmi\Innovative Solutions
2007-10-31 22:10 356,352 ----a-w C:\WINDOWS\system32\AegisI5Installer.exe
2007-10-31 22:10 21,393 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-31 22:10 21,393 ----a-w C:\WINDOWS\AegisP.sys
2007-10-31 22:10 --------- d-----w C:\Documents and Settings\NetworkService\Dati applicazioni\Intel
2007-10-31 22:10 --------- d-----w C:\Documents and Settings\MARANTELLI-XPNE\ASPNET\Dati applicazioni\Intel
2007-10-31 22:10 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\Intel
2007-10-31 22:10 --------- d-----w C:\Documents and Settings\LocalService\Dati applicazioni\Intel
2007-10-31 22:10 --------- d-----w C:\Documents and Settings\Default User\Dati applicazioni\Intel
2007-10-31 22:10 --------- d-----w C:\Documents and Settings\administrator\Dati applicazioni\Intel
2007-10-31 22:09 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Dati applicazioni\Intel
2007-10-31 22:09 --------- d-----w C:\Programmi\Intel
2007-10-31 22:09 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Intel
2007-10-31 21:18 --------- d-----w C:\Programmi\CDBurnerXP
2007-10-31 20:51 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Macrovision
2007-10-31 20:50 --------- d-----w C:\Programmi\Macromedia
2007-10-31 20:50 --------- d-----w C:\Programmi\File comuni\Macromedia Shared
2007-10-31 20:50 --------- d-----w C:\Programmi\File comuni\Macromedia
2007-10-31 20:48 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\Uniblue
2007-10-31 20:12 --------- d-----w C:\Programmi\FireTrust
2007-10-31 08:48 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\SmartFTP
2007-10-31 08:44 --------- d-----w C:\Programmi\SmartFTP Client
2007-10-30 18:24 --------- d-----w C:\Programmi\Java
2007-10-30 18:18 --------- d-----w C:\Programmi\ltmoh
2007-10-30 18:11 --------- d-----w C:\Programmi\Realtek
2007-10-30 17:22 --------- d-----w C:\Programmi\File comuni\Java
2007-10-30 15:01 --------- d-----w C:\Programmi\File comuni\Merge Modules
2007-10-30 14:48 --------- d-----w C:\Programmi\Microsoft Visual Studio .NET 2003
2007-10-30 14:34 --------- d-----w C:\Programmi\Notepad++
2007-10-30 14:34 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\Notepad++
2007-10-30 14:30 --------- d-----w C:\Programmi\HTML Help Workshop
2007-10-30 14:26 --------- d-----w C:\Programmi\File comuni\Crystal Decisions
2007-10-30 14:20 --------- d-----w C:\Programmi\Microsoft ACT
2007-10-30 13:26 --------- d-----w C:\Programmi\MSXML 6.0
2007-10-30 12:14 --------- d-----w C:\Programmi\MSBuild
2007-10-30 12:10 --------- d-----w C:\Programmi\Reference Assemblies
2007-10-30 12:05 --------- d-----w C:\Programmi\Windows Media Connect 2
2007-10-30 11:00 --------- d-----w C:\Documents and Settings\lucamarantelli\Dati applicazioni\OfficeUpdate12
2007-10-18 10:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-09-17 15:40 524,288 ----a-w C:\WINDOWS\opuc.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7E0D41E-3598-4D1D-A568-B79090A234B4}]
C:\WINDOWS\system32\awtsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SmartFTP Drop]
@={EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}

[HKEY_CLASSES_ROOT\CLSID\{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}]
2007-10-01 22:33 406840 --a------ C:\Programmi\SmartFTP Client\sfShellTools.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StoneGateAgent"="C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe" [2007-12-17 17:14]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-16 12:32 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2007-12-16 12:32 C:\WINDOWS\SkyTel.EXE]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-17 17:14]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-17 16:06]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-17 16:06]
"OfficeScanNT Monitor"="C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-16 12:35]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 13:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-19 13:00 C:\WINDOWS\system32\cmd.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmi\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmi\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-07-19 11:53 24681 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^lucamarantelli^Menu Avvio^Programmi^Esecuzione automatica^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\lucamarantelli\Menu Avvio\Programmi\Esecuzione automatica\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2006-04-26 14:39 258048 --a------ C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrossMenu]
2006-04-12 16:25 798720 --a------ C:\Programmi\Toshiba\CrossMenu\CrossMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-06-01 10:51 823296 --a------ C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-11-30 09:05 470016 --a------ C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
2005-09-01 15:21 102400 --a------ C:\Programmi\TOSHIBA\TouchED\TouchED.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Programmi\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]
C:\WINDOWS\system32\ZCfgSvc.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 17:59:38
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2007-12-17 18.00.26
.
2007-12-10 08:34:41 --- E O F ---

gnorro
2007-12-16, 18:49
Now awtsp.exe and awtsp.dll reappear again!
:(

gnorro
2007-12-16, 19:05
When I start the PC now I get an error that says that the system can't find awtsp.exe.

ken545
2007-12-16, 19:14
That's good,

Try removing this again with HJT
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe

Post a new HJT log.

gnorro
2007-12-16, 19:20
I remove F3, but if I scan again with HJT it appears again every time.

ken545
2007-12-16, 19:28
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::



File::
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\gystxgcj.ini

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7E0D41E-3598-4D1D-A568-B79090A234B4}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
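
A small triage script for the log formats in this thread, added here as an example; it is not code from HijackThis, ComboFix or anyone in the thread. It flags HJT autostart lines whose target lives in a Temp directory, bare filenames resolved through the search path, and a non-empty win.ini load=/run= like the F3 entry above, and it pairs DLLs with reversed-name .ini files such as awtsp.dll / pstwa.ini from the ComboFix "Previous Run" listing. The sample lines are constructed, modelled on the entries posted in the thread.

```python
"""Triage of HijackThis-style autostart lines and a ComboFix file listing.

Added example for this thread; not HijackThis, ComboFix or forum code.
Sample lines are constructed, modelled on the entries posted above.
"""
import re
from typing import Dict, List, Optional, Tuple

# A Windows path ending in a common executable/module extension. Non-greedy, so
# "C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe" stops at ".exe".
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|bat|vbs|cmd|scr)\b", re.IGNORECASE)
# F1 = win.ini file, F3 = the registry mapping of win.ini that HJT labels "REG:win.ini"
# (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows), which is why editing
# the text file alone does not clear a load= entry.
WININI = re.compile(r"^F[13] - (?:REG:)?win\.ini: (?P<key>load|run)=(?P<value>.*)$")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# "[Name] PROG.EXE" with no directory at all
BARE_TARGET = re.compile(r"\]\s+[\w~.$-]+\.(?:exe|dll)\s*$", re.IGNORECASE)


def extract_path(text: str) -> Optional[str]:
    """Return the first Windows executable path in an HJT line, or None."""
    m = WIN_PATH.search(text)
    return m.group(0) if m else None


def triage_hjt_line(line: str) -> List[str]:
    """Return reasons an HJT line deserves a closer look (empty list = nothing noted).

    The rules are location-based checks a helper applies by eye; they are not a
    verdict that a file is malicious.
    """
    line = line.strip()
    reasons: List[str] = []
    m = WININI.match(line)
    if m:
        value = m.group("value").strip()
        if value:  # load= and run= are normally empty on XP
            reasons.append("win.ini %s= is normally empty on XP; here it launches %s"
                           % (m.group("key"), value))
        return reasons
    section = line.split(" - ", 1)[0]
    if section not in ("O4", "O20", "O23"):
        return reasons
    path = extract_path(line)
    if path is None:
        # e.g. "[RTHDCPL] RTHDCPL.EXE": the loader resolves a bare name through the
        # search path, so a same-named file found earlier on that path wins.
        if section == "O4" and BARE_TARGET.search(line):
            reasons.append("bare filename without a directory, resolved via the search path")
        return reasons
    if TEMP_DIR.search(path):
        reasons.append("autostart target lives in a Temp directory: " + path)
    return reasons


def triage_report(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are omitted."""
    return {ln: r for ln in lines if (r := triage_hjt_line(ln))}


def reversed_ini_pairs(paths: List[str]) -> List[Tuple[str, str]]:
    """Pair DLLs with .ini files whose stem is the DLL stem spelled backwards.

    The thread shows awtsp.dll next to pstwa.ini; this naming trick is
    characteristic of the Vundo family, so a pair is worth reporting even
    after the DLL itself has been removed.
    """
    dlls: Dict[str, str] = {}
    inis: List[Tuple[str, str]] = []
    for p in paths:
        stem, _, ext = p.rsplit("\\", 1)[-1].lower().rpartition(".")
        if ext == "dll":
            dlls[stem] = p
        elif ext.startswith("ini"):  # pstwa.ini and pstwa.ini2 both count
            inis.append((stem, p))
    return sorted((dlls[s[::-1]], p) for s, p in inis if s[::-1] in dlls)


# Constructed samples, modelled on the thread's HJT and ComboFix entries.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKCU\..\Run: [QuickTime Task] C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\qttask.exe -atboottime",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe",
    r"O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe",
]
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\awtsp.dll", r"C:\WINDOWS\system32\pstwa.ini",
    r"C:\WINDOWS\system32\pstwa.ini2", r"C:\WINDOWS\system32\gystxgcj.ini",
    r"C:\WINDOWS\system32\regclass.dll",
]

if __name__ == "__main__":
    for ln, why in triage_report(SAMPLE_HJT).items():
        print(ln, "->", "; ".join(why))
    for dll, ini in reversed_ini_pairs(SAMPLE_LISTING):
        print("reversed-name pair:", dll, "<->", ini)
```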

gnorro
2007-12-16, 19:34
There is a problem.
I can't copy and paste anything and I can't drag and drop anything. I don't know why. If I open a window or a program I don't see it in the bottom bar.

The Copy item in the window menu when I right-click is always disabled, and copy and paste doesn't work!

ken545
2007-12-16, 20:49
You were able to copy and paste before; there is nothing we have done to disable that. You did not change anything in win.ini, did you?

Reboot your computer and try my fix for ComboFix again. If you still can't copy and paste, try changing your mouse.

ken545
2007-12-17, 10:50
Hello,

You have a variation of Vundo that reinfects you every time you boot up. What you need to do is stay off the internet as much as possible until we get rid of this.

Run this tool, it should fix your copy and paste problem:
http://download.bleepingcomputer.com/sUBs/Beta/NetSvc_Repair.exe


Then drag ComboFix to the trash and download this newer version, run it and post the log please:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

gnorro
2007-12-17, 12:44
Hi Ken,
I formatted my PC, I had too many problems and too little time... sorry.

However, thank you very much for your help and your time!

ken545
2007-12-17, 13:03
Good Morning,

Sorry you had to go through that. Let me tell ya, the infections going around today are getting real bad and more difficult to remove. You need to be real careful on what you download. Cracked software is bad news; I would stay away from it.



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Here are some free programs to install; don't leave home without them.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help.

Safe Surfn
Ken

gnorro
2007-12-17, 13:50
And what about SUPERAntiSpyware? I installed it. Do you think it's better to install a different one?

ken545
2007-12-17, 18:15
SUPERAntiSpyware <-- That's fine, it's a good program. You can install about anything, but remember this:


Only have ONE anti-virus program and only ONE firewall; more than that is overkill and can cause you problems.

Merry Christmas,
Ken:santa:

gnorro
2007-12-17, 18:29
Thanks Ken, and Merry Christmas to you and your wife.
Bye

ken545
2007-12-17, 23:21
Merry Christmas to you and your family.

Stay well,
Ken:santa: