ads popping

massimo.sp.it
2008-02-28, 23:29
Hi.
For some days I haven't been able to surf without having popups every few minutes.
I have AV+ASW always running and automatically updated, but they couldn't find any threat.
Yesterday I installed SB-S&D; I ran it 3 times but it also couldn't find anything but some cookies.
Nobody pays me for reading these ads and they keep popping ;)
Does anybody have some tip?

As requested, this is ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.23.57, on 28.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Programmi\Microsoft LifeCam\MSCamS32.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\MXTask.exe
C:\PROGRA~1\VCOM\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\vVX1000.exe
C:\Programmi\Messenger\msmsgs.exe
C:\varie\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\VIA\RAID\raid_tool.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Varie\DAP\DAP.EXE
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\varie\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\VCOM\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Varie\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Call HoverToCall class - {7E853D72-626A-48EC-A868-BA8D5E23E045} - C:\Programmi\Windows Live\Messenger\HTC.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Programmi\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\MemCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\varie\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Clean Traces - C:\Varie\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Varie\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Varie\DAP\dapextie2.htm
O8 - Extra context menu item: Linked Ima&ges - C:\varie\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Linked Images - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\varie\IEimage\IEimage.htm
O9 - Extra 'Tools' menuitem: Linked Ima&ges - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\varie\IEimage\IEimage.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Varie\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Varie\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164225271765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\VCOM\MXTask.exe

--
End of file - 7019 bytes

ken545
2008-03-01, 15:10
Hello massimo.sp.it

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} - (no file)

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a HijackThis log.

I need to see the Malwarebytes log and a new HJT log please.

massimo.sp.it
2008-03-01, 22:49
I did all the things exactly as stated.
MBAM found lots of trouble with some web media player and, as you can see, shot plenty of infected files. I completed with an uninstall of the whole lot... but it looks like the whole thing was not enough.
IE7 pages keep popping up, rarely, but they keep coming.

As requested (hope you can work it out in Italian), this is the MBAM report:
Malwarebytes' Anti-Malware 1.05
Versione del database: 436

Tipo di scansione: Scansione rapida
Elementi scansionati: 27794
Tempo trascorso: 5 minute(s), 10 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 22
File infetti: 59

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{e550dc77-ef3b-474f-b59c-b3e2aa1fa6a5} (Adware.Starware) -> Quarantined and deleted successfully.

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\Documents and Settings\All Users\Dati applicazioni\Starware368 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_6 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_7 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_8 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Download (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Lyrics (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Music_Search (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Radio_UK (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.

File infetti:
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\503_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\503_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\512_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\512_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\513_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\513_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\Button_60.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\Button_70.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\Button_80.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\contexts\Related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\contexts\Travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\Starware368\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_6\Button_6Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_6\Button_6Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_7\Button_7Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_7\Button_7Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_8\Button_8Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Button_8\Button_8Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Download\DownloadOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Download\DownloadOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Lyrics\LyricsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Lyrics\LyricsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Music_Search\Music_SearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Music_Search\Music_SearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Radio_UK\Radio_UKOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Radio_UK\Radio_UKOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Starware368\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\WebMediaPlayer.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.

massimo.sp.it
2008-03-01, 22:51
And this is the HijackThis report (looks like it was not able to kill the three entries we asked for, or something installed them back), and this time, since all troubles come when IE7 is opened, I ran it with IE7 open (hope it helps):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.29.57, on 01.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\vVX1000.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\varie\viamichelin\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\VIA\RAID\raid_tool.exe
C:\Programmi\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programmi\Microsoft LifeCam\MSCamS32.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\MXTask.exe
C:\PROGRA~1\VCOM\mxtask.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\varie\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\VCOM\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Varie\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Call HoverToCall class - {7E853D72-626A-48EC-A868-BA8D5E23E045} - C:\Programmi\Windows Live\Messenger\HTC.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Programmi\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\MemCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\varie\viamichelin\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Clean Traces - C:\Varie\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Varie\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Varie\DAP\dapextie2.htm
O8 - Extra context menu item: Linked Ima&ges - C:\varie\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Linked Images - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\varie\IEimage\IEimage.htm
O9 - Extra 'Tools' menuitem: Linked Ima&ges - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\varie\IEimage\IEimage.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Varie\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Varie\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164225271765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\VCOM\MXTask.exe

--
End of file - 7033 bytes
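
The entries ken545 picked out of the first log above (two `Local Page` keys with an empty value and a BHO with no name and no file) can be found mechanically, and comparing the two logs shows which of them the "Fix Checked" step actually removed. The following Python script is an added example for this thread, not code from HijackThis or from anyone in the thread: the parsing rules (an `R` entry ending in `=`, a `(no file)` or `(no name)` marker) are the example's own heuristics, and the sample input is a constructed subset of the two logs posted above.

```python
"""Triage HijackThis (HJT) log lines and diff two logs taken before and after a fix.

Added example for this thread; the heuristics below are the example's own and are
not HijackThis' classification. The sample lines are a subset of the two logs
posted in the thread (the full logs are much longer).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the first log (before "Fix Checked" and before
# TeaTimer was disabled).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Varie\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\varie\Spybot - Search & Destroy\TeaTimer.exe
"""

# Constructed sample: the same subset taken from the second log, posted after the fix.
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Varie\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
"""

# An HJT entry line: section code (R0, O2, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A COM class id in braces, as HJT prints it for BHOs, toolbars and hooks.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Keep only the Rn/On entries; headers, process lists and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).lower() if clsid else None,
            "raw": line,
        })
    return entries


def triage(entries: List[Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Return (raw line, reasons) for entries that reference nothing or hide their name."""
    findings = []
    for e in entries:
        body = str(e["body"])
        reasons = []
        if str(e["section"]).startswith("R") and body.endswith("="):
            reasons.append("empty value: the registry key is set but points nowhere")
        if "(no file)" in body:
            reasons.append("dangling reference: the registered component has no file on disk")
        if "(no name)" in body:
            reasons.append("unnamed component: legitimate add-ons normally carry a name")
        if reasons:
            findings.append((str(e["raw"]), reasons))
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that disappeared and entries that newly appeared between two scans."""
    b = {str(e["raw"]) for e in parse_hjt(before)}
    a = {str(e["raw"]) for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


def unresolved(before: str, after: str) -> List[str]:
    """Flagged entries from the first scan that are still present in the second."""
    still_there = {str(e["raw"]) for e in parse_hjt(after)}
    return [raw for raw, _ in triage(parse_hjt(before)) if raw in still_there]


if __name__ == "__main__":
    for raw, reasons in triage(parse_hjt(LOG_BEFORE)):
        print(raw)
        for r in reasons:
            print("   ->", r)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nremoved by the fix:", *removed, sep="\n  ")
    print("newly appeared:", *added, sep="\n  ")
    print("\nstill flagged after the fix:", *unresolved(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

Run against the two logs in this thread, `diff_logs` reports the unnamed BHO and the TeaTimer `O4` line as gone (the latter because TeaTimer was disabled in the first step, not because HijackThis removed it), and `unresolved` shows that the two empty `Local Page` keys survived the fix. The heuristic also flags the Yahoo! Toolbar hook and the DAP Bar toolbar, both `(no file)`: a dangling registration is what an orphaned add-on looks like, which is why the script raises it, but such leftovers of an uninstall carry no code to run, which is why a helper may reasonably leave them alone.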

massimo.sp.it
2008-03-01, 23:13
Has anybody downloaded the latest Java plug-in 1.6.0_03 loading the npipi160_03.dll?
May be coincidence, but troubles began when some app asked me to install it...

ken545
2008-03-02, 03:07
Hello,

Not sure about Java, we will look into that in a bit. It is out of date and needs to be updated but don't do it yet.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall or freeze.

massimo.sp.it
2008-03-03, 14:16
This time it looks like it finally worked!
What really tricked me is that Windows' Task Manager didn't report any 'whatisthis.exe' as an active process. Can this be?
Here's the report of what ComboFix found and shot:
ComboFix 08-03-03.4 - Proprietario 2008-03-02 20.38.13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.571 [GMT 1:00]
Run by: C:\Documents and Settings\Proprietario\Desktop\ComboFix.exe
* Created new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\lpfjhlbg.dat
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\lpfjhlbg.exe
c:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\lpfjhlbg_nav.dat
c:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\lpfjhlbg_navps.dat

.
((((((((((((((((((((((((( Files Created From 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))))))
.

2008-03-01 17:11 . 2008-03-01 17:11 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\Malwarebytes
2008-03-01 17:11 . 2008-03-01 17:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Malwarebytes
2008-02-28 22:42 . 2008-02-28 22:42 <DIR> d-------- C:\Programmi\Trend Micro
2008-02-28 14:38 . 2008-02-28 14:37 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-28 14:38 . 2008-02-28 14:38 2,552 --a------ C:\WINDOWS\unins000.dat
2008-02-28 14:34 . 2008-02-28 14:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Spybot - Search & Destroy
2008-02-28 14:20 . 2008-02-28 14:21 <DIR> d-------- C:\Programmi\Microsoft Silverlight
2008-02-21 14:16 . 2008-02-21 14:16 <DIR> d-------- C:\Programmi\Hi-Speed USB Bridge-Network Cable
2008-02-21 14:16 . 2003-04-02 09:56 11,520 --a------ C:\WINDOWS\system32\drivers\PL2501NW.sys
2008-02-21 14:16 . 2003-03-04 10:46 7,936 --a------ C:\WINDOWS\system32\drivers\usbbc2.sys
2008-02-20 14:33 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-19 21:25 . 2008-02-19 21:25 <DIR> d-------- C:\WINDOWS\Sun
2008-02-19 21:23 . 2008-02-20 14:33 <DIR> d-------- C:\Programmi\Java
2008-02-19 21:23 . 2008-02-19 21:23 <DIR> d-------- C:\Programmi\File comuni\Java
2008-02-10 21:22 . 2008-02-14 00:05 <DIR> d-------- C:\TEMP_x
2008-02-09 14:16 . 2008-02-09 14:16 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 19:36 --------- d-----w C:\Programmi\VCOM
2008-03-02 19:35 --------- d---a-w C:\DOCUME~1\ALLUSE~1\DATIAP~1\TEMP
2008-03-02 19:35 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\Skype
2008-02-21 22:19 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\U3
2008-02-21 13:16 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-19 10:50 --------- d-----w C:\Documents and Settings\Dominik\Dati applicazioni\Avanquest
2008-01-19 10:27 --------- d-----w C:\Documents and Settings\Guest\Dati applicazioni\Avanquest
2008-01-04 19:40 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATIAP~1\Zabersoft
2007-12-16 19:55 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2007-12-07 02:04 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:40 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-08-22 19:11 92,064 ----a-w C:\Documents and Settings\Proprietario\mqdmmdm.sys
2007-08-22 19:11 9,232 ----a-w C:\Documents and Settings\Proprietario\mqdmmdfl.sys
2007-08-22 19:11 79,328 ----a-w C:\Documents and Settings\Proprietario\mqdmserd.sys
2007-08-22 19:11 66,656 ----a-w C:\Documents and Settings\Proprietario\mqdmbus.sys
2007-08-22 19:11 6,208 ----a-w C:\Documents and Settings\Proprietario\mqdmcmnt.sys
2007-08-22 19:11 5,936 ----a-w C:\Documents and Settings\Proprietario\mqdmwhnt.sys
2007-08-22 19:11 4,048 ----a-w C:\Documents and Settings\Proprietario\mqdmcr.sys
2007-08-22 19:11 25,600 ----a-w C:\Documents and Settings\Proprietario\usbsermptxp.sys
2007-08-22 19:11 22,768 ----a-w C:\Documents and Settings\Proprietario\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
Thanks again to you, Ken, for the help...
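The deletions ComboFix lists above (lpfjhlbg.exe and its .dat files under the user's Local Settings\Application Data) and the two "(no file)" entries in the HijackThis logs are the shapes of entry a helper scans a log for. The script below is an added example, not part of the thread or of HijackThis/ComboFix: it parses HijackThis-style lines and flags orphaned entries, executables living under per-user data folders, and random-looking all-consonant filenames. The folder list and the name heuristic are assumptions of the example, and the sample log is constructed from lines in this thread plus one hypothetical O4 line for the deleted dropper (the posted logs contain no such line).

```python
"""Triage of HijackThis-style log lines: flag the entry shapes seen in this thread.

Heuristics (assumptions of this example, not rules from HijackThis or ComboFix):
  * orphan             - "(no file)": an autostart/BHO entry whose target is gone
  * user-writable-dir  - executable lives under a per-user data folder
  * random-name        - long, all-lowercase, consonant-only filename stem
"""
import re

# Per-user folders a dropper can write to without administrator rights.
# English and Italian (the thread's machine) names; lower-case for matching.
USER_WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\impostazioni locali\\dati applicazioni\\",
    "\\application data\\",
    "\\dati applicazioni\\",
    "\\local settings\\temp\\",
    "\\impostazioni locali\\temp\\",
)

# "O4 - HKLM\..\Run: [name] path", "R3 - ... - (no file)", "O23 - Service: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
# First drive-letter path ending in a loadable extension; spaces allowed inside.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|cpl|ocx)\b", re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_random(stem):
    """True for stems like 'lpfjhlbg': >= 7 letters, all lower-case, no vowels.
    Mixed-case vendor names (LVPrcSrv) and short ones (msmsgs) pass."""
    return (len(stem) >= 7 and stem.isalpha() and stem.islower()
            and not (set(stem) & VOWELS))


def triage_line(line):
    """Return the list of reasons an entry deserves a look (empty if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    body = m.group("body")
    reasons = []
    if "(no file)" in body:
        reasons.append("orphan")
    pm = PATH_RE.search(body)
    if pm:
        path = pm.group(0)
        if any(d in path.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("user-writable-dir")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # keep original case
        if looks_random(stem):
            reasons.append("random-name")
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Constructed sample: lines taken from the thread's logs plus one hypothetical
# O4 entry for the dropper ComboFix deleted (the posted logs show no such line).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [lpfjhlbg] C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\lpfjhlbg.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(", ".join(reasons).ljust(30), entry)
```

The heuristics only rank entries for a human to review; a legitimate program installed per-user will also land in a user-writable folder. On the Task Manager question raised in the post: the process list is a weak check on its own, because code loaded as a DLL into another program (the O2 browser helper objects in the log are exactly that) never appears as a process of its own, and a dropper that runs once at logon and exits is gone by the time the list is opened. Autostart locations and on-disk files, which is what HijackThis and ComboFix enumerate, are the more reliable place to look.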

ken545
2008-03-03, 18:44
Glad things are better. It looks like you did not post the entire ComboFix log; you can find it here: C:\ComboFix.txt

Post the ComboFix log and a new HijackThis log please, and let's make sure there is nothing else to remove.

massimo.sp.it
2008-03-05, 20:56
Anyway, I had no more pop-ups, thank you...
ComboFix 08-03-03.4 - Proprietario 2008-03-06 20:44:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.590 [GMT 1:00]
Run by: C:\Documents and Settings\Proprietario\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created From 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))))))
.

2008-03-03 22:07 . 2008-03-03 22:07 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\vlc
2008-03-01 17:11 . 2008-03-01 17:11 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\Malwarebytes
2008-03-01 17:11 . 2008-03-01 17:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Malwarebytes
2008-02-28 22:42 . 2008-02-28 22:42 <DIR> d-------- C:\Programmi\Trend Micro
2008-02-28 14:38 . 2008-02-28 14:37 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-28 14:38 . 2008-02-28 14:38 2,552 --a------ C:\WINDOWS\unins000.dat
2008-02-28 14:34 . 2008-02-28 14:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Spybot - Search & Destroy
2008-02-28 14:20 . 2008-02-28 14:21 <DIR> d-------- C:\Programmi\Microsoft Silverlight
2008-02-20 14:33 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-19 21:25 . 2008-02-19 21:25 <DIR> d-------- C:\WINDOWS\Sun
2008-02-19 21:23 . 2008-02-20 14:33 <DIR> d-------- C:\Programmi\Java
2008-02-19 21:23 . 2008-02-19 21:23 <DIR> d-------- C:\Programmi\File comuni\Java
2008-02-10 21:22 . 2008-02-14 00:05 <DIR> d-------- C:\TEMP_x
2008-02-09 14:16 . 2008-02-09 14:16 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 19:46 --------- d-----w C:\Programmi\VCOM
2008-03-06 19:16 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\Skype
2008-03-04 13:35 --------- d---a-w C:\DOCUME~1\ALLUSE~1\DATIAP~1\TEMP
2008-02-21 22:19 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\U3
2008-02-21 13:16 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-31 18:15 29,600 ----a-w C:\WINDOWS\system32\mxntdfg.exe
2008-01-19 10:50 --------- d-----w C:\Documents and Settings\Dominik\Dati applicazioni\Avanquest
2008-01-19 10:27 --------- d-----w C:\Documents and Settings\Guest\Dati applicazioni\Avanquest
2007-12-16 19:55 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2007-12-07 02:04 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-08-22 19:11 92,064 ----a-w C:\Documents and Settings\Proprietario\mqdmmdm.sys
2007-08-22 19:11 9,232 ----a-w C:\Documents and Settings\Proprietario\mqdmmdfl.sys
2007-08-22 19:11 79,328 ----a-w C:\Documents and Settings\Proprietario\mqdmserd.sys
2007-08-22 19:11 66,656 ----a-w C:\Documents and Settings\Proprietario\mqdmbus.sys
2007-08-22 19:11 6,208 ----a-w C:\Documents and Settings\Proprietario\mqdmcmnt.sys
2007-08-22 19:11 5,936 ----a-w C:\Documents and Settings\Proprietario\mqdmwhnt.sys
2007-08-22 19:11 4,048 ----a-w C:\Documents and Settings\Proprietario\mqdmcr.sys
2007-08-22 19:11 25,600 ----a-w C:\Documents and Settings\Proprietario\usbsermptxp.sys
2007-08-22 19:11 22,768 ----a-w C:\Documents and Settings\Proprietario\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty and legitimate/default values are not displayed.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.52.41, on 06.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Programmi\Microsoft LifeCam\MSCamS32.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\MXTask.exe
C:\PROGRA~1\VCOM\mxtask.exe
C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\vVX1000.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\varie\viamichelin\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\VIA\RAID\raid_tool.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\varie\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\VCOM\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Varie\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Call HoverToCall class - {7E853D72-626A-48EC-A868-BA8D5E23E045} - C:\Programmi\Windows Live\Messenger\HTC.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Programmi\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\MemCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\varie\viamichelin\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Clean Traces - C:\Varie\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Varie\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Varie\DAP\dapextie2.htm
O8 - Extra context menu item: Linked Ima&ges - C:\varie\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\varie\viamichelin\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Linked Images - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\varie\IEimage\IEimage.htm
O9 - Extra 'Tools' menuitem: Linked Ima&ges - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\varie\IEimage\IEimage.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Varie\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Varie\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164225271765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\VCOM\MXTask.exe

--
End of file - 6677 bytes

ken545
2008-03-05, 21:27
Hello,

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken