Help with Virtumonde removal



Lolicon
2008-09-09, 16:25
Hello and thanks for all the help... Spybot S&D is a great piece of software in its own right.
I'm helping out a friend who has his laptop badly infected with an array of worms and stuff (some of it already, I think, cleaned) but... Virtumonde.dll is giving me a hard time!
I ran HJT and have the log file for it.
I ran ComboFix and have the log file for it as well.
ComboFix, in its "how to", instructs you to turn off basically everything, which I did.
A side effect of this is that Symantec AV10 is now impossible to restart.

Thanks for all the help you can provide and greetings from Italy.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.17.29, on 09/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\HPQ\IAM\bin\asghost.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programmi\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programmi\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programmi\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: wmhakf.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8562 bytes


ComboFix 08-09-05.10 - Nik & Ely 2008-09-09 14.33.57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.152 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Nik & Ely\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\egjcudqv.dll
C:\WINDOWS\system32\fxwauofh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nlegfqwe.ini
C:\WINDOWS\system32\tAHOonmp.ini
C:\WINDOWS\system32\tAHOonmp.ini2
C:\WINDOWS\system32\vqducjge.ini
C:\WINDOWS\system32\vtUooliJ.dll
C:\WINDOWS\system32\wmhakf.dll
C:\WINDOWS\system32\yelberpj.ini

.
((((((((((((((((((((((((( Files Creati Da 2008-08-09 al 2008-09-09 )))))))))))))))))))))))))))))))))))
.

2008-09-09 14:16 . 2008-09-09 14:16 <DIR> d-------- C:\Programmi\Trend Micro
2008-09-09 13:06 . 2008-09-09 13:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-09 08:39 . 2008-09-09 08:39 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\VSRevoGroup
2008-09-09 01:14 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Risorse di stampa
2008-09-09 01:14 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Risorse di rete
2008-09-09 01:14 . 2008-09-09 01:15 <DIR> dr------- C:\Documents and Settings\Nik & Ely\Preferiti
2008-09-09 01:14 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Modelli
2008-09-09 01:14 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Nik & Ely\Menu Avvio
2008-09-09 01:14 . 2008-09-09 10:47 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Impostazioni locali
2008-09-09 01:14 . 2008-09-09 01:15 <DIR> dr------- C:\Documents and Settings\Nik & Ely\Documenti
2008-09-09 01:14 . 2006-09-21 12:58 <DIR> d-------- C:\Documents and Settings\Nik & Ely\Dati applicazioni\SampleView
2008-09-09 01:14 . 2008-09-09 14:15 <DIR> dr-h----- C:\Documents and Settings\Nik & Ely\Dati applicazioni
2008-09-09 01:14 . 2008-09-09 01:14 <DIR> d-------- C:\Documents and Settings\Nik & Ely
2008-09-08 22:16 . 2008-09-08 22:19 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
2008-09-08 22:16 . 2008-09-08 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-09-08 22:02 . 2008-09-08 22:02 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\VSRevoGroup
2008-09-08 21:57 . 2008-09-08 21:57 <DIR> d-------- C:\Programmi\VS Revo Group
2008-09-08 21:38 . 2008-09-08 21:38 0 --a------ C:\WINDOWS\VPC32.INI
2008-09-08 15:24 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-08 15:24 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-08 15:21 . 2008-09-08 15:27 <DIR> d-------- C:\Programmi\Symantec
2008-09-08 15:19 . 2008-09-09 14:31 <DIR> d-------- C:\Programmi\Symantec AntiVirus
2008-09-08 15:12 . 2008-09-08 15:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\SampleView
2008-09-08 14:44 . 2008-09-08 14:46 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-09-08 14:44 . 2008-09-08 14:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-06 18:36 . 2008-09-06 18:36 322,048 --a------ C:\WINDOWS\system32\pmnoOHAt.dll
2008-09-06 18:30 . 2008-09-06 18:41 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\TmpRecentIcons
2008-09-03 22:12 . 2008-09-03 22:12 268 --ah----- C:\sqmdata18.sqm
2008-09-03 22:12 . 2008-09-03 22:12 244 --ah----- C:\sqmnoopt18.sqm
2008-09-03 16:44 . 2008-09-03 16:44 268 --ah----- C:\sqmdata17.sqm
2008-09-03 16:44 . 2008-09-03 16:44 244 --ah----- C:\sqmnoopt17.sqm
2008-09-03 06:00 . 2008-09-03 06:00 268 --ah----- C:\sqmdata16.sqm
2008-09-03 06:00 . 2008-09-03 06:00 244 --ah----- C:\sqmnoopt16.sqm
2008-08-21 19:35 . 2008-08-21 19:35 <DIR> d-------- C:\Program Files
2008-08-20 11:29 . 2008-09-05 13:06 <DIR> d-------- C:\Programmi\EA GAMES
2008-08-20 11:29 . 2008-03-13 03:10 445,504 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-08-19 18:30 . 2008-08-19 18:30 268 --ah----- C:\sqmdata15.sqm
2008-08-19 18:30 . 2008-08-19 18:30 244 --ah----- C:\sqmnoopt15.sqm
2008-08-19 16:27 . 2008-08-19 17:27 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-08-19 16:27 . 2008-08-19 16:27 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Pogo Games
2008-08-19 16:26 . 2008-08-19 17:50 <DIR> d-------- C:\Programmi\Oberon Media
2008-08-19 10:43 . 2008-08-19 10:43 268 --ah----- C:\sqmdata14.sqm
2008-08-19 10:43 . 2008-08-19 10:43 244 --ah----- C:\sqmnoopt14.sqm
2008-08-18 18:36 . 2008-08-18 18:36 268 --ah----- C:\sqmdata13.sqm
2008-08-18 18:36 . 2008-08-18 18:36 244 --ah----- C:\sqmnoopt13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 10:27 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-09-09 10:27 --------- d-----w C:\Programmi\InterVideo
2008-09-09 10:25 --------- d-----w C:\Programmi\Windows Live Toolbar
2008-09-08 21:57 --------- d-----w C:\Programmi\Java
2008-09-08 13:31 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-09-08 13:19 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-09-08 12:54 --------- d-----w C:\Programmi\Canon
2008-09-08 08:27 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Spyware Terminator
2008-08-07 15:41 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-08-07 15:41 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-08-01 14:04 --------- d-----w C:\Programmi\Netlog Photo Tool
2008-08-01 12:13 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\ArcSoft
2008-07-22 00:01 --------- d-----w C:\Programmi\Ubisoft
2008-07-18 18:38 586,752 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-14 07:36 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-13 23:14 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Thinstall
2008-07-13 14:48 --------- d-----w C:\Programmi\File comuni\Sonic Shared
2008-07-13 14:47 --------- d-----w C:\Programmi\Sonic
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{537C9B85-09E8-4092-BC74-9AC04BF4A1CE}]
2008-09-06 18:36 322048 --a------ C:\WINDOWS\system32\pmnoOHAt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PTHOSTTR"="C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"HP Software Update"="C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784]
"hpWirelessAssistant"="C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"QlbCtrl"="C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"Cpqset"="C:\Programmi\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"SSBkgdUpdate"="C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="C:\Programmi\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2008-05-08 212992]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
BTTray.lnk - C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-02-15 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 20:41 40960 C:\Programmi\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wmhakf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"14845d23"=rundll32.exe "C:\WINDOWS\system32\egjcudqv.dll",b
"WatchDog"=C:\Programmi\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62954:TCP"= 62954:TCP:emule
"56694:UDP"= 56694:UDP:emule

R2 ASChannel;Canale di comunicazione locale;C:\WINDOWS\System32\svchost.exe [2004-08-19 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
- - - - ORFÇOS REMOVIDOS - - - -

BHO-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\vtUooliJ.dll
ShellExecuteHooks-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\vtUooliJ.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Nik & Ely\Dati applicazioni\Mozilla\Firefox\Profiles\x6lkhnf5.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 14:39:57
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programmi\HPQ\Default Settings\cpqset.exe?????????? ???@???????????????@??????W??????(?@???????@

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\HPQ\IAM\Bin\asghost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Ora fine scansione: 2008-09-09 14:43:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-09 12:43:11

Pre-Run: 36,411,506,688 byte disponibili
Post-Run: 36,328,189,952 byte disponibili

200 --- E O F --- 2008-08-19 08:11:58

pskelley
2008-09-11, 12:33
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.17.29, on 09/09/2008

ComboFix 08-09-05.10 - Nik & Ely 2008-09-09 14.33.57.1

If you still need help and have read the directions, post a new HJT log created AFTER you ran combofix. Please mention any symptoms and post any error messages word for word.

Thanks

Lolicon
2008-09-11, 23:23
Hello pskelley and thanks for the reply.
I read all the "before you post" before posting and I ran all the mentioned programs and... it seems my friend's laptop is back to normal, save for the CD-ROM/DVD drive, which disappeared this morning from the available devices.
I think this is a hardware problem: basically it broke.
For all the rest the laptop seems running again fine.
No more popups, Windows Update not working, fake antivirus programs installed, VIRUS ALERT displayed next to the system clock, and other erratic behaviour.
It was tough and long but (I cross my fingers) everything seems back to normal.

Thanks again for keeping up such a great service. I already donated in the past, but will ask my friend to do it himself as well.

pskelley
2008-09-12, 00:19
Thanks for the feedback...Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html