PDA

View Full Version : Virtumondo HELP!



caramello
2008-11-09, 14:22
Hi everybody,

I kindly ask your help to remove this Virtumondo trojan:sad:: following the Kaspersky scan done yesterday and Hijackthis log done now.
Thanks in advance!

Saturday, November 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 08, 2008 15:35:47
Records in database: 1374536
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
F:\
Scan statistics
Files scanned 6054
Threat name 2
Infected objects 34
Suspicious objects 0
Duration of the scan 00:02:34

File name Threat name Threats count
C:\WINDOWS\system32\eoguee.dll/C:\WINDOWS\system32\eoguee.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.esn 25
C:\WINDOWS\system32\ssqQkIBt.dll/C:\WINDOWS\system32\ssqQkIBt.dll Infected: Trojan.Win32.Monderb.wji 3
C:\WINDOWS\System32\eoguee.dll/C:\WINDOWS\System32\eoguee.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.esn 6

-------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.19.47, on 09/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\PHD\3G HSDPA Wireless Modem MD-@\WirelessCard.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonicfoundry.com/productinfo.asp?Place=Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213678039757
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223657055209
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9DE2346-A94D-46CD-A88A-5D4D4EB45C27}: NameServer = 62.13.171.4 62.13.171.5
O20 - AppInit_DLLs: eoguee.dll
O22 - SharedTaskScheduler: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - (no file)
O22 - SharedTaskScheduler: (no name) - {F0C8173F-BC0E-4a06-ABA9-DB5A3E1FDA89} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6891 bytes

Blade81
2008-11-10, 00:03
Hi caramello :)

Navigate into C:\Programmi\Trend Micro\HijackThis folder and rename HijackThis.exe file -> something.exe. Post a fresh hjt log after renaming is done.

caramello
2008-11-10, 14:00
Dear Blade81,

First of all thank you for your help: I appreciate very much your assistance:).
The second one is... sorry for my bad english:oops:!

I want to tell you that yesterday afternoon I installed and run MalawareBytes: it founds and removes a lot of threats (more than 30), but when after I tried to re-scan the PC with Spybot, only one "Virtumondo" trojan (not 2 as before) have been found.

Following the fresh new log as requested.
Thank you one more time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.45.19, on 10/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\PHD\3G HSDPA Wireless Modem MD-@\WirelessCard.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonicfoundry.com/productinfo.asp?Place=Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11FB183B-27C0-492B-BDD4-B37C3ECCA5E7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {714cf192-f0d2-4218-8782-fc4c8e9c0829} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DD153FDB-E2FB-40D2-8E36-F21C36B51DAD} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213678039757
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223657055209
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9DE2346-A94D-46CD-A88A-5D4D4EB45C27}: NameServer = 62.13.171.4 62.13.171.5
O20 - AppInit_DLLs: nwdclh.dll
O20 - Winlogon Notify: ssqQkIBt - C:\WINDOWS\
O22 - SharedTaskScheduler: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - (no file)
O22 - SharedTaskScheduler: (no name) - {F0C8173F-BC0E-4a06-ABA9-DB5A3E1FDA89} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7792 bytes

caramello
2008-11-10, 14:48
Dear Blade81,

I tried few minutes ago one more scan using Spybot: no threats have been found:):):)!
The computer speed increase up to 50%.
No strange 'dialer' windows appear on the screen as before.
Do you think am I really clean now?

Thank you, for your assistance.
Ciao.

Blade81
2008-11-10, 17:31
Hi

According to hjt log there's still some stuff left that's not necessarily detected by Spybot.

Do you happen to have Malwarebytes' Anti-Malware report available? If you do, post it please.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer

Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

caramello
2008-11-10, 20:20
Following the two logs:

ComboFix 08-11-09.04 - admin 2008-11-10 19.05.32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.432 [GMT 1:00]
Eseguito da: c:\documents and settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Creati Da 2008-10-10 al 2008-11-10 )))))))))))))))))))))))))))))))))))
.

2008-11-09 17:08 . 2008-11-09 17:08 <DIR> d-------- c:\documents and settings\admin\Dati applicazioni\Malwarebytes
2008-11-09 17:07 . 2008-11-09 17:08 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-11-09 17:07 . 2008-11-09 17:07 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-11-09 17:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 17:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 17:36 . 2008-11-08 17:36 <DIR> d-------- c:\programmi\Trend Micro
2008-11-08 11:37 . 2008-11-08 11:37 94 --a------ c:\windows\wininit.ini
2008-11-08 10:45 . 2008-11-08 12:36 <DIR> d-------- c:\programmi\Spybot - Search & Destroy
2008-11-08 10:45 . 2008-11-10 18:56 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-27 18:36 . 2008-10-27 18:36 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-27 18:36 . 2008-10-27 18:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-24 16:58 . 2008-10-24 16:58 <DIR> d-------- c:\programmi\ESET
2008-10-24 16:58 . 2008-10-24 16:58 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\ESET
2008-10-24 16:47 . 2008-10-24 16:47 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Avg8
2008-10-24 16:29 . 2008-10-15 17:36 337,408 --a------ c:\windows\system32\dllcache\netapi32.dll
2008-10-24 16:21 . 2008-08-14 14:22 2,192,896 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,148,864 --a------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,069,760 --a------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,027,520 --a------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-24 16:21 . 2008-09-08 11:41 333,824 --a------ c:\windows\system32\dllcache\srv.sys
2008-10-24 16:20 . 2008-09-15 16:24 1,846,400 --a------ c:\windows\system32\dllcache\win32k.sys
2008-10-10 19:19 . 2008-10-10 19:19 <DIR> d-------- c:\documents and settings\admin\Dati applicazioni\Windows Search
2008-10-10 18:58 . 2008-10-24 16:41 <DIR> d-------- c:\programmi\Microsoft Silverlight
2008-10-10 18:55 . 2008-10-10 18:55 <DIR> d-------- c:\documents and settings\admin\Dati applicazioni\Windows Desktop Search
2008-10-10 18:54 . 2008-10-10 18:54 <DIR> d-------- c:\windows\system32\GroupPolicy
2008-10-10 18:54 . 2008-10-10 18:54 <DIR> d-------- c:\programmi\Windows Desktop Search
2008-10-10 18:53 . 2008-10-10 18:53 <DIR> d-------- c:\programmi\MSXML 4.0
2008-10-10 18:53 . 2008-03-07 18:02 192,000 --a------ c:\windows\system32\dllcache\offfilt.dll
2008-10-10 18:53 . 2008-03-07 18:02 98,304 --a------ c:\windows\system32\dllcache\nlhtml.dll
2008-10-10 18:53 . 2008-03-07 18:02 29,696 --a------ c:\windows\system32\dllcache\mimefilt.dll
2008-10-10 18:40 . 2008-10-10 18:40 <DIR> d-------- c:\programmi\Windows Media Connect 2
2008-10-10 18:37 . 2008-10-10 18:37 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-10 18:37 . 2008-10-10 18:38 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-10 18:32 . 2008-10-10 18:32 <DIR> d-------- c:\windows\system32\URTTEMP
2008-10-10 18:21 . 2008-05-01 15:34 331,776 --a------ c:\windows\system32\dllcache\msadce.dll
2008-10-10 18:18 . 2008-04-11 20:04 691,712 --a------ c:\windows\system32\dllcache\inetcomm.dll
2008-10-10 18:14 . 2008-06-14 18:32 272,768 --a------ c:\windows\system32\dllcache\bthport.sys
2008-10-10 18:12 . 2008-05-08 15:02 203,136 --a------ c:\windows\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 17:36 --------- d-----w c:\programmi\Java
2008-10-19 19:08 --------- d-----w c:\documents and settings\admin\Dati applicazioni\Roxio
2008-10-06 16:20 --------- d-----w c:\programmi\iTunes
2008-10-06 16:20 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 16:19 --------- d-----w c:\programmi\iPod
2008-10-03 18:44 761,856 ----a-w c:\windows\system32\CDDBUIRoxio.dll
2008-10-03 18:44 589,824 ----a-w c:\windows\system32\CDDBControlRoxio.dll
2008-10-03 18:44 --------- d-----w c:\programmi\File comuni\Roxio Shared
2008-10-03 18:43 66,992 ----a-w c:\windows\system32\drivers\cdr4_xp.sys
2008-10-03 18:43 61,440 ----a-w c:\windows\system32\cdrtc.dll
2008-10-03 18:43 45,056 ----a-w c:\windows\system32\cdral.dll
2008-10-03 18:43 24,698 ----a-w c:\windows\system32\drivers\cdralw2k.sys
2008-10-03 16:58 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 11:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-29 16:11 --------- d-----w c:\programmi\Bonjour
2008-09-29 16:10 --------- d-----w c:\programmi\QuickTime
2008-09-29 16:08 --------- d-----w c:\programmi\File comuni\Apple
2008-09-29 16:05 --------- d-----w c:\programmi\Apple Software Update
2008-09-15 15:24 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-05 21:30 952,360 ----a-w c:\windows\system32\dllcache\WgaTray.exe
2008-09-05 21:30 267,304 ----a-w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 20:16 1,900,544 ----a-w c:\windows\system32\usbaaplrc.dll
2008-09-03 16:34 304,160 ----a-w C:\PA207.DAT
2008-08-29 08:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 07:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-27 08:57 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:39 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 05:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 13:22 2,192,896 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:22 2,069,760 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 10:04 138,496 ----a-w c:\windows\system32\dllcache\afd.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-10_18.44.11,81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-10 18:01:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_744.dat
+ 2008-11-10 18:02:36 16,384 ----atw c:\windows\Temp\usgthrsvc\Perflib_Perfdata_7d4.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"LWBMOUSE"="c:\programmi\Trust\250S Series\lwbwheel.exe" [2001-04-20 429568]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVD.exe" [2004-03-21 186880]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 1410304]
"CARPService"="carpserv.exe" [2003-04-15 c:\windows\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQkIBt]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nwdclh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= rddv1009.dll
"midi2"= rddv1009.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD05"=c:\programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" -atboottime
"Cpqset"=c:\programmi\HPQ\Default Settings\cpqset.exe
"ATIPTA"=c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Display Settings"=c:\programmi\HPQ\Notebook Utilities\hptasks.exe /s
"HP Software Update"="c:\programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
"RoxioEngineUtility"="c:\programmi\File comuni\Roxio Shared\System\EngUtil.exe"
"AppleSyncNotifier"=c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe"
"Gene USB Monitor"=c:\windows\system32\UMonit2K.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\iPhone Tunnel Suite\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\BeatPack\\BeatPack.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule_TCP_Port
"4672:UDP"= 4672:UDP:eMule_UDP_Port
"17496:TCP"= 17496:TCP:utorrent
"17496:UDP"= 17496:UDP:utorrent_udp

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-10-25 30728]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\DRIVERS\aliirda.sys [2003-07-10 26112]
R3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys [2006-12-20 94848]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-02-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-02-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\DP83815.SYS [2003-07-17 28280]
R4 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [2001-03-29 279209]
S3 dcpusb;USB serial driver for Philips Fisio GPRS;c:\windows\system32\DRIVERS\dcpusb.sys [2003-04-07 62789]
S3 PAC207;PC Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2007-05-29 508160]
S3 RD1009;Roland UM-1 USB Driver;c:\windows\system32\Drivers\rdwm1009.sys [2000-11-27 42860]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-05-03 354560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b0507b1-0e37-11dd-8d49-000f2022e585}]
\Shell\AutoRun\command - G:\setup.exe
.
Contenuto della cartella 'Scheduled Tasks'

2008-11-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\programmi\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2004-04-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\programmi\Symantec\LiveUpdate\NDETECT.EXE [2002-08-22 09:27]

2008-11-10 c:\windows\Tasks\Verifica e correzione automatica.job
- c:\programmi\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-21 11:05]
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{11FB183B-27C0-492B-BDD4-B37C3ECCA5E7} - (no file)
BHO-{714cf192-f0d2-4218-8782-fc4c8e9c0829} - (no file)


.
------- Supplementare di scansione -------
.
FireFox -: Profile - c:\documents and settings\admin\Dati applicazioni\Mozilla\Firefox\Profiles\8ntnlxaz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.it
FF -: plugin - c:\programmi\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF -: plugin - c:\programmi\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\programmi\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\programmi\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\programmi\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\programmi\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\programmi\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************
.
Ora fine scansione: 2008-11-10 19.09.07
ComboFix-quarantined-files.txt 2008-11-10 18:09:03
ComboFix2.txt 2008-11-10 17:58:49
ComboFix3.txt 2008-11-10 17:44:37

Pre-Run: 23.338.160.128 byte disponibili
Post-Run: 23,324,532,736 byte disponibili

211


--------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.19.28, on 10/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\PHD\3G HSDPA Wireless Modem MD-@\WirelessCard.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonicfoundry.com/productinfo.asp?Place=Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11FB183B-27C0-492B-BDD4-B37C3ECCA5E7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {714cf192-f0d2-4218-8782-fc4c8e9c0829} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DD153FDB-E2FB-40D2-8E36-F21C36B51DAD} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213678039757
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223657055209
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9DE2346-A94D-46CD-A88A-5D4D4EB45C27}: NameServer = 62.13.171.4 62.13.171.5
O20 - AppInit_DLLs: nwdclh.dll
O20 - Winlogon Notify: ssqQkIBt - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7321 bytes

Blade81
2008-11-11, 13:50
Hi

Please disable TeaTimer and run resetTeaTimer batch file as instructed or we won't get any further here. TeaTimer prevents fixes from fully working.


After that make sure your antivirus program is disabled and run ComboFix again. Post back its report & a fresh hjt log.

caramello
2008-11-11, 18:04
Dear Blade81,

sorry for the my wrongly procedure, but I have a problem: if I click your link to download reset tea timer.bat, it appear immediatily the following screen (no files to download, only text...). What can I have to do?

Thanks for your patience!



@echo off
:: Edited 9:48 AM 9/21/2007
:: s!ri thanks for sharing your script
:: Please do not mirror this batch
if [%OS%]==[Windows_NT] set path=%windir%;%SystemRoot%\system32

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
Echo.
Echo SpyBot and Tea Timer must be closed!! & pause
Echo.
CScript /?>nul 2>&1 && echo/Check OK>log1.txt || echo/Windows Script Host access is disabled on this machine. >log2.txt
if exist log1.txt goto continue

echo Post this in the forum please.>>log2.txt & start notepad log2.txt & exit

:continue
if exist log1.txt del log1.txt

echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath ^& "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath ^& "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


(@echo off
del /q %CommonAppData%\spybot~1\Snapshots\*.*
del /q %CommonAppData%\spybot~1\Snapshots2\*.*
del /q %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del /q %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del /q %CommonAppData%\spybot~1\logs\resident.log
)>NUL 2>&1
Echo.
Echo Finished & pause & exit

:win
Echo.
Echo SpyBot and Tea Timer must be closed!!
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat




deltree /y %AppData%\spybot~1\snapshots\*.*
deltree /y %AppData%\spybot~1\Snapshots2\*.*
del %AppData%\spybot~1\logs\resident.log
del %AppData%\spybot~1\excludes\ProcBlack.sbe
del %AppData%\spybot~1\excludes\ProcWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyBlack.sbe
del %AppData%\spybot~1\excludes\UpdateDL.sbe
cls
Echo.
Echo Finished
exit



:winme
Echo.
Echo SpyBot and Tea Timer must be closed!!
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


del /y %CommonAppData%\spybot~1\snapshots\*.*
del /y %CommonAppData%\spybot~1\snapshots2\*.*
del %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del %CommonAppData%\spybot~1\logs\resident.log
cls
Echo.
Echo Finished
exit

:last
echo Press any key to exit,..
pause
exit

Blade81
2008-11-11, 19:02
Hi

Right click over the resetTeaTimer.bat link and save to your desktop to get batch file downloaded :)

caramello
2008-11-11, 19:33
Hi Blade81,

Tea Timer disabled and resetted.
I apologize one more time for my fault.


Following the two requested fresh logs:

ComboFix 08-11-09.04 - admin 2008-11-11 18.21.24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.426 [GMT 1:00]
Eseguito da: c:\documents and settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Creati Da 2008-10-11 al 2008-11-11 )))))))))))))))))))))))))))))))))))
.

2008-11-09 17:08 . 2008-11-09 17:08 <DIR> d-------- c:\documents and settings\admin\Dati applicazioni\Malwarebytes
2008-11-09 17:07 . 2008-11-09 17:08 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-11-09 17:07 . 2008-11-09 17:07 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-11-09 17:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 17:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 17:36 . 2008-11-08 17:36 <DIR> d-------- c:\programmi\Trend Micro
2008-11-08 11:37 . 2008-11-08 11:37 94 --a------ c:\windows\wininit.ini
2008-11-08 10:45 . 2008-11-08 12:36 <DIR> d-------- c:\programmi\Spybot - Search & Destroy
2008-11-08 10:45 . 2008-11-10 21:24 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-27 18:36 . 2008-10-27 18:36 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-27 18:36 . 2008-10-27 18:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-24 16:58 . 2008-10-24 16:58 <DIR> d-------- c:\programmi\ESET
2008-10-24 16:58 . 2008-10-24 16:58 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\ESET
2008-10-24 16:47 . 2008-10-24 16:47 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Avg8
2008-10-24 16:29 . 2008-10-15 17:36 337,408 --a------ c:\windows\system32\dllcache\netapi32.dll
2008-10-24 16:21 . 2008-08-14 14:22 2,192,896 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,148,864 --a------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,069,760 --a------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,027,520 --a------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-24 16:21 . 2008-09-08 11:41 333,824 --a------ c:\windows\system32\dllcache\srv.sys
2008-10-24 16:20 . 2008-09-15 16:24 1,846,400 --a------ c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 17:36 --------- d-----w c:\programmi\Java
2008-10-24 15:41 --------- d-----w c:\programmi\Microsoft Silverlight
2008-10-19 19:08 --------- d-----w c:\documents and settings\admin\Dati applicazioni\Roxio
2008-10-10 18:19 --------- d-----w c:\documents and settings\admin\Dati applicazioni\Windows Search
2008-10-10 17:55 --------- d-----w c:\documents and settings\admin\Dati applicazioni\Windows Desktop Search
2008-10-10 17:54 --------- d-----w c:\programmi\Windows Desktop Search
2008-10-10 17:53 --------- d-----w c:\programmi\MSXML 4.0
2008-10-10 17:40 --------- d-----w c:\programmi\Windows Media Connect 2
2008-10-06 16:20 --------- d-----w c:\programmi\iTunes
2008-10-06 16:20 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 16:19 --------- d-----w c:\programmi\iPod
2008-10-03 18:44 761,856 ----a-w c:\windows\system32\CDDBUIRoxio.dll
2008-10-03 18:44 589,824 ----a-w c:\windows\system32\CDDBControlRoxio.dll
2008-10-03 18:44 --------- d-----w c:\programmi\File comuni\Roxio Shared
2008-10-03 18:43 66,992 ----a-w c:\windows\system32\drivers\cdr4_xp.sys
2008-10-03 18:43 61,440 ----a-w c:\windows\system32\cdrtc.dll
2008-10-03 18:43 45,056 ----a-w c:\windows\system32\cdral.dll
2008-10-03 18:43 24,698 ----a-w c:\windows\system32\drivers\cdralw2k.sys
2008-10-03 16:58 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 11:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-29 16:11 --------- d-----w c:\programmi\Bonjour
2008-09-29 16:10 --------- d-----w c:\programmi\QuickTime
2008-09-29 16:08 --------- d-----w c:\programmi\File comuni\Apple
2008-09-29 16:05 --------- d-----w c:\programmi\Apple Software Update
2008-09-15 15:24 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-05 21:30 952,360 ----a-w c:\windows\system32\dllcache\WgaTray.exe
2008-09-05 21:30 267,304 ----a-w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 20:16 1,900,544 ----a-w c:\windows\system32\usbaaplrc.dll
2008-09-03 16:34 304,160 ----a-w C:\PA207.DAT
2008-08-29 08:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 07:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-27 08:57 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:39 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 05:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 13:22 2,192,896 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:22 2,069,760 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 10:04 138,496 ----a-w c:\windows\system32\dllcache\afd.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-10_18.44.11,81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-11 17:18:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_710.dat
+ 2008-11-11 17:18:49 16,384 ----atw c:\windows\Temp\usgthrsvc\Perflib_Perfdata_7cc.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"LWBMOUSE"="c:\programmi\Trust\250S Series\lwbwheel.exe" [2001-04-20 429568]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVD.exe" [2004-03-21 186880]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 1410304]
"CARPService"="carpserv.exe" [2003-04-15 c:\windows\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQkIBt]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nwdclh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= rddv1009.dll
"midi2"= rddv1009.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD05"=c:\programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" -atboottime
"Cpqset"=c:\programmi\HPQ\Default Settings\cpqset.exe
"ATIPTA"=c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Display Settings"=c:\programmi\HPQ\Notebook Utilities\hptasks.exe /s
"HP Software Update"="c:\programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
"RoxioEngineUtility"="c:\programmi\File comuni\Roxio Shared\System\EngUtil.exe"
"AppleSyncNotifier"=c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe"
"Gene USB Monitor"=c:\windows\system32\UMonit2K.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\iPhone Tunnel Suite\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\BeatPack\\BeatPack.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule_TCP_Port
"4672:UDP"= 4672:UDP:eMule_UDP_Port
"17496:TCP"= 17496:TCP:utorrent
"17496:UDP"= 17496:UDP:utorrent_udp

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-10-25 30728]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\DRIVERS\aliirda.sys [2003-07-10 26112]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-02-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-02-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\DP83815.SYS [2003-07-17 28280]
R4 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [2001-03-29 279209]
S3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys [2006-12-20 94848]
S3 dcpusb;USB serial driver for Philips Fisio GPRS;c:\windows\system32\DRIVERS\dcpusb.sys [2003-04-07 62789]
S3 PAC207;PC Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2007-05-29 508160]
S3 RD1009;Roland UM-1 USB Driver;c:\windows\system32\Drivers\rdwm1009.sys [2000-11-27 42860]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-05-03 354560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b0507b1-0e37-11dd-8d49-000f2022e585}]
\Shell\AutoRun\command - G:\setup.exe
.
Contenuto della cartella 'Scheduled Tasks'

2008-11-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\programmi\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2004-04-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\programmi\Symantec\LiveUpdate\NDETECT.EXE [2002-08-22 09:27]

2008-11-11 c:\windows\Tasks\Verifica e correzione automatica.job
- c:\programmi\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-21 11:05]
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{11FB183B-27C0-492B-BDD4-B37C3ECCA5E7} - (no file)
BHO-{714cf192-f0d2-4218-8782-fc4c8e9c0829} - (no file)


.
------- Supplementare di scansione -------
.
FireFox -: Profile - c:\documents and settings\admin\Dati applicazioni\Mozilla\Firefox\Profiles\8ntnlxaz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.it
FF -: plugin - c:\programmi\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF -: plugin - c:\programmi\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\programmi\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\programmi\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\programmi\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\programmi\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\programmi\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************
.
Ora fine scansione: 2008-11-11 18.25.04
ComboFix-quarantined-files.txt 2008-11-11 17:24:59
ComboFix2.txt 2008-11-10 18:09:08
ComboFix3.txt 2008-11-10 17:58:49
ComboFix4.txt 2008-11-10 17:44:37

Pre-Run: 24.106.438.656 byte disponibili
Post-Run: 24,093,741,056 byte disponibili

200



------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.26.46, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programmi\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonicfoundry.com/productinfo.asp?Place=Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213678039757
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223657055209
O20 - AppInit_DLLs: nwdclh.dll
O20 - Winlogon Notify: ssqQkIBt - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6808 bytes

Blade81
2008-11-11, 19:47
No harm done :)


Let's continue cleaning process.


Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Close browsers and fix checked.


Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).


Open notepad and copy/paste the text in the quotebox below into it:



Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQkIBt]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"=-
"4672:UDP"=-
"17496:TCP"=-
"17496:UDP"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

caramello
2008-11-12, 05:01
Hi, all stuff done without problems.

Following the three requested logs:

ComboFix 08-11-09.04 - admin 2008-11-11 19.21.42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.376 [GMT 1:00]
Eseguito da: c:\documents and settings\admin\Desktop\ComboFix.exe
Interruttori di comando utilizzati :: c:\documents and settings\admin\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((( Files Creati Da 2008-10-11 al 2008-11-11 )))))))))))))))))))))))))))))))))))
.

2008-11-11 19:12 . 2008-11-11 19:12 <DIR> d-------- c:\programmi\File comuni\Adobe AIR
2008-11-09 17:08 . 2008-11-09 17:08 <DIR> d-------- c:\documents and settings\admin\Dati applicazioni\Malwarebytes
2008-11-09 17:07 . 2008-11-09 17:08 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-11-09 17:07 . 2008-11-09 17:07 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-11-09 17:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 17:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 17:36 . 2008-11-08 17:36 <DIR> d-------- c:\programmi\Trend Micro
2008-11-08 11:37 . 2008-11-08 11:37 94 --a------ c:\windows\wininit.ini
2008-11-08 10:45 . 2008-11-08 12:36 <DIR> d-------- c:\programmi\Spybot - Search & Destroy
2008-11-08 10:45 . 2008-11-10 21:24 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-27 18:36 . 2008-10-27 18:36 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-27 18:36 . 2008-10-27 18:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-24 16:58 . 2008-10-24 16:58 <DIR> d-------- c:\programmi\ESET
2008-10-24 16:58 . 2008-10-24 16:58 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\ESET
2008-10-24 16:47 . 2008-10-24 16:47 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Avg8
2008-10-24 16:29 . 2008-10-15 17:36 337,408 --a------ c:\windows\system32\dllcache\netapi32.dll
2008-10-24 16:21 . 2008-08-14 14:22 2,192,896 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,148,864 --a------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,069,760 --a------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-24 16:21 . 2008-08-14 14:22 2,027,520 --a------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-24 16:21 . 2008-09-08 11:41 333,824 --a------ c:\windows\system32\dllcache\srv.sys
2008-10-24 16:20 . 2008-09-15 16:24 1,846,400 --a------ c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 18:10 --------- d-----w c:\programmi\File comuni\Adobe
2008-10-27 17:36 --------- d-----w c:\programmi\Java
2008-10-24 15:41 --------- d-----w c:\programmi\Microsoft Silverlight
2008-10-19 19:08 --------- d-----w c:\documents and settings\admin\Dati applicazioni\Roxio
2008-10-10 18:19 --------- d-----w c:\documents and settings\admin\Dati applicazioni\Windows Search
2008-10-10 17:55 --------- d-----w c:\documents and settings\admin\Dati applicazioni\Windows Desktop Search
2008-10-10 17:54 --------- d-----w c:\programmi\Windows Desktop Search
2008-10-10 17:53 --------- d-----w c:\programmi\MSXML 4.0
2008-10-10 17:40 --------- d-----w c:\programmi\Windows Media Connect 2
2008-10-06 16:20 --------- d-----w c:\programmi\iTunes
2008-10-06 16:20 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 16:19 --------- d-----w c:\programmi\iPod
2008-10-03 18:44 761,856 ----a-w c:\windows\system32\CDDBUIRoxio.dll
2008-10-03 18:44 589,824 ----a-w c:\windows\system32\CDDBControlRoxio.dll
2008-10-03 18:44 --------- d-----w c:\programmi\File comuni\Roxio Shared
2008-10-03 18:43 66,992 ----a-w c:\windows\system32\drivers\cdr4_xp.sys
2008-10-03 18:43 61,440 ----a-w c:\windows\system32\cdrtc.dll
2008-10-03 18:43 45,056 ----a-w c:\windows\system32\cdral.dll
2008-10-03 18:43 24,698 ----a-w c:\windows\system32\drivers\cdralw2k.sys
2008-10-03 16:58 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 11:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-29 16:11 --------- d-----w c:\programmi\Bonjour
2008-09-29 16:10 --------- d-----w c:\programmi\QuickTime
2008-09-29 16:08 --------- d-----w c:\programmi\File comuni\Apple
2008-09-29 16:05 --------- d-----w c:\programmi\Apple Software Update
2008-09-15 15:24 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-05 21:30 952,360 ----a-w c:\windows\system32\dllcache\WgaTray.exe
2008-09-05 21:30 267,304 ----a-w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 20:16 1,900,544 ----a-w c:\windows\system32\usbaaplrc.dll
2008-09-03 16:34 304,160 ----a-w C:\PA207.DAT
2008-08-29 08:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 07:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-27 08:57 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:39 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 05:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 13:22 2,192,896 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:22 2,069,760 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 10:04 138,496 ----a-w c:\windows\system32\dllcache\afd.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-10_18.44.11,81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 14:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-11-11 17:18:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_710.dat
+ 2008-11-11 17:18:49 16,384 ----atw c:\windows\Temp\usgthrsvc\Perflib_Perfdata_7cc.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"LWBMOUSE"="c:\programmi\Trust\250S Series\lwbwheel.exe" [2001-04-20 429568]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVD.exe" [2004-03-21 186880]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 1410304]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"CARPService"="carpserv.exe" [2003-04-15 c:\windows\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= rddv1009.dll
"midi2"= rddv1009.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD05"=c:\programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" -atboottime
"Cpqset"=c:\programmi\HPQ\Default Settings\cpqset.exe
"ATIPTA"=c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Display Settings"=c:\programmi\HPQ\Notebook Utilities\hptasks.exe /s
"HP Software Update"="c:\programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
"RoxioEngineUtility"="c:\programmi\File comuni\Roxio Shared\System\EngUtil.exe"
"AppleSyncNotifier"=c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe"
"Gene USB Monitor"=c:\windows\system32\UMonit2K.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\iPhone Tunnel Suite\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\BeatPack\\BeatPack.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-10-25 30728]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\DRIVERS\aliirda.sys [2003-07-10 26112]
R3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys [2006-12-20 94848]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-02-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-02-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\DP83815.SYS [2003-07-17 28280]
R4 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [2001-03-29 279209]
S3 dcpusb;USB serial driver for Philips Fisio GPRS;c:\windows\system32\DRIVERS\dcpusb.sys [2003-04-07 62789]
S3 PAC207;PC Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2007-05-29 508160]
S3 RD1009;Roland UM-1 USB Driver;c:\windows\system32\Drivers\rdwm1009.sys [2000-11-27 42860]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-05-03 354560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b0507b1-0e37-11dd-8d49-000f2022e585}]
\Shell\AutoRun\command - G:\setup.exe

*Newly Created Service* - CATCHME
.
Contenuto della cartella 'Scheduled Tasks'

2008-11-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\programmi\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2004-04-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\programmi\Symantec\LiveUpdate\NDETECT.EXE [2002-08-22 09:27]

2008-11-11 c:\windows\Tasks\Verifica e correzione automatica.job
- c:\programmi\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-21 11:05]
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************
.
Ora fine scansione: 2008-11-11 19.24.35
ComboFix-quarantined-files.txt 2008-11-11 18:24:31
ComboFix2.txt 2008-11-11 17:25:05
ComboFix3.txt 2008-11-10 18:09:08
ComboFix4.txt 2008-11-10 17:58:49
ComboFix5.txt 2008-11-11 18:21:08

Pre-Run: 23.793.131.520 byte disponibili
Post-Run: 23,779,508,224 byte disponibili

182


--------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 11, 2008 16:34:40
Records in database: 1380075
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\

Scan statistics:
Files scanned: 80940
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 04:23:52


File name / Threat name / Threats count
F:\PROGRAMMI\Cute Ftp professional.rar Infected: Trojan-Downloader.Win32.Zlob.abki 1
F:\PROGRAMMI\RockXP4.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 2
F:\PROGRAMMI\RockXP4.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 1

The selected area was scanned.


----------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3.55.34, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Programmi\PHD\3G HSDPA Wireless Modem MD-@\WirelessCard.exe
C:\Programmi\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonicfoundry.com/productinfo.asp?Place=Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213678039757
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223657055209
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9DE2346-A94D-46CD-A88A-5D4D4EB45C27}: NameServer = 62.13.171.4 62.13.171.5
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6870 bytes

Blade81
2008-11-12, 08:09
Hi :)

Delete following files if found:
F:\PROGRAMMI\Cute Ftp professional.rar
F:\PROGRAMMI\RockXP4.exe

Post a fresh hjt log. How's the system running?

caramello
2008-11-12, 13:55
Dear Blade81,

the 2 files have been found an deleted.
I ran also ATF Cleaner after deletion.

My PC is now more faster than when I bought it!
Everything run very well, absolutely no problem at the moment!

One question: unfortunatly I ran the rockXP4 on my wife pc after one recently formatting (because of saving XP activation back up file ). Do you think I have to also check it?

Thanks!

Following the fresh HJT log (of my computer):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.52.52, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmi\PHD\3G HSDPA Wireless Modem MD-@\WirelessCard.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonicfoundry.com/productinfo.asp?Place=Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213678039757
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223657055209
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9DE2346-A94D-46CD-A88A-5D4D4EB45C27}: NameServer = 62.13.171.4 62.13.171.5
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6947 bytes

Blade81
2008-11-12, 14:26
One question: unfortunatly I ran the rockXP4 on my wife pc after one recently formatting (because of saving XP activation back up file ). Do you think I have to also check it?
Hi

No need to check since that program is only tool (not-a-virus as Kaspersky report stated). I asked you to remove it earlier cos didn't know if it was placed there by yourself.


Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one if you don't have a 3rd party firewall.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

caramello
2008-11-12, 21:54
Dear Blade81,

I'm very happy to read this:yahoo:!
I appreciate very much your help, you are a really great expert:bigthumb:!

Currently the system run very well, the speed increase more than 75%, I think.

I'm asking you last questions, because I know you are so kind...:bow:

I bought today with 2 of my friends, Kaspersky Internet Security 2009 (with 3 licence) that contain bi-direction firewall: currently on my PC are installed the following "security" software
-NOD32 obviously to uninstall before Kaspersky installation
-Malawarebytes
-Spybot with TeaTimer that currently run together with NOD32
-Hijackthis

The question is: in your oppinion, using this last Kaspersky, what are the third party free software to install and run simultaneously with it?
Do you think also is better to remove the other software currenly installed?

THANK YOU ONE MORE TIME FOR :cleaning:!!!

Blade81
2008-11-13, 08:14
You're welcome :)


I bought today with 2 of my friends, Kaspersky Internet Security 2009 (with 3 licence) that contain bi-direction firewall: currently on my PC are installed the following "security" software
-NOD32 obviously to uninstall before Kaspersky installation
-Malawarebytes
-Spybot with TeaTimer that currently run together with NOD32
-Hijackthis

The question is: in your oppinion, using this last Kaspersky, what are the third party free software to install and run simultaneously with it?
Do you think also is better to remove the other software currenly installed?
Of those I'd leave Malwarebytes' Anti-Malware and Spybot to run together with KIS 2009. You won't need Hijackthis in normal circumstances.

caramello
2008-11-13, 09:37
Dear Blade81,

Thank you for your answers and for all the stuff done with me.

Ciao!

Blade81
2008-11-13, 12:12
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.