
Thread: Help, slow scanning! + Hijackthis log

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    1

    Help, slow scanning! + Hijackthis log

    ---> Hijack This log...

    Logfile of HijackThis v1.99.1
    Scan saved at 3.00.10, on 23/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Executive Software\Diskeeper\DkService.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
    C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
    C:\WINDOWS\System32\alg.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\eMule\emule.exe
    C:\Programmi\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Programmi\SpywareGuard\sgmain.exe
    C:\Programmi\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Programmi\BitTorrent\bittorrent.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Hijackthis 199\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = UNiVERSE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmi\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [LWBMOUSE] C:\PROGRA~2\SCROLL~1\2.2\ARTMOUSE.EXE
    O4 - HKCU\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
    O4 - HKCU\..\Run: [PCTVRemote] C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKCU\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    O4 - HKCU\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli" runtime
    O4 - HKCU\..\Run: [CnxDslTaskBar] C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
    O4 - HKCU\..\Run: [DiskeeperSystray] "C:\Programmi\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKCU\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKCU\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKCU\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programmi\NVIDIA Corporation\nTune\nTune.exe" clear
    O4 - HKCU\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Startup: Pinnacle Scheduler.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
    O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi UNiVERSE
    Do you know at which site the problem started?

    Download and run Blacklight
    F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
    click > scan then > next, next again then exit
    There will be a new txt near Blacklight. Post it please.

  3. #3
    Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959


    UNiVERSE.
    Please do not start new topics in the malware removal forum; please respond to this one.

    Thank you.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    I had to divide the post in 2 posts, because there were too many characters. Hijack This log is way too long...

    I installed F-Secure Internet Security and uninstalled it immediately, because it lets Windows crash after the restart, without even loading the icons in the systray; it just crashed everything after every restart, until I selected Windows XP safe mode and removed the application. Then everything went like before, except Ad-Aware... I have to reinstall it because F-Secure Internet Security uninstalled it before proceeding with the installation. Did I do anything wrong? How can I install this software without having all this trouble?

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    I didn't suggest installing "F-Secure Internet Security"

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    Oops! Sorry... I thought it was part of the F-Secure Internet Security!
    I'm going to install it... and will let you know soon, thank you. :o

  7. #7
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    Here's the log... those files look very suspicious -____- I can't be sure if they're associated with applications I use

    11/25/05 12:59:55 [Info]: BlackLight Engine 1.0.25 initialized
    11/25/05 12:59:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    11/25/05 12:59:55 [Note]: 4019 4
    11/25/05 12:59:55 [Note]: 4005 0
    11/25/05 12:59:57 [Note]: 4006 0
    11/25/05 12:59:57 [Note]: 4011 1748
    11/25/05 12:59:57 [Note]: FSRAW library version 1.7.1013
    11/25/05 13:00:52 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
    11/25/05 13:00:52 [Note]: 10002 1
    11/25/05 13:01:10 [Info]: Hidden file: C:\WINDOWS\system32\favset.exe
    11/25/05 13:01:10 [Note]: 10002 1
    11/25/05 13:01:14 [Info]: Hidden file: C:\WINDOWS\system32\howiper.exe
    11/25/05 13:01:14 [Note]: 10002 1
    11/25/05 13:01:15 [Info]: Hidden file: C:\WINDOWS\system32\csnhw.exe
    11/25/05 13:01:15 [Note]: 4002 32
    11/25/05 13:01:15 [Note]: 4003 1
    11/25/05 13:01:15 [Note]: 10002 1
    11/25/05 13:01:19 [Info]: Hidden file: C:\WINDOWS\system32\dmbbb.exe
    11/25/05 13:01:19 [Note]: 4002 32
    11/25/05 13:01:19 [Note]: 4003 1
    11/25/05 13:01:19 [Note]: 10002 1
    11/25/05 13:01:19 [Info]: Hidden file: C:\WINDOWS\system32\sphlp32.exe
    11/25/05 13:01:19 [Note]: 10002 1
    11/25/05 13:01:20 [Info]: Hidden file: C:\WINDOWS\system32\pppcgm.exe
    11/25/05 13:01:20 [Note]: 10002 1
    11/25/05 13:04:47 [Note]: 4007 0

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Run Blacklight again and have it rename all those files except for

    C:\WINDOWS\system32\wbem\wbemtest.exe
    Let Blacklight restart the PC

    There will be more to do, let us know when you're ready for the next steps

  9. #9
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    Ok, I renamed all files, but... when I restarted and ran Lavasoft Ad-Watch, it found a registry change, precisely in HKEY_LOCAL_MACHINE, Run key; new data was "C:\WINDOWS\system32\dmbbb.exe". I blocked it. The file dmbbb.exe is not present in the C:\WINDOWS\system32 folder; the only file I found with similar criteria is the renamed one (dmbbb.exe.ren) from Blacklight. What do I do now? Thanks for your help!

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Turn off both TeaTimer and Ad-Watch for now please, from inside each program's options page, not just using the tray icon controls (clock area)

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68

    there will be one maybe two items that look like:
    O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System\dmcup.exe
    O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
    dmcup and pcbac.exe are randomly named files and are usually not visible; they need to be fixed, BUT if you have any doubt don't fix anything.
    Click Fix Checked. Close HijackThis, and click OK to proceed.
    Finally, please post the contents of report.txt (it should open), along with a new HijackThis log.
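    The two things the helper asks the poster to look for above (an O17 NameServer entry pointing at unexpected resolvers, and O4 Run entries that launch a bare or randomly named executable) can be picked out of a HijackThis log mechanically. The following is an added example, not code from this thread or from HijackThis; the flagging heuristics are assumptions of the example, and the sample lines are quoted from this thread plus one benign O4 line for contrast.

```python
import re
from ipaddress import ip_address

# Constructed sample: HijackThis lines quoted from this thread (post #1 and post #10),
# plus one benign O4 line (the QuickTime task) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System\dmcup.exe
O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68
"""

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<ips>[\d. ,]+)$')


def executable_of(cmd):
    """Return (bare file name, whether a directory was given) for an O4 command."""
    cmd = cmd.strip()
    first = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(' ')[0]
    return first.rsplit('\\', 1)[-1], '\\' in first


def review_o4(line):
    """Assumed heuristic (not HijackThis's own logic): flag Run entries that launch a
    bare file name with no directory, or whose entry name is just the executable name,
    which is the shape of the randomly named entries described in post #10."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe, has_path = executable_of(m['cmd'])
    suspicious = (not has_path) or (m['name'].lower() == exe.lower())
    return {'name': m['name'], 'exe': exe, 'suspicious': suspicious}


def review_o17(line, allowed=()):
    """Flag every public nameserver not on the operator-supplied allow-list (e.g. the
    ISP's or router's DNS); private and loopback addresses are left alone."""
    m = O17_RE.match(line)
    if not m:
        return None
    ips = [ip_address(t) for t in re.split(r'[ ,]+', m['ips'].strip()) if t]
    bad = [str(ip) for ip in ips if not ip.is_private and str(ip) not in allowed]
    return {'nameservers': [str(ip) for ip in ips], 'suspicious': bad}


def review_log(text, allowed_dns=()):
    """Walk a HijackThis log and return (section, details) for entries worth a look."""
    findings = []
    for line in text.strip().splitlines():
        r = review_o4(line) or review_o17(line, allowed_dns)
        if r and r['suspicious']:
            findings.append((line.split(' - ', 1)[0], r))
    return findings


if __name__ == '__main__':
    for section, info in review_log(SAMPLE_LOG):
        print(section, info)
```

Pass the resolvers the ISP actually assigned as `allowed_dns` so a legitimate static DNS setting is not reported; anything else the script prints is a candidate for the reviewer, not an automatic fix.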
