Problem with a worm

gnorro · Dec 13, 2007

Hi
I have some problems with my notebook. it's very very slow since I downloaded and run a crack for a software.
Often when I close a window, everything disapper and reapper after about one minute
My antivirus is not loaded at system startupe, I have to reinstall it every time I boot my machine.
I noticed that I have a strange process in task manager that belongs to a file in c:\windows\temp. If I kill the process the file disappears, but the problems remains. If i delete the file the next time I boot it appears again with a different name.
I don't know if I have some worms. can you help me please?

thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.26.07, on 13/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\FireTrust\MailWasher Pro\MailWasher.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\TeaTimer.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\lucamarantelli\Desktop\Windows Live Installer.exe
C:\Programmi\Windows Live\installer\Dashboard.exe
C:\Programmi\Windows Live\installer\WLSetupSvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [bc360619] rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: Domain = mi.draeger.mt.it; corp.draeger.global
O17 - HKLM\System\CCS\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: NameServer = 10.109.0.149,160.70.15.89
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS1\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: Domain = mi.draeger.mt.it; corp.draeger.global
O17 - HKLM\System\CS1\Services\Tcpip\..\{2375B5C0-6D2B-4EDC-861F-BB82F2D4C4F1}: NameServer = 10.109.0.149,160.70.15.89
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9716 bytes

ken545 · Dec 13, 2007

Hello gnorro
Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

It looks like you posted here
http://forums.whatthetech.com/notebook_very_slow_maybe_a_worm_t85855.html

Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't.

We do not support the use of illegal Pirated/Warez/Cracked software.

Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and in the case of your operating system, to obtain a valid licensed copy.

If you want to remove the cracked software, then run Kaspersky free online scanner and post the log along with a new HJT log please

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from Kaspersky Online Virus Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Post the log along with a New HJT Log into your next reply.

gnorro · Dec 14, 2007

sorry ken ant thanks for your reply

this is kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 14, 2007 2:12:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/12/2007
Kaspersky Anti-Virus database records: 451597
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79064
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 03:22:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\lucamarantelli\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\tmpLog.txt Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\Training\Training archive - junk.rot135 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\Training\Training archive - legitimate.rot135 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\MailWasherPro\Trash.rot135 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\cert8.db Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\flashgot.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\formhistory.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\history.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\key3.db Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\parent.lock Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\search.sqlite Object is locked skipped
C:\Documents and Settings\lucamarantelli\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Cronologia\History.IE5\MSHist012007121420071215\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\dfsr.db Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\fsr.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\fsrtmp.log Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\rhcpitalia@msn.com\SharingMetadata\Working\database_20BC_3636_BC36_6B6\tmp.edb Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\outlook.ost Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\rhcpitalia@msn.com\real\members.stg Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\rhcpitalia@msn.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\hkktat00.Gnorro\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\ExchangePerflog_8484fa3197ed59cfcfcccd43.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\~DF65FB.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\~DF662A.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temp\~DFAF7A.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temporary Internet Files\Content.IE5\ELKZA965\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lucamarantelli\Impostazioni locali\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\lucamarantelli\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lucamarantelli\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.logaccount_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.loginitial_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.logLuuidDB Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\default-000000.logptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.logaccount_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.loginitial_ptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.logLuuidDB Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\log\SR_Service-000252.logptr Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\sr_gui_tde.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\sr_service_tde.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\sr_watchdog_tde.log Object is locked skipped
C:\Programmi\CheckPoint\SecuRemote\tmp\CKP_shmem_vpnstat_vpnd_shmem Object is locked skipped
C:\Programmi\Stonesoft\StoneGate VPN Client\process.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{95624057-4A02-49E5-B0B3-F358310412F5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ckpNotify.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\W3SVC1\ex071214.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_9bc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

gnorro · Dec 14, 2007

and this is hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.15.02, on 14/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\TeaTimer.exe
C:\Programmi\FireTrust\MailWasher Pro\MailWasher.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmi\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [bc360619] rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9382 bytes

thanks

ken545 · Dec 14, 2007

gnorro,

You may have a deeper issue then what we are going to fix, lets see what we can accomplish and go from there.

You need to disable the Tea Timer in Spybot Search and Destroy or it may prevent the fixes from taking.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer for it to take effect.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O4 - HKLM\..\Run: [bc360619] rundll32.exe "C:\WINDOWS\system32\jcgxtsyg.dll",b

Please download SuperAntiSpyware
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:

Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log

It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

The thieves that have written Vundo have written it to go undected by Hijackthis so we need to rename it to something else so those entries will show up on your log.

This is important , do this and post a new Hijackthis log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass ) and rename it to Scanner.exe

Let me see the SAS log, the Combofix log and a new HJT log renamed please

gnorro · Dec 14, 2007

SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/14/2007 at 06:58 PM

Application Version : 3.9.1008

Core Rules Database Version : 3361
Trace Rules Database Version: 1360

Scan type : Complete Scan
Total Scan Time : 02:07:31

Memory items scanned : 460
Memory threats detected : 3
Registry items scanned : 7338
Registry threats detected : 18
File items scanned : 36060
File threats detected : 16

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\EFCBAXX.DLL
C:\WINDOWS\SYSTEM32\EFCBAXX.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\efcbaxx

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\AWTSP.DLL
C:\WINDOWS\SYSTEM32\AWTSP.DLL
HKLM\Software\Classes\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}
HKCR\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}
HKCR\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}\InprocServer32
HKCR\CLSID\{2B9589C7-8410-4C5C-9194-A4559030DAE1}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B9589C7-8410-4C5C-9194-A4559030DAE1}

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\ANHNDPIK.DLL
C:\WINDOWS\SYSTEM32\ANHNDPIK.DLL

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{7c3f76ed-88a0-4c99-9663-a4140c39f7fd}
HKCR\CLSID\{7C3F76ED-88A0-4C99-9663-A4140C39F7FD}
HKCR\CLSID\{7C3F76ED-88A0-4C99-9663-A4140C39F7FD}\InprocServer32
HKCR\CLSID\{7C3F76ED-88A0-4C99-9663-A4140C39F7FD}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c3f76ed-88a0-4c99-9663-a4140c39f7fd}
C:\WINDOWS\SYSTEM32\JCGXTSYG.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}\InprocServer32
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}

Adware.Tracking Cookie
C:\Documents and Settings\administrator\Cookies\administrator@ad.watersoul[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@realmedia[2].txt
C:\Documents and Settings\administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@statse.webtrendslive[1].txt
C:\Documents and Settings\administrator\Cookies\administrator@yadro[1].txt
C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator.MARANTELLI-XPNE\Cookies\administrator@msnportal.112.2o7[1].txt

gnorro · Dec 14, 2007

Combofix doesn't create a log, because it seems to be blcocked when it tryes to remove files and dirs at the end. after about 1 hour I stopped it

this is HiJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\IBEA69.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4470843F-FC5D-4AB4-AB07-1C5739A68D78} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57F521B7-248A-4981-973C-8C7819EB0CCD} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9963 bytes

ken545 · Dec 14, 2007

First do this.

Download haxfix.exe
and save it to your desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)

gnorro · Dec 14, 2007

HAXFIX logfile - by Marckie

version 4.61
2007-12-15 22:27:36.48

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
CmBatt
tmcomm

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found

--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

--- Catchme logfile - thank you Gmer ---

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 22:27:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x20229~\2]
"0140110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL"

scanning hidden files ...

C:\serv.txt 16 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

--- Analysing Catchme logfile ---

no matching regkeys found

Finished!

ken545 · Dec 14, 2007

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:

Files to Delete:
C:\WINDOWS\system32\awtsp.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Remove this with HJT.
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe

Delete Combofix and download and install a fresh copy.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

If it still hangs then try running it in Safemode.
To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode

Post the Avenger log, the combofix log and a new HJT log

gnorro · Dec 15, 2007

Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xpkcqsxg

*******************

Script file located at: \??\C:\ekbhifuv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\awtsp.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Combofix now delete files and dire and then reboot my pc but no log is shown. is it created in some dir?

this is HJ log. every time I reboot the dll in system32 appears again. I have always a file that changes its name in task manager. it's located in windows\temp

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29, on 2007-12-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\HP9E5.EXE
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\ctfmon.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {52136192-47CF-433C-B270-2ADF2E0730D1} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9737 bytes

ken545 · Dec 15, 2007

Open up Task Manager by pressing Ctrl. Alt. Del and under the Process Tab look for
C:\WINDOWS\system32\awtsp.exe , select it and click on End Process

Please download OTMoveIt by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\awtsp.exe

Click to expand...
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Run Combofix again please , I need to see the report along with the OtMoveIt log and a New HJT log

gnorro · Dec 15, 2007

that file appears (awtsp.exe and also the othe file inside temp dir) again every time I boot. i also unchecked it in msconfig. Combofix generate no log. it always reboot my pc but then nothing happens

gnorro · Dec 15, 2007

C:\WINDOWS\system32\awtsp.exe moved successfully.

Created on 12-16-2007 13:16:40

Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:17, on 2007-12-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\ICFC8F.EXE
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {76B3746B-E39E-4153-AAB9-786D701BC88A} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 10042 bytes

ken545 · Dec 16, 2007

Sorry for the late reply but I was called away and was not online most of the day.

Download Pocket Killbox to your desktop.

Highlight the file with the complete path inside the Quote Box and press Ctrl C on your keyboard.

C:\WINDOWS\system32\awtsp.exe

Open Pocket Killbox
Go to File > Paste from clipboard
Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
Make sure Single File is selected
Click on the Red circle with the white X
It will ask you to confirm the deletion...Say yes
It will ask you to reboot, say yes

If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.

Post a new HJT log and lets see if this got it

gnorro · Dec 16, 2007

no problem ken...you are giving me a great help

this is hj log. the file was not deleted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\EL396A.EXE
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe
C:\Programmi\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: (no name) - {061DA521-C797-4E3A-9EF4-66214C50DF35} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 9988 bytes

ken545 · Dec 16, 2007

Good Morning,

Its still there :red:

that file appears (awtsp.exe and also the othe file inside temp dir)

Are you saying there is another awtsp.exe in a temp folder??

gnorro · Dec 16, 2007

in that dir there is a file that renames every time I start the pc. not its name is: rkc0c9.exe
if I kill the process the fiule disappears, but it compair again at the next reboot. I used also VundoFix of symantec but it finds nothing. I used also Prevx CSI that find I am infected but then it asks me a license to clean my system

ken545 · Dec 16, 2007

This file appears to be related to Vundo somehow.

Please download ATF Cleaner by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

Download VundoFix to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

C:\ComboFix.txt <--You can find it on your C:\drive

Post both the Vundofix and Combofix logs please

gnorro · Dec 16, 2007

It says they are been removed but it's not true...

VundoFix V6.7.0

Checking Java version...

Sun Java not detected
Scan started at 14.42.08 13/12/2007

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Hijack log :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Programmi\Stonesoft\StoneGate VPN Client\stonegate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\RN5875.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Programmi\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\sgagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\SkyTel.EXE
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\hkcmd.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\igfxpers.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\ctfmon.exe
C:\DOCUME~1\LUCAMA~1\IMPOST~1\Temp\RTHDCPL.EXE
C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsp.exe
O1 - Hosts: ping # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C889469C-66DC-4851-9BB7-38FBCD0E080F} - C:\WINDOWS\system32\awtsp.dll
O4 - HKLM\..\Run: [StoneGateAgent] "C:\Programmi\Stonesoft\StoneGate VPN Client\sgagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B0375B5-1A57-4684-BDF5-4D2E68A7EF4A} (Pivotal ePower Lifecycle Engine (Version 5.9) - Platform Access (rdaclnt.dll)) - http://crmapp/ePower/cab/RDACLNT.CAB
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.9) - Shortcut Handler (rshortcut.dll)) - http://crmapp/ePower/cab/RSHORTCUT.CAB
O16 - DPF: {2AEC967B-BE2B-4D88-BB4E-C25F26B96CB0} (Pivotal eRelationship Active Access (Version 5.9) - Smart Portal (rdaprtl.dll)) - http://crmapp/ePower/cab/RDAPRTL.CAB
O16 - DPF: {3D7C60CF-3CA3-4EEF-8FDE-F3903709834B} (Pivotal eRelationship Active Access (Version 5.9) - Stealth Report Interface (rdaRprt.dll)) - http://crmapp/ePower/cab/RDARPRT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191433976426
O16 - DPF: {876DEC9E-28E9-4FE0-8ACD-CE107F9ACD1E} (Pivotal eRelationship Active Access (Version 5.9) - Resources (rdares.dll)) - http://crmapp/ePower/cab/RDARES.CAB
O16 - DPF: {8B777F7B-E3F0-496F-AEAC-EF9169C0A341} (Pivotal eRelationship Active Access (Version 5.9) - Email Connector (rdaemail.dll)) - http://crmapp/ePower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.9) - EMail Class (rn1sendx.dll)) - http://crmapp/ePower/cab/RN1SENDX.CAB
O16 - DPF: {A7977C3E-1450-4990-977D-9C5522B1E6DD} (Pivotal ePower Lifecycle Engine (Version 5.9) - Instantiator (rdaobjcreate.dll)) - http://crmapp/ePower/cab/RdaObjCreate.cab
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.9) - Plug-in Result Return Collection (dfoutils.dll)) - http://crmapp/ePower/cab/DFOUTILS.CAB
O16 - DPF: {BB89F812-072A-45E9-BEB2-2781D468F4E0} (Pivotal eRelationship Active Access (Version 5.9) - Shared Object Library Interface (rdashare.dll)) - http://crmapp/ePower/cab/RDASHARE.CAB
O16 - DPF: {D2A79F4E-98D9-4B65-9858-A7A1A3DCF872} (Pivotal eRelationship Active Access (Version 5.9) - Portal Control Proxy (rdaui.dll)) - http://crmapp/ePower/cab/RdaUI.cab
O16 - DPF: {FE89A9AA-862D-4D48-81BB-2A1A5590955C} (Pivotal eRelationship Active Access (Version 5.9) - Static list Support (rdauistaticlists.dll)) - http://crmapp/ePower/cab/RDAUISTATICLISTS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\Software\..\Telephony: DomainName = nposistemi.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02D6AED-4A1D-4D51-BA44-98668EC37511}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nposistemi.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nposistemi.it
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Programmi\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat5.5\bin\tomcat5.exe

--
End of file - 10068 bytes

Problem with a worm

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member