
Hi, could you help me with this log?



#1 JustLeaf

Posted 15 April 2006 - 01:34 PM

Hi there! My pc is all messed up, I really don't know what to do... could you help me? Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 21.40.26, on 15/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Iomega HotBurn\Autolaunch.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\internat.exe
C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\Leaf\IMPOST~1\Temp\Rar$EX00.363\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.it/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Programmi\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WhenUSave] "C:\Programmi\Save\Save.exe"
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....erSetup_ita.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3A15E86-6951-4538-B16B-2F4BFCD026B6}: NameServer = 213.205.36.70 213.205.32.70
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe


Please help! Thaaaanx...

#2 SUB

Posted 19 April 2006 - 10:54 AM

Hi JustLeaf,

Sorry about the delay in getting to you.

You are currently running HijackThis from a temporary folder. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted. Go to "My Computer", click on c:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or something like that and then please move the HijackThis.exe executable there.

Once you've done that post a new HijackThis log so that I can make sure that nothing has changed in your log.

Thank you for your patience. :)
The help you receive here is free. If you can, then please help support SpywareInfo's fight against malware by making a donation.

So how did I get infected in the first place?
Firefox

#3 JustLeaf

Posted 19 April 2006 - 11:13 AM

Thank you so much for your reply, here's the new log, with HijackThis saved in its own folder:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Iomega HotBurn\Autolaunch.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\internat.exe
C:\Programmi\Save\Save.exe
C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.it/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Programmi\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WhenUSave] "C:\Programmi\Save\Save.exe"
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....erSetup_ita.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3A15E86-6951-4538-B16B-2F4BFCD026B6}: NameServer = 213.205.36.70 213.205.32.70
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe



Take your time, no need to hurry... you're really kind! Thank you again for checking.

#4 SUB

Posted 19 April 2006 - 01:28 PM

I see WhenU Save! This is often installed as a sponsor to "free" software. It's adware and displays pop-ups.

To remove it, click Start > Settings > Control Panel > Add/Remove Programs...

Locate Save, SaveNow or anything related to WhenU and uninstall it.

Let's check for any other malware that might be present:

Please download, install, and update Ewido anti-malware
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. Do not run a scan yet.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido.
Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
  • In Safe Mode, load ewido and click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • If ewido finds anything, it will pop up a notification. Check "Perform action with all infections" and "Save an encrypted backup".
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
  • Restart back into Normal Mode.
Please perform another scan with Hijack This, and then post back with a copy of the ewido log and the new HijackThis log.

Thanks :)
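The advice above works by reading the O4 autorun entries, O16 downloaded ActiveX controls and O17 DNS settings out of the HijackThis log and comparing logs before and after a cleanup. The script below is an added example (not code from HijackThis or from anyone in this thread) that does that mechanically: it parses HijackThis v1.99.1 entry lines, diffs two logs, and flags the entries a helper would look at first. The two log excerpts are taken from the logs JustLeaf posted before and after the ewido run; the triage heuristics (known adware autorun names, user-profile/temp paths, web-sourced DPF entries, custom name servers, unnamed BHOs) are this example's own assumptions and not rules HijackThis itself applies.

```python
"""Parse HijackThis v1.99.1 logs into entries, diff two logs, and triage entries.

Added example for this thread; it is not code from HijackThis or from the
posters. The log excerpts below are taken from the logs posted in the thread
(before and after the ewido run); the triage heuristics are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# An entry line: "<section> - <body>", e.g. "O4 - HKCU\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# Body of an O4 Run/RunOnce entry: "HKCU\..\Run: [name] command".
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True, order=True)
class Entry:
    section: str   # "R1", "O4", "O17", ...
    body: str      # everything after "<section> - "


def parse_log(text: str) -> list[Entry]:
    """Return the entry lines of a log; header and running-process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(removed, added) entries between two logs, independent of line order."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


# Triage heuristics: assumptions of this example, not HijackThis rules.
USER_PATH_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")
KNOWN_ADWARE_RUN_NAMES = {"whenusave"}  # the WhenU Save autorun called out in this thread


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        body_l = e.body.lower()
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            if m and m.group("name").lower() in KNOWN_ADWARE_RUN_NAMES:
                findings.append((e, "autorun entry of known adware"))
            elif any(mark in body_l for mark in USER_PATH_MARKERS):
                findings.append((e, "autorun from a user-profile or temp path"))
        elif e.section == "O16" and "http://" in body_l:
            findings.append((e, "ActiveX control installed from the web; verify the source"))
        elif e.section == "O17":
            findings.append((e, "custom DNS servers; confirm they belong to the ISP"))
        elif e.section == "O2" and "(no name)" in body_l:
            findings.append((e, "unnamed BHO; identify it by CLSID and path"))
    return findings


# Excerpts of the logs posted in this thread (before and after the ewido run).
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WhenUSave] "C:\Programmi\Save\Save.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3A15E86-6951-4538-B16B-2F4BFCD026B6}: NameServer = 213.205.36.70 213.205.32.70
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *[f"{e.section} - {e.body}" for e in removed], sep="\n  ")
    print("added:", *[f"{e.section} - {e.body}" for e in added], sep="\n  ")
    for entry, reason in triage(parse_log(BEFORE_LOG)):
        print(f"[{entry.section}] {reason}: {entry.body}")
```

The diff makes the effect of the cleanup explicit (the WhenUSave autorun disappears, the ewido service appears), and the triage list is a starting point for review, not a verdict: the unnamed BHO it flags in these excerpts is Spybot's SDHelper.dll, which is why each reason says what to check rather than what to delete.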

#5 JustLeaf

Posted 19 April 2006 - 02:54 PM

I'll do everything, but I can't remove WhenU and Save because they are needed to run BearShare for free...

#6 SUB

Posted 19 April 2006 - 03:22 PM

I'd strongly suggest that you uninstall BearShare and, if you have to use a file sharing program (many of the downloads on them are infected so I personally wouldn't recommend using any), replace it with one of the spyware-free ones from this list:

http://www.spywarein...m/articles/p2p/

Ewido will remove Save, so I'd uninstall it before running that.

#7 JustLeaf

Posted 20 April 2006 - 03:01 AM

TA-DAA! ^_^

Logfile of HijackThis v1.99.1
Scan saved at 11.07.47, on 20/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Iomega HotBurn\Autolaunch.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\internat.exe
C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.it/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Programmi\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....erSetup_ita.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe

---------------------------------------------------------
ewido anti-malware - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 11.02.27, 20/04/2006
+ Report-Checksum: F292F5B

+ Risultati scansione:

HKLM\SOFTWARE\Classes\FWN.FWNToolbar -> Adware.FindWhateverNow : Pulito con Backup
HKLM\SOFTWARE\Classes\FWN.FWNToolbar\Clsid -> Adware.FindWhateverNow : Pulito con Backup
HKLM\SOFTWARE\Classes\FWN.ISubclass -> Adware.FindWhateverNow : Pulito con Backup
HKLM\SOFTWARE\Classes\FWN.ISubclass\Clsid -> Adware.FindWhateverNow : Pulito con Backup
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv -> Adware.WebRebates : Pulito con Backup
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv\Clsid -> Adware.WebRebates : Pulito con Backup
HKLM\SOFTWARE\Classes\WhenU.EmbedSE -> Adware.SaveNow : Pulito con Backup
HKLM\SOFTWARE\Classes\WhenU.EmbedSE\CLSID -> Adware.SaveNow : Pulito con Backup
HKLM\SOFTWARE\Classes\WhenU.EmbedSE\CurVer -> Adware.SaveNow : Pulito con Backup
HKLM\SOFTWARE\Classes\WhenU.EmbedSE.1 -> Adware.SaveNow : Pulito con Backup
HKLM\SOFTWARE\Classes\WUSE.1 -> Adware.SaveNow : Pulito con Backup
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Pulito con Backup
HKLM\SOFTWARE\eXactUtil -> Adware.BargainBuddy : Pulito con Backup
HKLM\SOFTWARE\IncrediFind -> Adware.KeenValue : Pulito con Backup
HKLM\SOFTWARE\IncrediFind\BHO -> Adware.KeenValue : Pulito con Backup
HKLM\SOFTWARE\IncrediFind\BHO\HomePage -> Adware.KeenValue : Pulito con Backup
HKLM\SOFTWARE\IncrediFind\BHO\RedirectURLS -> Adware.KeenValue : Pulito con Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0 -> Adware.BlazeFind : Pulito con Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0\- -> Adware.BlazeFind : Pulito con Backup
HKLM\SOFTWARE\sr -> Adware.CoolWebSearch : Pulito con Backup
HKLM\SOFTWARE\sr\sr -> Adware.CoolWebSearch : Pulito con Backup
HKLM\SOFTWARE\updater -> Adware.KeenValue : Pulito con Backup
HKLM\SOFTWARE\updater\{8D15A72D-62E0-4733-B057-0A81B4FFEB3D} -> Adware.KeenValue : Pulito con Backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng -> Adware.BargainBuddy : Pulito con Backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Security -> Adware.BargainBuddy : Pulito con Backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Enum -> Adware.BargainBuddy : Pulito con Backup
HKU\S-1-5-21-842925246-1682526488-854245398-1000\Software\Coulomb -> Dialer.Generic : Pulito con Backup
C:\WINDOWS\SYSTEM32\TFTP912 -> Backdoor.Rbot : Pulito con Backup
C:\WINDOWS\SYSTEM32\exdl.exe -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\exdl0.exe -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\mqexdlm.srg -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\exul.exe -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\javexulm.vxd -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\angelex.exe -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\AcsProxy.dll -> Adware.FWN : Pulito con Backup
C:\WINDOWS\SYSTEM32\netut80ex.vxd/C:/WINDOWS/System32/exdl.exe -> Adware.BargainBuddy : Errore durante la pulizia
C:\WINDOWS\SYSTEM32\netut80ex.vxd/C:/WINDOWS/System32/mqexdlm.srg -> Adware.BargainBuddy : Errore durante la pulizia
C:\WINDOWS\SYSTEM32\netut80ex.vxd/C:/WINDOWS/System32/exul.exe -> Adware.BargainBuddy : Errore durante la pulizia
C:\WINDOWS\SYSTEM32\netut80ex.vxd/C:/WINDOWS/System32/javexulm.vxd -> Adware.BargainBuddy : Errore durante la pulizia
C:\WINDOWS\SYSTEM32\WinDmy.dll -> Adware.Mirar : Pulito con Backup
C:\WINDOWS\Downloaded Program Files\MirarSetup.exe -> Adware.SaveNow : Pulito con Backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MirarSetup.exe -> Adware.SaveNow : Pulito con Backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MirarSetup.exe -> Adware.SaveNow : Pulito con Backup
C:\Programmi\File comuni\WhenU\EmbedSE.dll -> Adware.SaveNow : Pulito con Backup
C:\Documents and Settings\Leaf\Impostazioni locali\Temp\Cookies\leaf@counter11.sextracker[1].txt -> TrackingCookie.Sextracker : Pulito con Backup
C:\Documents and Settings\Leaf\Impostazioni locali\Temp\Cookies\leaf@sextracker[1].txt -> TrackingCookie.Sextracker : Pulito con Backup
C:\Documents and Settings\Leaf\Impostazioni locali\Temp\Cookies\leaf@hitbox[2].txt -> TrackingCookie.Hitbox : Pulito con Backup
C:\Documents and Settings\Leaf\Impostazioni locali\Temp\Cookies\leaf@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@doubleclick[1].txt -> TrackingCookie.Doubleclick : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@bluestreak[2].txt -> TrackingCookie.Bluestreak : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@casalemedia[1].txt -> TrackingCookie.Casalemedia : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@mediaplex[1].txt -> TrackingCookie.Mediaplex : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@statcounter[1].txt -> TrackingCookie.Statcounter : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@zedo[2].txt -> TrackingCookie.Zedo : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@media.fastclick[1].txt -> TrackingCookie.Fastclick : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@atdmt[1].txt -> TrackingCookie.Atdmt : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@fastclick[2].txt -> TrackingCookie.Fastclick : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@adtech[2].txt -> TrackingCookie.Adtech : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@hitbox[2].txt -> TrackingCookie.Hitbox : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Pulito con Backup
C:\Documents and Settings\Leaf\Cookies\leaf@ehg-wizardsofthecoast.hitbox[2].txt -> TrackingCookie.Hitbox : Pulito con Backup


::Fine Rapporto



Edited by JustLeaf, 20 April 2006 - 03:13 AM.
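The ewido report above is a flat list of "object -> family : action" lines in Italian, and the two things a reader has to pull out of it by hand are which detections were not actually cleaned ("Errore durante la pulizia", here four members packed inside netut80ex.vxd) and which families matter most (Backdoor.Rbot rather than tracking cookies). The script below is an added example, not ewido's code or anyone's in this thread, that parses such a report and produces that summary. The sample is an abbreviated excerpt of the report JustLeaf posted; the English action strings and the list of family prefixes treated as high severity are this example's assumptions.

```python
"""Parse an ewido anti-malware scan report and summarise what was (not) cleaned.

Added example for this thread; it is not ewido's code nor the posters'. The
sample report is an excerpt of the Italian-language report posted in the
thread; the English action strings and the severity ranking are assumptions.
"""
from __future__ import annotations
import re
from collections import Counter

# One result line: "<object> -> <detection family> : <action taken>".
RESULT_RE = re.compile(r"^(?P<obj>.+?) -> (?P<family>[^:]+?) : (?P<action>.+)$")
# A file reported inside a container: "<container path>/<drive>:/<inner path>".
CONTAINER_RE = re.compile(r"^(?P<container>.+?)/(?P<inner>[A-Za-z]:/.+)$")
# Localised action strings: Italian ones from this thread, English ones assumed.
ACTION_STATUS = {
    "Pulito con Backup": "cleaned",
    "Cleaned with backup": "cleaned",
    "Errore durante la pulizia": "error",
    "Error during cleaning": "error",
}
# Families treated as high severity (assumption): remote-access and self-propagating code.
HIGH_SEVERITY_PREFIXES = ("Backdoor.", "Trojan.", "Worm.")


def classify_object(obj: str) -> str:
    """Registry key, file inside a container, or plain file on disk."""
    if obj.startswith(("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")):
        return "registry"
    if CONTAINER_RE.match(obj):
        return "archived-file"
    return "file"


def parse_report(text: str) -> list[dict]:
    """Return one dict per result line; headers, separators and the footer are skipped."""
    findings = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue
        obj, family, action = m.group("obj"), m.group("family"), m.group("action")
        findings.append({
            "object": obj,
            "kind": classify_object(obj),
            "family": family,
            "action": action,
            "status": ACTION_STATUS.get(action, "unknown"),
        })
    return findings


def summarize(findings: list[dict]) -> dict:
    return {
        "by_family": Counter(f["family"] for f in findings),
        "by_status": Counter(f["status"] for f in findings),
        "errors": [f["object"] for f in findings if f["status"] == "error"],
    }


def unresolved_containers(findings: list[dict]) -> list[str]:
    """Containers whose members failed to clean: the container itself still needs handling."""
    containers = set()
    for f in findings:
        if f["status"] == "error":
            m = CONTAINER_RE.match(f["object"])
            if m:
                containers.add(m.group("container"))
    return sorted(containers)


def high_severity(findings: list[dict]) -> list[dict]:
    return [f for f in findings if f["family"].startswith(HIGH_SEVERITY_PREFIXES)]


# Excerpt of the report posted in this thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-malware - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 11.02.27, 20/04/2006
+ Report-Checksum: F292F5B

+ Risultati scansione:

HKLM\SOFTWARE\Classes\WhenU.EmbedSE -> Adware.SaveNow : Pulito con Backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\TFTP912 -> Backdoor.Rbot : Pulito con Backup
C:\WINDOWS\SYSTEM32\exdl.exe -> Adware.BargainBuddy : Pulito con Backup
C:\WINDOWS\SYSTEM32\netut80ex.vxd/C:/WINDOWS/System32/exdl.exe -> Adware.BargainBuddy : Errore durante la pulizia
C:\WINDOWS\SYSTEM32\netut80ex.vxd/C:/WINDOWS/System32/exul.exe -> Adware.BargainBuddy : Errore durante la pulizia
C:\Documents and Settings\Leaf\Cookies\leaf@doubleclick[1].txt -> TrackingCookie.Doubleclick : Pulito con Backup

::Fine Rapporto
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    summary = summarize(found)
    print("by status:", dict(summary["by_status"]))
    print("by family:", dict(summary["by_family"]))
    print("containers still holding uncleaned members:", unresolved_containers(found))
    print("high severity:", [f["object"] for f in high_severity(found)])
```

Grouping the failures by container is the useful part: four "error" lines collapse to one file, netut80ex.vxd, which is what actually has to be dealt with after the scan, and the severity filter puts the Rbot detection ahead of the forty-odd adware and cookie lines that make up most of the report.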


#8 SUB

Posted 20 April 2006 - 03:57 AM

Hi JustLeaf,

I have bad news :(

Ewido detected Backdoor.Rbot. Backdoors are dangerous trojans which infect a computer and then allow an attacker remote access to it. This particular trojan can do the following:

  • monitor networks for interesting data packets (i.e. those containing passwords to FTP servers, and e-payment systems such as PayPal etc.)
  • scan networks for machines which have unpatched common vulnerabilities (RPC DCOM, UPnP, WebDAV and others); for machines infected by Trojan programs (Backdoor.Optix, Backdoor.NetDevil, Backdoor.SubSeven and others) and by the Trojan components of worms (I-Worm.Mydoom, I-Worm.Bagle); for machines with weak system passwords
  • conduct DoS attacks
  • launch SOCKS and HTTP servers on infected machines
  • send the user of the program detailed information about the victim machine, including passwords to a range of computer games.

It's probably a leftover from an infection that your antivirus cleaned, but to be on the safe side I'd strongly counsel you to do the following:

  • Notify all your banks and credit card companies that you could have been a victim of computer credit card fraud, and ask them to put a check on your accounts or change your account numbers.
  • From a clean computer, change all your online passwords including banks, shopping, email and forums.

Let's run a tool, just to make sure it's completely gone:

Download f-bot by F-Secure and save it to your Desktop.

Double-click on the tool to run it. Reboot when the tool has finished.

Click Start > Settings > Control Panel and then locate Bargain Buddy or anything related to eXact and uninstall it.

I'd like you to perform an online virus scan with Kaspersky Online Virus Scanner.

Please navigate (using Internet Explorer only, other browsers won't work) to the following site: http://www.kaspersky.com/virusscanner

Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • The scanner will download the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply with a new HijackThis log.

Thanks :)

#9 JustLeaf

Posted 20 April 2006 - 07:25 AM

I am sorry, but I can't seem to find "buddy" anywhere... and I'm running the Kaspersky scan, but it takes too much time that I can't spend online. Is it absolutely necessary?

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 15.32.31, on 20/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Iomega HotBurn\Autolaunch.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\internat.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.it/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Programmi\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....erSetup_ita.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3A15E86-6951-4538-B16B-2F4BFCD026B6}: NameServer = 213.205.36.70 213.205.32.70
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe



PS: It doesn't matter for the bad bad trojan, I never used any important password on this computer.

#10 SUB (SWI Junkie; Retired Staff - Helper; 321 posts)

Posted 20 April 2006 - 07:37 AM

I just wanted to use Kaspersky to check we got everything - what Ewido misses another might catch. You can download BitDefender Free Edition and run a full scan with that offline:

Please download and install BitDefender Free Edition
http://www.bitdefend...ee-Edition.html

This is a free version of the anti-virus. It has no real-time scanner but should do a good job of cleaning up your computer. Install it and update it, then run a full system scan with it.

Edited by SUB, 20 April 2006 - 07:39 AM.

The help you receive here is free. If you can, then please help support SpywareInfo's fight against malware by making a donation.

So how did I get infected in the first place?
Firefox

#11 JustLeaf (Member; Full Member; 7 posts)

Posted 20 April 2006 - 11:16 AM

Here's the report:

//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 20/04/2006 18:18:02
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 1183
Files : 192208
Archives : 847
Packed files : 33339
Identified viruses : 6
Infected files : 9
Warnings : 0
Suspect files : 1
Disinfected files : 0
Deleted files : 1
Copied files : 0
Moved files : 4
Renamed files : 0
I/O errors : 17
Scan time : 01:00:46
Scan speed (files/sec) : 52

Virus definitions : 187164
Scan plugins : 13
Archive plugins : 39
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\WINDOWS\SYSTEM32\o Suspect Backdoor.BotGet.FtpB.Gen
C:\WINDOWS\SYSTEM32\o Disinfection failed
C:\WINDOWS\SYSTEM32\o Moved
C:\WINDOWS\SYSTEM32\aa Infected Backdoor.BotGet.FtpB.Gen
C:\WINDOWS\SYSTEM32\aa Deleted
C:\WINDOWS\SYSTEM32\netut80ex.vxd=>C:/WINDOWS/System32/exdl.exe Detected: Application.Adware.ExactSearch
C:\WINDOWS\SYSTEM32\netut80ex.vxd=>C:/WINDOWS/System32/exdl.exe Disinfection failed
C:\WINDOWS\SYSTEM32\netut80ex.vxd=>C:/WINDOWS/System32/mqexdlm.srg Detected: Application.Adware.ExactSearch
C:\WINDOWS\SYSTEM32\netut80ex.vxd=>C:/WINDOWS/System32/exul.exe Detected: Adware.BBuddy.A
C:\WINDOWS\SYSTEM32\netut80ex.vxd=>C:/WINDOWS/System32/exul.exe Disinfection failed
C:\WINDOWS\SYSTEM32\netut80ex.vxd=>C:/WINDOWS/System32/javexulm.vxd Detected: Adware.BBuddy.A
C:\WINDOWS\SYSTEM32\netut80ex.vxd Moved
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-271e6c1-2fb5d713.zip=>A.class Infected Trojan.Exploit.Java.Bytverify.C
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-271e6c1-2fb5d713.zip=>A.class Disinfection failed
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-271e6c1-2fb5d713.zip=>BlackBox.class Infected Trojan.Exploit.Java.Bytverify.B
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-271e6c1-2fb5d713.zip=>BlackBox.class Disinfection failed
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-271e6c1-2fb5d713.zip Moved
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-792a1f63-7f66c2ef.zip=>GetAccess.class Infected Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-792a1f63-7f66c2ef.zip=>GetAccess.class Disinfection failed
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-792a1f63-7f66c2ef.zip=>NewURLClassLoader.class Infected Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-792a1f63-7f66c2ef.zip=>NewURLClassLoader.class Disinfection failed
C:\Documents and Settings\Leaf\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-792a1f63-7f66c2ef.zip Moved



And the new log:

Logfile of HijackThis v1.99.1
Scan saved at 19.25.34, on 20/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Iomega HotBurn\Autolaunch.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\System32\internat.exe
C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.it/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Programmi\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....erSetup_ita.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3A15E86-6951-4538-B16B-2F4BFCD026B6}: NameServer = 213.205.36.70 213.205.32.70
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#12 SUB (SWI Junkie; Retired Staff - Helper; 321 posts)

Posted 20 April 2006 - 06:09 PM

Please download SilentRunners from this location.

Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

#13 JustLeaf (Member; Full Member; 7 posts)

Posted 21 April 2006 - 12:48 AM

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"MsnMsgr" = ""C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Drag'n'Drop_Autolaunch" = ""C:\Programmi\Iomega HotBurn\Autolaunch.exe"" ["Iomega Corporation"]
"QuickTime Task" = ""C:\Programmi\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"GSICONEXE" = "gsicon.exe" ["GlobespanVirata, Inc."]
"DSLAGENTEXE" = "dslagent.exe USB" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = "C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"BDMCon" = ""C:\Programmi\Softwin\BitDefender8\bdmcon.exe"" ["SOFTWIN S.R.L."]
"BDNewsAgent" = ""C:\Programmi\Softwin\BitDefender8\bdnagent.exe"" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Estensione panoramica video del Pannello di controllo"
-> {HKLM...CLSID} = "Estensione panoramica video del Pannello di controllo"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Utilità di separazione di Raccoglitore Office."
-> {HKLM...CLSID} = "Utilità di separazione di Raccoglitore Office."
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office\UNBIND.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKLM\Software\Classes\.scr\ = (key not found)


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Sfondo Internet Explorer.bmp"


Startup items in "Leaf" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
"CAMEDIA Master" -> shortcut to: "C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe" ["OLYMPUS CORPORATION"]
"Adobe Gamma Loader" -> shortcut to: "C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"Avvio dell'Ottimizzazione" -> launches: "walign" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}"
-> {HKLM...CLSID} = "FWN Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\FWNToolbar.dll" [file not found]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"
-> {HKLM...CLSID} = "Related Page"
\InProcServer32\(Default) = "C:\WINDOWS\System32\WinNB57.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
BitDefender Communicator, XCOMM, ""C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Scan Server, bdss, ""C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
Iomega App Services, Iomega App Services, ""C:\PROGRA~1\Iomega\System32\AppServices.exe"" ["Iomega Corporation"]
Sistema di eventi COM+, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [null data]}


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 48 seconds, including 7 seconds for message boxes)

#14 SUB (SWI Junkie; Retired Staff - Helper; 321 posts)

Posted 22 April 2006 - 03:17 PM

Hi JustLeaf,

Sorry about the delay. I had to check something with an expert, and I was at work all day so have only just had time to come online.

Please clear your Sun Java cache:

1. Click Start > Settings > Control Panel.

2. Double-click the Java icon in the control panel.
The Java Control Panel appears.

3. Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.

4. Click Delete Files.
The Delete Temporary Files dialog box appears.

There are three options on this window to clear the cache.
1. Delete Files
2. View Applications
3. View Applets

5. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.

6. Click OK on Temporary Files Settings window.
Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.

Locate the following file and delete it:

C:\WINDOWS\SYSTEM32\netut80ex.vxd

Copy and paste the text in the following quote box into Notepad:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}"=-
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}]

[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]

[-HKEY_CLASSES_ROOT\CLSID\{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}]

[-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]


Save it as fix.reg to your Desktop (in Save As Type ensure "All Files" is selected). Double-click it and allow it to merge with the registry.

Reboot your computer and post a new HijackThis log. How are things running now?
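The fix above uses two removal forms of the REGEDIT4 format: a `"name"=-` line deletes that value from the key of the enclosing `[KEY]` section, and a `[-KEY]` header deletes the whole key. As an added example that is not part of the thread, the Python script below parses such a file in dry-run mode, lists what merging it would remove, and checks that the fix is removal-only and names no CLSID other than the two toolbar entries Silent Runners reported as [file not found]; SAMPLE_FIX is a constructed copy of the fix in the post, and the function names are my own.

```python
"""Dry-run a REGEDIT4 fix before merging it (added example, not from the thread).

  "name"=-   inside a [KEY] section deletes that value
  [-KEY]     deletes the whole key and everything under it
parse_reg() records those actions without touching the registry; fix_is_scoped()
confirms the file only deletes and only names the CLSIDs we expect.
"""
import re
from dataclasses import dataclass, field

# The two toolbar CLSIDs Silent Runners listed with [file not found].
FWN_TOOLBAR = "{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}"   # "FWN Toolbar"
RELATED_PAGE = "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"  # "Related Page"

# Constructed copy of the fix.reg from the post above.
SAMPLE_FIX = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}"=-
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}]

[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]

[-HKEY_CLASSES_ROOT\CLSID\{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}]

[-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')      # "name"=data or @=data
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


@dataclass
class RegPlan:
    delete_keys: list = field(default_factory=list)    # key paths
    delete_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)     # (key, value name, raw data)
    problems: list = field(default_factory=list)       # anything a reviewer should look at


def parse_reg(text: str) -> RegPlan:
    """Walk a .reg file and record what merging it would do, without applying anything."""
    plan = RegPlan()
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        plan.problems.append("line 1: missing REGEDIT4 / Registry Editor header")
    current = None  # key of the section we are in; None right after a [-KEY] line
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            minus, key = key_match.groups()
            if minus:
                plan.delete_keys.append(key)
                current = None  # values after a [-KEY] header have nothing to attach to
            else:
                current = key
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            name, data = value_match.groups()
            if current is None:
                plan.problems.append(f"line {n}: value line outside a [KEY] section")
                continue
            name = "(Default)" if name == "@" else name[1:-1]
            if data == "-":
                plan.delete_values.append((current, name))
            else:
                plan.set_values.append((current, name, data))
            continue
        plan.problems.append(f"line {n}: unrecognised line {line!r}")
    return plan


def clsids_touched(plan: RegPlan) -> set:
    """Every GUID that appears in a key or value name the plan would delete."""
    found = set()
    for key in plan.delete_keys:
        found.update(g.upper() for g in GUID_RE.findall(key))
    for key, name in plan.delete_values:
        found.update(g.upper() for g in GUID_RE.findall(key + name))
    return found


def fix_is_scoped(plan: RegPlan, allowed) -> bool:
    """True when the fix parsed cleanly, only deletes, and names no CLSID outside `allowed`."""
    allowed = {g.upper() for g in allowed}
    return not plan.set_values and not plan.problems and clsids_touched(plan) <= allowed


if __name__ == "__main__":
    plan = parse_reg(SAMPLE_FIX)
    for key in plan.delete_keys:
        print("delete key  :", key)
    for key, name in plan.delete_values:
        print("delete value:", key + "\\" + name)
    print("scoped to the flagged CLSIDs:", fix_is_scoped(plan, [FWN_TOOLBAR, RELATED_PAGE]))
```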

#15 JustLeaf1 (Member; Full Member; 2 posts)

Posted 23 April 2006 - 03:42 AM

You don't have to apologize for the delay, you're doing me a favor, please take your time! :) Anyway, it seems like everything is fine, but I still can't be sure. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 1.32.03, on 23/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Iomega HotBurn\Autolaunch.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\System32\internat.exe
C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\WINDOWS\System32\msiexec.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.it/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Programmi\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmi\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_it.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....erSetup_ita.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe



PS: Can I delete the fix.reg file now, or do I have to keep it?

#16 SUB (SWI Junkie; Retired Staff - Helper; 321 posts)

Posted 23 April 2006 - 05:22 AM

Your log looks clean, so if you aren't having any more problems then I'd say we're done.

This is very important - we need to prevent this happening again, so I have included some recommendations. Please take these seriously as they will help prevent the majority of malware attacks.

- Keep Windows up-to-date.

Your current version of Windows is out-of-date as we are currently on Windows 2000 SP4. Many malware attacks occur through security holes in Windows, and Microsoft regularly releases patches for these holes.

Please click here to visit the Windows Update site, and install any high priority updates available. It's important to keep checking this regularly. I'd recommend turning on automatic updates, so updates will automatically be found and installed for your system.

To turn them on:

1. In Control Panel, double-click Automatic Updates.
2. Click one of the following options:
• Notify me before downloading any updates and notify me again before installing them on my computer
• Download the updates automatically and notify me when they are ready to be installed
• Automatically download the updates, and install them on the schedule that I specify

I really cannot stress enough how important it is to keep Windows up-to-date.

- Use a firewall.

I don't see a firewall in your log. A firewall is your first and last defense against malware and I would say is the most important piece of security software you need. I would strongly urge you to install one of the following excellent free firewalls:
ZoneAlarm
Kerio
Outpost.

Only install one firewall on your computer, as multiple firewalls will clash. A tutorial on understanding and using firewalls may be found here.

- Use antispyware software.

Scanners:

You need to have two antispyware scanners for on-demand scans, as what one catches another might miss. It's preferable to keep one running with real-time protection. If you don't have these, install these free scanners:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here.

In Spybot-S&D you should enable the "Immunize" function which adds sites to your IE restricted zone. You might also want to enable the "TeaTimer" function, which will block a lot of ways in which spyware can install on your computer.

Remember to keep these scanners up to date and perform frequent scans with them.

Tools:

In addition to your antispyware scanners, here are some free tools that will help prevent spyware from installing on your computer.

SpywareBlaster
Spyware Blaster will add known dangerous sites to your Internet Explorer restricted zone, restrict tracking cookies in Internet Explorer and Firefox and prevent dangerous ActiveX controls from installing in Internet Explorer. A tutorial on using SpywareBlaster may be found here.

IE-SPYAD
A must if you use Internet Explorer. Adds over 5,000 potentially dangerous sites to your Restricted Sites Zone.

As these programs simply add things to your browser settings, they do not slow your computer. They are frequently updated, so please make sure that you keep these programs up-to-date.

- Use an alternative browser.

This is important for several reasons:
- Most people use Internet Explorer, therefore most malware tends to target Internet Explorer.
- It has a feature known as ActiveX, which can be used to install software (including malware).

I'd recommend Firefox but Opera is also very good. It's just a personal preference really. Both are much more secure than Internet Explorer and feature many extra options, including tabbed browsing. They're both free as well, so you've got nothing to lose by trying them both and choosing the one you like the most.

- Use antivirus software

Please make sure to run your antivirus software regularly, and to keep it up to date.

- Please read Tony Klein's excellent article: So how did I get infected in the first place?

Hopefully this should take care of your problems! Good luck. :D

#17 JustLeaf1 (Member; Full Member; 2 posts)

Posted 23 April 2006 - 07:30 AM

Thank you so much, I'm saving your last post! Thank you again.

#18 SUB (SWI Junkie; Retired Staff - Helper; 321 posts)

Posted 23 April 2006 - 08:12 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.