# Solved: trojans, please help!!



## emmameyer (Apr 12, 2006)

Hello everybody,
as of this morning I am experiencing a "virus" problem: I inadvertently downloaded something that keeps regenerating itself and I can't get rid of it/them (antivirus says it's "TR/dldr.small.buy.1" and something like "Click.something...").
Task Manager won't work anymore, antivirus runs in the background but I can't open it, and I have great problems using the internet too...
I have AntiVir working, but no ZoneAlarm anymore since the last version blocked all internet activities and I had to remove it.
I downloaded HJT and did a scan: here is my log, but please, if you can, give me directions "for dummies", because that's what I am with the PC...

While writing this message I had all kinds of messages from the net: download this, you have the Beagle virus, finish your scan with ErrorSafe... help!!!!

I know I must have all sorts of garbage on my PC, but I dare show them anyway - help me get rid of them!!
here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16.45.55, on 12/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\mnmsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\WINDOWS\services.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
C:\windows\mousepad10.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Palm\HOTSYNC.EXE
C:\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname10.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A935783-5B5D-4380-A6AF-2FD17735F40D}: NameServer = 85.37.17.5 85.38.28.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A935783-5B5D-4380-A6AF-2FD17735F40D}: NameServer = 85.37.17.5 85.38.28.77
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rapndd6d8- - Sonic Solutions - (no file)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:

Use this URL to copy into the address bar of the Download script window:
*http://metallica.geekstogo.com/alcanshorty.bfu*

Execute the script by clicking the Execute button.

_If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html_

Then reboot and post back with a *HijackThis log*.


----------



## emmameyer (Apr 12, 2006)

Hi... sorry but BFU isn't brute enough... :( (that was trying to be a sad smile...)
I am trying to run it, but it stops at 11% and refuses to go any further...
any idea?
thank you so much for your help,
a desperate Italian


----------



## cybertech (Apr 16, 2002)

Download the trial version of Ewido Security Suite *here*.
Install ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

*Click here* for info on how to boot to safe mode if you don't already know how.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop

Reboot to normal mode.

*Come back here and post a new HijackThis log, as well as the log from Ewido.*


----------



## emmameyer (Apr 12, 2006)

hello cyber...
I tried and tried and finally BFU worked, and here is the HJT log:
while connecting to see your reply, the AntiVir blocked several new attacks though... some of them totally new... :-(((
I will now try your second "direction", here is the log anyway....
thank you thank you!

Logfile of HijackThis v1.99.1
Scan saved at 17.53.29, on 12/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\mnmsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\WINDOWS\services.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Palm\HOTSYNC.EXE
C:\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rapndd6d8- - Sonic Solutions - (no file)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe


----------



## cybertech (Apr 16, 2002)

OK, go with the Ewido scan and be sure to post the results along with another HJT log.


----------



## emmameyer (Apr 12, 2006)

cybertech, ewido stopped during installation... god, I'm jinxed... LOL
I cannot go through the installation all over again, I must go now (here in Italy it is 6 pm), I have a concert to perform!
thank you again for your help, I'll try again tonight when I'm back and let you know.
you're a cyber-angel!
bye


----------



## cybertech (Apr 16, 2002)

Ok!

Try removing these before you install again

*Run HJT again and put a check in the following:*

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe

*Close all applications and browser windows before you click "fix checked".*


----------



## emmameyer (Apr 12, 2006)

hello cyber, I hope you are still checking this...
ok, this is the story: I was able to install Ewido without removing the things you suggested in your last post (just because I completed the installation before checking for new posts, not because I didn't want to follow your advice...!).
As you told me, I ran it in safe mode and... gosh, I'm embarrassed, but I have to say that I did something wrong (poked into the quarantine) and wasn't able to save the report (once you leave the window, the report is gone...). Anyway, I took a snapshot of the quarantine where all the malware was put, so maybe this helps a little...
here it is

but then... the virus attack didn't stop, and that's why you didn't hear from me anymore, because I couldn't even connect to the internet... (problem solved: something had installed itself in the quick launch and had hijacked my start page... anyway, not a big deal, but it took me a while to realize it because I am way too frustrated at the moment...).
to cut it short, I am posting the new HJT log now, but the small .exe files are still proliferating...
as of today I am away for the Easter vacation, but if you would be so kind as to take a look at the log and think about my problem, on Monday I will resume the fight...
thank you for your patience and help, and happy Easter!

HJT log after Ewido

Logfile of HijackThis v1.99.1
Scan saved at 7.38.55, on 14/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programmi\Editpad\EditPad.exe
C:\WINDOWS\explorer.exe
C:\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: www.1987324.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
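
Added example, not from the thread or from HijackThis: a small Python triage pass over HJT log lines that encodes the kind of checks the helper applied by eye to the logs above (a start/search page pointing at a local file or an unfamiliar host, an altered system.ini Shell= value, a Run entry under C:\Program Files on a machine whose real program folder is C:\Programmi, an unexplained Trusted Zone host, and a service registered from a core system file name outside System32). The sample lines are constructed from the third log; the allow-list of known-good hosts and the set of localized folder names are assumptions.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample modelled on the third HijackThis log in this thread (benign and suspicious lines mixed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O15 - Trusted Zone: www.1987324.com
O15 - Trusted Zone: *.sony-europe.com
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""
# Core binaries that live only in System32; the same name from another folder (C:\WINDOWS\services.exe above) is a masquerade.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "smss.exe", "csrss.exe"}
# Localised Program Files names (assumption): a binary under a name other than this
# system's own folder was dropped by something that hard-coded the English path.
PROGRAM_FILES_NAMES = {"program files", "programmi", "programme", "programmes"}
# Hosts the owner recognises (assumption, taken from the thread's unchanged entries).
KNOWN_GOOD_HOSTS = {"www.google.it", "*.sony-europe.com", "*.sonystyle-europe.com", "*.vaio-link.com"}
PAGE_KEYS = ("Start Page", "Default_Page_URL", "Local Page", "Search Page", "SearchAssistant")
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
Finding = namedtuple("Finding", "section reason line")

def host_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)  # whole value if it is not a URL
    return (m.group(1) if m else url).lower()

def check_browser_setting(body: str) -> Optional[str]:
    key, _, value = body.partition(" = ")
    if not key.endswith(PAGE_KEYS):
        return None
    if re.match(r"^[a-z]:\\", value, re.I):
        return "browser start/search page points at a local file"
    if host_of(value) not in KNOWN_GOOD_HOSTS:
        return f"browser start/search page set to unrecognised host {host_of(value)}"
    return None

def check_shell(body: str) -> Optional[str]:
    m = re.match(r"REG:system\.ini: Shell=(.*)$", body)  # the default is exactly explorer.exe
    if m and m.group(1).strip().lower() != "explorer.exe":
        return "Shell= chains an extra program after explorer.exe"
    return None

def check_run(body: str, program_files: str) -> Optional[str]:
    # Only HKLM/HKCU ...\Run entries; Startup-folder (.lnk) entries are not covered.
    path = re.search(r'[a-z]:\\[^"]*?\.exe', body, re.I)
    if not re.match(r"HK(?:LM|CU)\\\.\.\\Run: \[", body) or not path:
        return None
    parts = path.group(0).split("\\")
    top = parts[1].lower() if len(parts) > 1 else ""
    if top in PROGRAM_FILES_NAMES and top != program_files.lower():
        return f"binary under C:\\{parts[1]} but this system's program folder is C:\\{program_files}"
    if len(parts) == 3 and top == "windows":
        return "binary runs straight from the Windows folder; verify its publisher"
    return None

def check_trusted_zone(body: str) -> Optional[str]:
    m = re.match(r"Trusted Zone: (.+)$", body)
    if m and m.group(1).strip().lower() not in KNOWN_GOOD_HOSTS:
        return f"unrecognised host {m.group(1).strip()} in the IE Trusted Zone"
    return None

def check_service(body: str) -> Optional[str]:
    # O23 - Service: <display> - <owner> - <image> [(file missing)]
    m = re.match(r"Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<image>.*)$", body)
    if not m:
        return None
    image = re.sub(r"\s*\((?:file missing|no file)\)$", "", m.group("image")).strip()
    folder, _, name = image.rpartition("\\")
    if name.lower() in SYSTEM32_ONLY and not folder.lower().endswith("\\system32"):
        return f"{name.lower()} registered as a service outside System32 ({image})"
    if m.group("owner") == "Unknown owner" and re.search(r"microsoft|windows", m.group("display"), re.I):
        return "Microsoft-branded service name with no publisher information"
    return None

def triage(log_text: str, program_files: str = "Programmi") -> List[Finding]:
    """Return the log lines a reviewer should look at first, each with its reason."""
    checks = {"R0": check_browser_setting, "R1": check_browser_setting, "F2": check_shell,
              "O4": lambda b: check_run(b, program_files), "O15": check_trusted_zone,
              "O23": check_service}
    findings = []
    for raw in (ln.strip() for ln in log_text.splitlines()):
        m = LINE_RE.match(raw)
        if m and m.group("sec") in checks:
            reason = checks[m.group("sec")](m.group("body"))
            if reason:
                findings.append(Finding(m.group("sec"), reason, raw))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The heuristics are review aids, not verdicts: the Windows-folder rule in particular fires on some legitimate OEM utilities, so each hit still needs a publisher check.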


----------



## cybertech (Apr 16, 2002)

Hi, emmameyer,
I received your PM as well. Give me a little bit as I just walked in the door and have a few things to take care of.

I'll post something for you ASAP.


----------



## cybertech (Apr 16, 2002)

Click My Computer, then C:\ 
In the menu bar, File->New->Folder. 
That will create a folder named New Folder, which you can rename to "BFU"

Please download *Brute Force Uninstaller*. 
Unzip it to its own folder (c:\BFU)

Next, *RIGHT-CLICK HERE* and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. *Save it in the folder you made earlier (c:\BFU)*.

*Do not run the Uninstaller and the Remover yet*.

Please reboot into Safemode:

Open My Computer and navigate to the *c:\BFU* folder. Start the Brute Force Uninstaller by double-clicking *BFU.exe*

In the *scriptline to execute* field copy and paste *c:\bfu\alcanshorty.bfu* 
Press *execute* and let it do its job.

Wait for the *complete script execution* box to pop up and press OK. 
Press *exit* to terminate the BFU program.

Reboot into normal windows and post a new HiJackThis log.


----------



## emmameyer (Apr 12, 2006)

thank you again for your consideration; as soon as I'm back home (that is, on Monday) I will proceed with your instructions.
have a nice weekend and a happy Easter!


----------



## cybertech (Apr 16, 2002)

OK, sounds good.


----------



## emmameyer (Apr 12, 2006)

Dear cybertech, here I am with all my troubles...
things don't get better; there must be something nesting somewhere that keeps generating various malware... every time I scan the system things are found and cleaned, but with every reboot there they are again...
even I can tell some of them, like "*countrydial.exe*" or "*read1write.exe*", or this "*paytime.exe*" that EWIDO seems to clean but which nonetheless appears again if I redo the scan...
there is also something that tries to connect automatically to the internet...
besides, I have this "*e1xplorer*" thing that launches automatically when the OS is launched, and links to this "*secure32.html*" that hijacks the browser to sex sites or even blocks surfing altogether... I "fool" it by manually changing the start page of the browser, but sometimes it doesn't work...

this is what I did today:

scanned the system with ewido (log #1)
launched BFU (in safe mode) with the alcanshorty script, as you told me.
Having still things popping up, scanned again with ewido (log #2)
executed HJT for the log to be read by you (HJT log)
just for fun, launched Ewido again, and it still found things... (log #3)

even right now, while typing this post, AntiVir has stopped something:
coming from *C:\WINDOWS\system32\TFTP2744* - AntiVir says it contains a signature of the backdoor program *BDS/Codbot.AH*

and whenever I connect, the outgoing bytes are enormously high...

do you think I have any hope of "recovering"?
looking forward to your reply,
bye, and thank you...

*EWIDO LOG #1*
+ Creato il: 16.15.43, 17/04/2006
+ Report-Checksum: 29834B12

+ Risultati scansione:

[648] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.d : Pulito con Backup
[2392] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Pulito con Backup
[2800] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Errore durante la pulizia
[2956] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Errore durante la pulizia
[3084] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Errore durante la pulizia
[3100] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Errore durante la pulizia
[3148] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Errore durante la pulizia
[3256] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Errore durante la pulizia
[3264] C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Errore durante la pulizia
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\dytis[1].txt -> Trojan.Sinowal.d : Pulito con Backup
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\nlgwfcz[1].txt -> Hijacker.StartPage.adi : Pulito con Backup
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Pulito con Backup
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.d : Pulito con Backup
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe -> Trojan.Sinowal.d : Pulito con Backup
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.d : Pulito con Backup

::Fine Rapporto

*EWIDO LOG #2 (after BFU)*

+ Creato il: 18.05.59, 17/04/2006
+ Report-Checksum: 32E7E5A9

+ Risultati scansione:

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\nlgwfcz[1].txt -> Hijacker.StartPage.adi : Pulito con Backup
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\rfqtp[1].txt -> Hijacker.Small.kr : Pulito con Backup
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\nlgwfcz[1].txt -> Hijacker.StartPage.adi : Pulito con Backup
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\rfqtp[1].txt -> Hijacker.Small.kr : Pulito con Backup
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Pulito con Backup
C:\tool5.exe -> Hijacker.Small.kr : Pulito con Backup

::Fine Rapporto

*HJT LOG*

Logfile of HijackThis v1.99.1
Scan saved at 19.31.31, on 17/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\mnmsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\WINDOWS\system32\wssec.exe
C:\WINDOWS\explorer.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\windows\mousepad11.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\Program Files\paytime.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\Programmi\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00004.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: www.1987324.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

*EWIDO LOG #3*

+ Creato il: 20.56.37, 17/04/2006
+ Report-Checksum: BC96918E

+ Risultati scansione:

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\nlgwfcz[1].txt -> Hijacker.StartPage.adi : Pulito con Backup
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\rfqtp[1].txt -> Hijacker.Small.kr : Pulito con Backup
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Pulito con Backup
C:\tool5.exe -> Hijacker.Small.kr : Pulito con Backup

::Fine Rapporto


----------



## cybertech (Apr 16, 2002)

* Download this tool:
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the file and choose *Install*.

* Download Cleanup from *Here* 
A window will open and choose *SAVE*, then *DESKTOP* as the destination.
On your Desktop, click on *Cleanup40.exe icon.*
Then, click *RUN* and place a checkmark beside "*I Agree*"
Then click *NEXT* followed by *START* and *OK.*
A window will appear with many choices, *keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.*
Click *OK*
*DO NOT RUN IT YET*

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

*Run HJT again and put a check in the following:*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00004.exe"
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe

*Close all applications and browser windows before you click "fix checked".*

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
In the "Full Path of File to Delete" box, copy and paste the following lines.

*C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00004.exe
C:\windows\newname11.exe
C:\windows\mousepad11.exe
C:\windows\keyboard11.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\Program Files\paytime.exe*

Click on the button that has the red circle with the X in the middle after you enter the file name. 
It will ask for confirmation to delete the file.
Click *Yes*. 
It will ask if you want to reboot now,
Click *No*.

*Note:* It is possible that Killbox will tell you that the file does not exist.

Exit the Killbox.

* Run Cleanup:
Click on the "*Cleanup*" button and let it run.
Once it's done, *close the program*.

* Go to Internet Options, Programs
Click the *"Reset Web Settings"* button to reset your home and search pages.

* Restart back into Windows normally now.

* Run Kaspersky online virus scan *here*. 
When the scan is finished, Save the results from the scan!

* Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

*Post a new HiJackThis log along with the results from the Kaspersky scan and the SmitfraudFix report.*


----------
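One way to triage lines of an HJT log like the one posted above against the kind of entries cybertech's fix list targets (local-file start pages, a system.ini Shell= with an extra program, Run entries sitting bare in C:\windows or Program Files, look-alike system binary names, odd trusted zones, services with a missing file). This is an added example, not part of the thread and not HijackThis code; the allow-lists, the set of imitated system binaries and the sample log lines are constructed assumptions.

```python
"""Triage helper for HijackThis (HJT) v1.99 log lines: an added example, not part
of the thread and not HijackThis code. It scans the R0/R1, F2, O4, O15 and O23
lines that the fix list above targets and reports the entries worth a look."""
import re
from typing import List, Optional, Tuple

# Assumptions, not from the thread: allow-lists for IE pages and trusted zones,
# Windows binaries whose names malware imitates, and "flat" directories.
START_PAGE_ALLOW = {"msn.com", "microsoft.com", "sony-europe.com"}
TRUSTED_ZONE_ALLOW = {"sony-europe.com", "sonystyle-europe.com", "vaio-link.com"}
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
FLAT_DIRS = {"c:", r"c:\windows", r"c:\program files", r"c:\programmi"}

# Constructed sample modelled on the HJT log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00004.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O15 - Trusted Zone: www.1987324.com
O15 - Trusted Zone: *.sony-europe.com
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""

Finding = Tuple[str, str]  # (log line, reason it was flagged)

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; spots look-alikes such as spoolsvc vs spoolsv."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _registrable(host: str) -> str:
    # Crude "last two labels" domain, enough for the allow-list checks here.
    return ".".join(host.lower().split(".")[-2:])

def _exe_path(command: str) -> Optional[str]:
    """Executable named in an O4/O23 command line, quoted or not."""
    m = re.match(r'"([^"]+)"', command) or re.search(
        r"([a-z]:\\.*?\.exe|^\S+\.exe)", command, re.I)
    return m.group(1) if m else None

def _path_findings(path: str, line: str) -> List[Finding]:
    # Directory and file-name checks shared by O4 and O23 entries.
    low = path.lower()
    if "\\" not in low:          # bare name: no directory to judge
        return []
    directory, _, name = low.rpartition("\\")
    out = []
    if directory in FLAT_DIRS:
        out.append((line, f"executable {name} sits directly in {directory}"))
    if name in SYSTEM_BINARIES and not directory.endswith("\\system32"):
        out.append((line, f"{name} running from outside System32"))
    for sysname in SYSTEM_BINARIES:
        if name != sysname and _edit_distance(name, sysname) == 1:
            out.append((line, f"{name} looks like {sysname}"))
    return out

def triage(log_text: str) -> List[Finding]:
    """Return the HJT lines worth a second look, each with the reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(R0|R1|F2|O4|O15|O23) - (.*)", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            url = re.match(r"https?://([^/]+)", value, re.I)
            if re.match(r"[a-z]:\\", value, re.I):
                findings.append((line, "IE start/search page points at a local file"))
            elif url and _registrable(url.group(1)) not in START_PAGE_ALLOW:
                findings.append((line, f"IE page set to unknown site {url.group(1)}"))
        elif kind == "F2":
            shell = body.split("Shell=", 1)[-1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((line, "system.ini Shell= loads more than explorer.exe"))
        elif kind == "O4":
            path = _exe_path(body.split("] ", 1)[-1])
            if path:
                findings.extend(_path_findings(path, line))
        elif kind == "O15":
            host = body.split(": ", 1)[-1].lstrip("*.")
            if _registrable(host) not in TRUSTED_ZONE_ALLOW:
                findings.append((line, f"trusted zone {host} not on the allow-list"))
        elif kind == "O23":
            if body.endswith("(file missing)"):
                findings.append((line, "service binary reported missing; find out why"))
            path = _exe_path(body)
            if path:
                findings.extend(_path_findings(path, line))
    return findings

if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"{why:50} <- {hit[:75]}")
```

A flag is a prompt to look, not a verdict: a legitimate driver can live directly in C:\WINDOWS, and HJT reports "(file missing)" for some correctly installed services whose command lines it cannot parse, so each hit still needs a human check.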



## emmameyer (Apr 12, 2006)

Dear Cybertech, I have done all you asked (with great difficulties, because downloading and installing things is really tough...) though things are still there... this *e1xplorer* software is still on my application bar and all the other things keep on appearing...
I have started to back up all my files, just in case you tell me to format everything...  

The thing is, whatever I do there are nested restoring .exe, and the more I stay connected (to do the Kaspersky scanning, for instance) the more things appear... and the "upload" bytes are still enormously high, while connected...

Anyway, here are the reports you've asked for, plus a copy of the CleanUp! results (you didn't ask for it, but maybe it can help... or not...)
All things are posted on different posts due to the length of the messages...

thank you, sadly,
Giulia


----------



## emmameyer (Apr 12, 2006)

*CleanUp log*

CleanUp! started on 04/18/06 13:01:39.
...
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\michael\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\LocalService\Cookies\index.dat - deleted
C:\Documents and Settings\io\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\io\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Default User\Cookies\index.dat - deleted
C:\Documents and Settings\Administrator\Cookies\index.dat - deleted
C:\WINDOWS\Prefetch\50254.EXE-01A02926.pf - deleted
C:\WINDOWS\Prefetch\ACRORD32.EXE-00C8DC2E.pf - deleted
C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-153EC688.pf - deleted
C:\WINDOWS\Prefetch\ADOBE GAMMA LOADER.EXE-0197D328.pf - deleted
C:\WINDOWS\Prefetch\ADOBELMSVC.EXE-2C2F1F74.pf - deleted
C:\WINDOWS\Prefetch\AGRSMMSG.EXE-0034A7F7.pf - deleted
C:\WINDOWS\Prefetch\ANTIVIR_WORKSTATION_WIN7U_EN_-03020894.pf - deleted
C:\WINDOWS\Prefetch\AUPDATE.EXE-10D4E07C.pf - deleted
C:\WINDOWS\Prefetch\AVCENTER.EXE-105EC395.pf - deleted
C:\WINDOWS\Prefetch\AVCONFIG.EXE-0C2B6B88.pf - deleted
C:\WINDOWS\Prefetch\AVGNT.EXE-0C02A9E8.pf - deleted
C:\WINDOWS\Prefetch\AVGNT.EXE-0F4341E4.pf - deleted
C:\WINDOWS\Prefetch\AVGUARD.EXE-14133B6F.pf - deleted
C:\WINDOWS\Prefetch\AVGUARD.EXE-18EF2063.pf - deleted
C:\WINDOWS\Prefetch\AVNOTIFY.EXE-2508735D.pf - deleted
C:\WINDOWS\Prefetch\AVNOTIFY.EXE-291D1689.pf - deleted
C:\WINDOWS\Prefetch\AVSCAN.EXE-2178A868.pf - deleted
C:\WINDOWS\Prefetch\AVUNINST.EXE-21A88549.pf - deleted
C:\WINDOWS\Prefetch\AVWIN.EXE-16EF993C.pf - deleted
C:\WINDOWS\Prefetch\BFU.EXE-226FCFD7.pf - deleted
C:\WINDOWS\Prefetch\BLGHIOPFY.EXE-03A79B94.pf - deleted
C:\WINDOWS\Prefetch\CIDAEMON.EXE-27AE97A4.pf - deleted
C:\WINDOWS\Prefetch\CLONEDVD.EXE-3A46067C.pf - deleted
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf - deleted
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf - deleted
C:\WINDOWS\Prefetch\DELUS.EXE-1FE13BD1.pf - deleted
C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf - deleted
C:\WINDOWS\Prefetch\DRSMARTLOAD1.EXE-04DD9FC7.pf - deleted
C:\WINDOWS\Prefetch\DRSMARTLOAD45A.EXE-2B2E74BE.pf - deleted
C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf - deleted
C:\WINDOWS\Prefetch\DVDDECRYPTER.EXE-39FEE0EC.pf - deleted
C:\WINDOWS\Prefetch\EDITPAD.EXE-012FDD07.pf - deleted
C:\WINDOWS\Prefetch\ELBYCHECK.EXE-1AFF8C81.pf - deleted
C:\WINDOWS\Prefetch\EWIDO-SETUP.EXE-35253F76.pf - deleted
C:\WINDOWS\Prefetch\EXPAND.EXE-2490DB85.pf - deleted
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf - deleted
C:\WINDOWS\Prefetch\EZSP_PX.EXE-1E169BED.pf - deleted
C:\WINDOWS\Prefetch\E_S10MT2.EXE-0E680929.pf - deleted
C:\WINDOWS\Prefetch\E_S10RN2.EXE-38983110.pf - deleted
C:\WINDOWS\Prefetch\FGZR1.EXE-35AB8CD2.pf - deleted
C:\WINDOWS\Prefetch\FGZR1T.EXE-01C2492B.pf - deleted
C:\WINDOWS\Prefetch\FIND.EXE-0EC32F1E.pf - deleted
C:\WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf - deleted
C:\WINDOWS\Prefetch\FVSLHPT.EXE-0326161E.pf - deleted
C:\WINDOWS\Prefetch\GUARDGUI.EXE-1D385341.pf - deleted
C:\WINDOWS\Prefetch\GUARDGUI.EXE-214CF66D.pf - deleted
C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf - deleted
C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-37AD0A02.pf - deleted
C:\WINDOWS\Prefetch\HIXNDERE.EXE-11F9BC34.pf - deleted
C:\WINDOWS\Prefetch\HOTSYNC.EXE-0685AA38.pf - deleted
C:\WINDOWS\Prefetch\IEXPLORE.EXE-1BA17782.pf - deleted
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf - deleted
C:\WINDOWS\Prefetch\INETUPD.EXE-08A26049.pf - deleted
C:\WINDOWS\Prefetch\IPCONFIG.EXE-2395F30B.pf - deleted
C:\WINDOWS\Prefetch\I_VIEW32.EXE-2592C0A1.pf - deleted
C:\WINDOWS\Prefetch\JAVA.EXE-092858A3.pf - deleted
C:\WINDOWS\Prefetch\JAVAW.EXE-1DA9F6E6.pf - deleted
C:\WINDOWS\Prefetch\JAVAW.EXE-2D52BD80.pf - deleted
C:\WINDOWS\Prefetch\JINSTALL.EXE-2C657251.pf - deleted
C:\WINDOWS\Prefetch\JUCHECK.EXE-1C0EF04C.pf - deleted
C:\WINDOWS\Prefetch\KCWKMHROPJ.EXE-318BF782.pf - deleted
C:\WINDOWS\Prefetch\KEYBOARD10.EXE-142CC3C8.pf - deleted
C:\WINDOWS\Prefetch\LAUNCHER.EXE-36E625CE.pf - deleted
C:\WINDOWS\Prefetch\Layout.ini - deleted
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf - deleted
C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf - deleted
C:\WINDOWS\Prefetch\MDM.EXE-07915C2C.pf - deleted
C:\WINDOWS\Prefetch\MMC.EXE-05A52EBC.pf - deleted
C:\WINDOWS\Prefetch\MMC.EXE-38DDEDC9.pf - deleted
C:\WINDOWS\Prefetch\MNMSRV.EXE-07F5CD92.pf - deleted
C:\WINDOWS\Prefetch\MOUSEDRV.EXE-06190F92.pf - deleted
C:\WINDOWS\Prefetch\MOUSEPAD10.EXE-040A5BD7.pf - deleted
C:\WINDOWS\Prefetch\MPSHUNF.EXE-01E50188.pf - deleted
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf - deleted
C:\WINDOWS\Prefetch\MSIMN.EXE-0C000A90.pf - deleted
C:\WINDOWS\Prefetch\NDETECT.EXE-1C426B47.pf - deleted
C:\WINDOWS\Prefetch\NERO.EXE-39AB114D.pf - deleted
C:\WINDOWS\Prefetch\NEWNAME10.EXE-3865E82F.pf - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf - deleted
C:\WINDOWS\Prefetch\NOTIFIER.EXE-13293E80.pf - deleted
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf - deleted
C:\WINDOWS\Prefetch\NWIZ.EXE-2D0F9FBC.pf - deleted
C:\WINDOWS\Prefetch\OIQTYOWXTJF.EXE-35395EE7.pf - deleted
C:\WINDOWS\Prefetch\PATCH.EXE-3294C802.pf - deleted
C:\WINDOWS\Prefetch\PATCHJRE.EXE-04247533.pf - deleted
C:\WINDOWS\Prefetch\PHOTOSHOP.EXE-2625937F.pf - deleted
C:\WINDOWS\Prefetch\PING.EXE-31216D26.pf - deleted
C:\WINDOWS\Prefetch\POKER.EXE-11577639.pf - deleted
C:\WINDOWS\Prefetch\POWERDVD.EXE-1F2C37AA.pf - deleted
C:\WINDOWS\Prefetch\PPLKJKXI.EXE-1215403B.pf - deleted
C:\WINDOWS\Prefetch\PSDRVCHECK.EXE-04674802.pf - deleted
C:\WINDOWS\Prefetch\QTTASK.EXE-27A34FF0.pf - deleted
C:\WINDOWS\Prefetch\RASPHONE.EXE-11B5949C.pf - deleted
C:\WINDOWS\Prefetch\RDNSOJUQCXJ.EXE-36CFF5E7.pf - deleted
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-12E6ED95.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-15E942E0.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-246D3832.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-26FC70F9.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-483FB7B9.pf - deleted
C:\WINDOWS\Prefetch\SCHED.EXE-2DDD468C.pf - deleted
C:\WINDOWS\Prefetch\SERVICES.EXE-2B0DDD57.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-3833E368.pf - deleted
C:\WINDOWS\Prefetch\SETUP_34844.EXE-31E4EAC6.pf - deleted
C:\WINDOWS\Prefetch\SGTRAY.EXE-3031B1EF.pf - deleted
C:\WINDOWS\Prefetch\SK02.EXE-04C93FEB.pf - deleted
C:\WINDOWS\Prefetch\SMLOGSVC.EXE-054B1E6C.pf - deleted
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf - deleted
C:\WINDOWS\Prefetch\TSC.EXE-1BCEE377.pf - deleted
C:\WINDOWS\Prefetch\ULTRADEV.EXE-1F52D0E8.pf - deleted
C:\WINDOWS\Prefetch\UNPACK200.EXE-2D6FD5FC.pf - deleted
C:\WINDOWS\Prefetch\UPGRADE.EXE-2E5E8BB6.pf - deleted
C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf - deleted
C:\WINDOWS\Prefetch\VOBREGCHECK.EXE-177EFCCF.pf - deleted
C:\WINDOWS\Prefetch\WINAMP.EXE-0D680603.pf - deleted
C:\WINDOWS\Prefetch\WINAMPA.EXE-0976BF67.pf - deleted
C:\WINDOWS\Prefetch\WINHLP32.EXE-2C18E975.pf - deleted
C:\WINDOWS\Prefetch\WINWORD.EXE-2CF688F7.pf - deleted
C:\WINDOWS\Prefetch\WINZIP32.EXE-335422C1.pf - deleted
C:\WINDOWS\Prefetch\WMIAPSRV.EXE-1E2270A5.pf - deleted
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-3717B9A6.pf - deleted
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf - deleted
C:\WINDOWS\Prefetch\XP.AU-1E168CD0.pf - deleted
C:\WINDOWS\Prefetch\ZIPPER.EXE-0E7419AC.pf - deleted
C:\WINDOWS\Prefetch\~E5D141.TMP-318538E5.pf - deleted
C:\tmp\Check.dat - deleted
C:\tmp\InstantCopy.exe - deleted
C:\tmp\InstantCopy.ini - deleted
C:\tmp\InstantCopy.msi - deleted
C:\tmp\S6E10XV47XP.EXE - deleted
C:\tmp\eudora\Eudora_6.0.3.exe - deleted
C:\tmp\eudora\ - deleted
C:\tmp\InstantCopy7\autorun.inf - deleted
C:\tmp\InstantCopy7\serial.txt - deleted
C:\tmp\InstantCopy7\Setup.exe - deleted
C:\tmp\InstantCopy7\Setup.ini - deleted
C:\tmp\InstantCopy7\Acrobat\Acrobat.exe - deleted
C:\tmp\InstantCopy7\Acrobat\ - deleted
C:\tmp\InstantCopy7\Bin\demo32.exe - deleted
C:\tmp\InstantCopy7\Bin\Installation.dbd - deleted
C:\tmp\InstantCopy7\Bin\Installation.txt - deleted
C:\tmp\InstantCopy7\Bin\ - deleted
C:\tmp\InstantCopy7\InstantCopy\InstantCopy.exe - deleted
C:\tmp\InstantCopy7\InstantCopy\InstantCopy.ini - deleted
C:\tmp\InstantCopy7\InstantCopy\InstantCopy.msi - deleted
C:\tmp\InstantCopy7\InstantCopy\instmsi.exe - deleted
C:\tmp\InstantCopy7\InstantCopy\instmsiw.exe - deleted
C:\tmp\InstantCopy7\InstantCopy\Trans1031.mst - deleted
C:\tmp\InstantCopy7\InstantCopy\Trans1034.mst - deleted
C:\tmp\InstantCopy7\InstantCopy\Trans1036.mst - deleted
C:\tmp\InstantCopy7\InstantCopy\Trans1040.mst - deleted
C:\tmp\InstantCopy7\InstantCopy\Trans1043.mst - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\BDA.cab - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\BDANT.cab - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\cfgmgr32.dll - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\DirectX.cab - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\DSETUP.dll - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\dsetup32.dll - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\dxnt.cab - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\dxsetup.exe - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\setupapi.dll - deleted
C:\tmp\InstantCopy7\InstantCopy\DirectX\ - deleted
C:\tmp\InstantCopy7\InstantCopy\ - deleted
C:\tmp\InstantCopy7\Manual\InstantCopy_eng.pdf - deleted
C:\tmp\InstantCopy7\Manual\InstantCopy_fre.PDF - deleted
C:\tmp\InstantCopy7\Manual\InstantCopy_ger.pdf - deleted
C:\tmp\InstantCopy7\Manual\InstantCopy_ita.pdf - deleted
C:\tmp\InstantCopy7\Manual\InstantCopy_ned.pdf - deleted
C:\tmp\InstantCopy7\Manual\InstantCopy_spa.PDF - deleted
C:\tmp\InstantCopy7\Manual\ - deleted
C:\tmp\InstantCopy7\ - deleted
'Run MRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip Extract MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.5.1 recovered 98.2 MB of disk space from 875 files.
CleanUp! finished on 04/18/06 13:02:13.


----------



## emmameyer (Apr 12, 2006)

*KASPERSKY REPORT*

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, April 18, 2006 9:30:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 18/04/2006
Kaspersky Anti-Virus database records: 177354

Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects: 103697
Number of viruses found: 24
Number of infected objects: 148
Number of suspicious objects: 0
Duration of the scan process: 01:10:50

Infected Object Name / Virus Name / Last Action
C:\!KillBox\paytime.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\!KillBox\spoolsvc.exe Infected: Packed.Win32.Tibs skipped
C:\countrydial.exe Infected: Packed.Win32.Tibs skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\rfqtp[1].txt Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\z[1].jpg/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\z[1].jpg/stream Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\z[1].jpg NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\lkfhroxlam[1].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\lkfhroxlam[2].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\todlool[1].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\dytis[1].txt Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\nlgwfcz[1].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\puzjtisyn[1].txt Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\sk02[1].exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\sk02[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\wrmoeebyr[1].txt Infected: Packed.Win32.Tibs skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\X4WRYELJ\htbapqzjp[1].txt Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\X4WRYELJ\mhgvspmwyk[1].txt Infected: Packed.Win32.Tibs skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\X4WRYELJ\qygseikhki[1].htm Infected: Trojan.Win32.Harnig.a skipped
C:\kl1.exe Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Program Files\paytime.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\Program Files\secure32.html Infected: Trojan.Win32.Harnig.a skipped
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00033.dll Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00033.exe Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00034.dll Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\secure32.html Infected: Trojan.Win32.Harnig.a skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048021.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048022.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048076.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048077.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048090.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048091.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048102.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048103.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048104.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048105.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048106.exe Infected: Trojan-Downloader.Win32.Adload.am skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048107.exe Infected: Trojan-Clicker.Win32.VB.mo skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0048108.exe Infected: Trojan-Downloader.Win32.Adload.an skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049118.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049118.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049119.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049120.exe Infected: Trojan-Downloader.Win32.Adload.an skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049121.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049149.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049151.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049152.exe Infected: Trojan-Downloader.Win32.Adload.an skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049153.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049154.exe Infected: Trojan-Downloader.Win32.Adload.am skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049155.exe Infected: Trojan-Clicker.Win32.VB.mo skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049156.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049157.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049168.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049168.exe/stream Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049168.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049182.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049183.exe Infected: Trojan-Downloader.Win32.VB.aad skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049185.exe Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049188.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049188.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049211.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP394\A0049212.exe Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049251.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049251.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049259.dll Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049260.dll Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049928.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049932.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049933.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049945.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049946.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049947.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049949.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049960.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049972.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049972.exe/stream Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049972.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049973.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049974.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049975.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049977.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049979.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049981.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0049982.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050002.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050003.exe Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050012.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050014.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050015.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050016.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050017.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050018.exe Infected: Trojan-Clicker.Win32.VB.mo skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050019.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050020.exe Infected: Backdoor.Win32.SdBot.anx skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050021.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050034.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050034.exe/stream Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050034.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050039.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050040.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050041.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050056.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050058.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050059.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050060.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050063.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050065.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050081.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050082.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050083.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050084.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050085.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050087.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050092.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050103.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050110.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050112.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050127.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050128.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050129.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050130.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050135.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050137.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050731.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050732.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050739.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050740.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050741.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050743.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050749.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050765.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050766.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050770.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050771.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050776.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050777.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050778.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050779.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050781.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050787.exe
Infected: Trojan-Clicker.Win32.Small.kr skipped

C:\tool5.exe Infected: Trojan-Clicker.Win32.Small.kr skipped

C:\WINDOWS\Downloaded Program Files\rfh33w7\fgzr1.exe Infected: 
Email-Worm.Win32.LovGate.ap skipped

C:\WINDOWS\system32\dcomcfg.exe Infected: Packed.Win32.Tibs skipped

C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

C:\WINDOWS\system32\spoolsvc.exe Infected: Packed.Win32.Tibs skipped

C:\WINDOWS\system32\sysmon.exe Infected: Packed.Win32.Tibs skipped

C:\WINDOWS\system32\wssec.exe Infected: Backdoor.Win32.SdBot.apg skipped

C:\WINDOWS\Temp\adv.exe Infected: Trojan-Downloader.Win32.Harnig.bg 
skipped

Scan process completed.
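Reading a report like the one above by hand means separating two very different groups of hits: the copies under `System Volume Information\_restore{...}` are System Restore snapshots that the on-line scanner reports but cannot clean, while the handful of files outside that folder are the ones actually present on the live system. The following triage script is an added example, not part of the thread or of the Kaspersky scanner; its sample report is a constructed subset of the entries above, kept in the wrapped form the forum software produced so that the rejoining step is exercised too.

```python
"""Triage of a Kaspersky on-line scanner report (added example, not from the thread).

Entries have the shape "<path> Infected: <detection> <verdict>", one per
paragraph, and long ones were wrapped over several lines by the forum.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: seven entries copied in shape from the report above,
# including the line wrapping, plus the trailing status line.
SAMPLE_REPORT = r"""
C:\System Volume
Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050084.exe
Infected: Trojan-PSW.Win32.Sinowal.i skipped

C:\System Volume
Information\_restore{73D0C349-932A-4A19-AA1F-29AD581C9BC3}\RP395\A0050087.exe
Infected: Packed.Win32.Tibs skipped

C:\tool5.exe Infected: Trojan-Clicker.Win32.Small.kr skipped

C:\WINDOWS\Downloaded Program Files\rfh33w7\fgzr1.exe Infected:
Email-Worm.Win32.LovGate.ap skipped

C:\WINDOWS\system32\spoolsvc.exe Infected: Packed.Win32.Tibs skipped

C:\WINDOWS\system32\wssec.exe Infected: Backdoor.Win32.SdBot.apg skipped

C:\WINDOWS\Temp\adv.exe Infected: Trojan-Downloader.Win32.Harnig.bg
skipped

Scan process completed.
"""

ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<name>\S+) (?P<verdict>\S+)$")
# System Restore keeps copies of deleted files under this folder; the scanner
# reports them, but they are snapshots, not files that start with Windows.
RESTORE_MARKER = r"\system volume information\_restore"


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    verdict: str

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_MARKER in self.path.lower()


def parse_report(text: str) -> list:
    """Rejoin each wrapped paragraph into one line and parse it; other text is ignored."""
    found = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = " ".join(line.strip() for line in block.splitlines())
        m = ENTRY_RE.match(entry)
        if m:
            found.append(Detection(m["path"], m["name"], m["verdict"]))
    return found


def triage(detections) -> dict:
    """Split live files from restore-point copies and count detections per family."""
    live = [d.path for d in detections if not d.in_restore_point]
    restore = [d.path for d in detections if d.in_restore_point]
    return {"live": live, "restore_point": restore,
            "families": Counter(d.name for d in detections)}


if __name__ == "__main__":
    report = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(report['restore_point'])} restore-point copies, "
          f"{len(report['live'])} live files:")
    for path in report["live"]:
        print("  ", path)
    for name, n in report["families"].most_common():
        print(f"{n:3d}  {name}")
```

On the full report above, the "live" list is exactly the set of System32 and Temp files the helper later puts into Killbox, which is why the two groups are worth separating before reading further; the restore-point copies are only reachable through System Restore itself.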


----------



## emmameyer (Apr 12, 2006)

*SmitFraud REPORT*

SmitFraudFix v2.32

Scan done at 0.20.38,26, 19/04/2006
Run from C:\Documents and Settings\io\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\kl1.exe FOUND !
C:\secure32.html FOUND !
C:\tool5.exe FOUND !
C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\teller2.chk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\io\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Programmi

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## emmameyer (Apr 12, 2006)

*finally, the HJT log...*

Logfile of HijackThis v1.99.1
Scan saved at 0.04.22, on 19/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\system32\wssec.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\paytime.exe
C:\Programmi\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00033.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)


----------



## cybertech (Apr 16, 2002)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HJT log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non-infected computer will remove your Desktop background.


----------



## emmameyer (Apr 12, 2006)

Hi...

done...

*e1xplorer* still there...

*countrydial.exe* was on C:/ too, but I deleted it manually before doing the HJT...

here are the report and log...

can you hear my whining even across the ocean?...

Giulia

*SmitFraud report*

SmitFraudFix v2.32

Scan done at 2.12.34,28, 19/04/2006
Run from C:\Documents and Settings\io\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\kl1.exe Deleted
C:\secure32.html Deleted
C:\tool5.exe Deleted
C:\uniq Deleted
C:\WINDOWS\teller2.chk Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

*HJT log*

Logfile of HijackThis v1.99.1
Scan saved at 2.22.52, on 19/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\system32\wssec.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\Programmi\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00043.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: www.1987324.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)


----------



## emmameyer (Apr 12, 2006)

hello... just a quick note to say that while typing the previous post, AntiVir has popped up signalling this file as dangerous:
*C:\WINDOWS\system32\71145.exe*
saying it contains the signature of
*WORM/Sdbot.178688.5*

...just to let you know.

bye, thank you for your time,
Giulia


----------



## cybertech (Apr 16, 2002)

Print out these instructions and perform them in safe mode.

*Run HJT again and put a check in the following:*

F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00043.exe"
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O15 - Trusted Zone: www.1987324.com
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

*Close all applications and browser windows before you click "fix checked".*

Close HJT.

Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
In the "Full Path of File to Delete" box, copy and paste the following lines.
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00043.exe
C:\WINDOWS\Downloaded Program Files\rfh33w7\fgzr1.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\spoolsvc.exe
C:\WINDOWS\system32\sysmon.exe
C:\WINDOWS\system32\wssec.exe
C:\countrydial.exe
C:\WINDOWS\system32\71145.exe

Click on the button that has the red circle with the X in the middle after you enter the file name. 
It will ask for confirmation to delete the file.
Click Yes. 
It will ask if you want to reboot now,
Click No.

*Note:* It is possible that Killbox will tell you that the file does not exist.

Exit the Killbox.

Empty this folder:
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\*Content.IE5*

Reboot to normal mode.

Post a new HJT log and let me know how things are going.
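The five lines cybertech picks out above come from two kinds of reasoning: some entries are suspicious on their own (a `Shell=` value in system.ini with anything appended to `explorer.exe`, a Trusted Zone addition, a service with an unknown owner whose binary is missing from the Windows directory), while the `[Systems] spoolsvc.exe` Run entry is only suspicious because it was not in the log posted a couple of hours earlier. The script below is an added example, not part of the thread or of HijackThis, that encodes both checks; its two sample logs are constructed subsets of the 0.04.22 and 2.22.52 logs posted in this thread.

```python
"""HijackThis log triage: static rules plus a diff against the previous log.

Added example; it is neither part of the thread nor part of HijackThis.
The rules encode what the helper above checks by eye, and the two sample
logs are constructed subsets of the logs posted in this thread.
"""
import re

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
LOCAL_FILE = re.compile(r"= *([a-z]:\\\S+)", re.IGNORECASE)
SERVICE_PATH = re.compile(r"Unknown owner - (.+?) \(file missing\)")
AUTOSTART_SECTIONS = ("F2", "O4", "O15", "O23")

# Constructed subset of the log scanned at 0.04.22 (before SmitfraudFix ran).
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 0.04.22, on 19/04/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00033.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""

# Constructed subset of the log scanned at 2.22.52 (after SmitfraudFix ran).
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2.22.52, on 19/04/2006

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00043.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O15 - Trusted Zone: www.1987324.com
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""


def parse_hjt(text):
    """(section, body) for every 'Xn - ...' line; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def flag_entry(section, body):
    """Reason string if a single line trips a static rule, else None."""
    if section == "F2" and "Shell=" in body:
        # system.ini Shell= must be exactly explorer.exe; anything appended runs at logon.
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return "shell override"
    if section in ("R0", "R1") and LOCAL_FILE.search(body):
        # Start/Default/Local page redirected to a file on disk (c:\secure32.html above).
        return "IE page set to a local file"
    if section == "O15":
        # O15 lists domains added to IE's Trusted Zone; a fresh XP has none.
        return "trusted zone addition"
    if section == "O23":
        m = SERVICE_PATH.search(body)
        # The VAIO services also show "(file missing)" because of their odd quoting,
        # so only services whose binary would live under the Windows directory count.
        if m and m.group(1).lower().startswith("c:\\windows\\"):
            return "unknown service, binary missing from Windows directory"
    return None


def new_autostarts(old_text, new_text):
    """Autostart entries present in the new log but absent from the old one."""
    old = set(parse_hjt(old_text))
    return [e for e in parse_hjt(new_text) if e not in old and e[0] in AUTOSTART_SECTIONS]


def triage(old_text, new_text):
    """Static hits, newly appeared autostarts, and the union as a fix list of HJT bodies."""
    static = []
    for section, body in parse_hjt(new_text):
        reason = flag_entry(section, body)
        if reason:
            static.append((section, body, reason))
    added = new_autostarts(old_text, new_text)
    fix = sorted({b for _, b, _ in static} | {b for _, b in added})
    return {"static": static, "new_autostarts": added, "fix": fix}


if __name__ == "__main__":
    for body in triage(OLD_LOG, NEW_LOG)["fix"]:
        print("fix:", body)
```

Run over these two logs, the union of the static hits and the diff is exactly the five lines cybertech asks to have fixed, and the `[Systems] spoolsvc.exe` entry is caught only by the diff. That is the practical reason helpers keep every log a poster submits: a bland name in `HKLM\..\Run` says nothing by itself, but a Run value that did not exist two hours ago does.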


----------



## emmameyer (Apr 12, 2006)

Hello cybertech... I am not sure about how things are going... whenever I do what you say, apparently the pc runs smoothly for a while (though task manager still wouldn't work, installations are not possible, and even saving .txt files takes 3 or 4 attempts...)
but as soon as I connect, malware is triggered back to life again and *Mb on MB are downloaded and uploaded* from my pc... needless to say, I have tried to install Zone Alarm but it doesn't work at all... and the Firewall in my Net Connection cannot be activated (an alert pops up with the message Error 1060, which actually refers to something else, but still prevents the firewall from being activated...)

and small .exe files keep on being generated, after being deleted with Ewido, BFU, Killbox, cleanUp, or fixed with HJT...

and this bloody *e1xplorer* (sorry for cursing, but when it's needed it's needed...!) is still there and no way of getting rid of it, no way of using the right click on it, it doesn't appear to be in the applications in Control Panel, it doesn't appear in the list of the quick launch applications on the application bar... SGRUNT!!

here is the new HJT log:
please note that I have highlighted a couple of strings that "I don't like": do you know anything about them? I don't like their names, lol... don't like the fact that something can "quietly install" (*installquiet*), or "dumping a repair" (*dumprep*)...

thank you for your time and consideration...
Giulia

*HJT log*

Logfile of HijackThis v1.99.1
Scan saved at 11.53.29, on 19/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\winsqa.exe
C:\Programmi\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft SDKb] winsqa.exe
O4 - HKLM\..\RunServices: [Microsoft SDKb] winsqa.exe
O4 - HKCU\..\Run: [Microsoft SDKb] winsqa.exe
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Accesso pannello remoto (apanr) - Unknown owner - C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
O23 - Service: WsSec(wssec) (WsSec) - Unknown owner - C:\WINDOWS\system32\wssec.exe (file missing)


----------



## cybertech (Apr 16, 2002)

First off, these entries are all fine.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

This one is not malware or virus but is not needed:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

****************************************
Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

I would like you to turn off system restore but do not create a new restore point yet.
Click here to see how.

Once you have done that proceed with the remainder of the instructions.

In *safe mode* please complete the following:

*Run HJT again and put a check in the following:*

O4 - HKLM\..\Run: [Microsoft SDKb] winsqa.exe
O4 - HKLM\..\RunServices: [Microsoft SDKb] winsqa.exe
O4 - HKCU\..\Run: [Microsoft SDKb] winsqa.exe
O23 - Service: Accesso pannello remoto (apanr) - Unknown owner - C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe (file missing)
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
O23 - Service: WsSec(wssec) (WsSec) - Unknown owner - C:\WINDOWS\system32\wssec.exe (file missing)

*Close all applications and browser windows before you click "fix checked".*

Close HJT.

Double-click on Killbox.exe to run it. 
Put a tick by Delete on Reboot. 
In the "Full Path of File to Delete" box, copy and paste the following line:

*C:\WINDOWS\System32\winsqa.exe*

Click on the button that has the red circle with the X in the middle after you enter the file name. 
It will ask for confirmation to delete the file. 
Click *Yes*. 
It will ask if you want to reboot now,
Click *No*.

Close Killbox.

Double click *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

Reboot to normal mode.

After your machine has rebooted, please run the KASPERSKY ON-LINE SCANNER again. It should not take as long but please *save the log* from the scan.

Go to the *WinPFind folder*
Locate *WinPFind.txt*
Post WinPFind.txt in your next post here please.
Post a new HijackThis log.
Post the Kaspersky scanner log.

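The list cybertech asks to have fixed above is the product of a few recognisable patterns in a HijackThis log: a service whose binary is not on disk and has no owner, an autorun whose label borrows a Microsoft name for a bare executable, a program started from the drive root or the root of Program Files, a file name one letter away from a core Windows binary (or the exact name in the wrong folder), a browser start page pointing at a local file, and an explicit DNS override. The script below is an added example written for this thread, not a HijackThis or TechGuy tool, that applies those checks to lines copied from the logs posted here; the System32 path and the set of core binaries are assumptions about a default Windows XP layout.

```python
"""Heuristic triage of HijackThis-style log lines (added example; not a
HijackThis or TechGuy tool).  Flags: a service binary missing on disk, an
autorun label borrowing a Microsoft/Windows name for an unknown program, a
program run from the drive root or Program Files root, a name one edit away
from a core Windows binary (or the exact name in the wrong folder), a browser
page pointing at a local file, and an explicit NameServer.  SYSTEM32 and
CORE_BINARIES are assumptions about a default Windows XP layout."""
import re

SYSTEM32 = "c:\\windows\\system32\\"
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
O4_RE = re.compile(r"^O4 - .+?: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
R_RE = re.compile(r"^R[01] - .+?,(?P<setting>[^=]+?) = (?P<data>.+)$")
O17_RE = re.compile(r"^O17 - .+NameServer = (?P<servers>.+)$")

# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft SDKb] winsqa.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A935783-5B5D-4380-A6AF-2FD17735F40D}: NameServer = 85.37.17.5 85.38.28.77
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
O23 - Service: WsSec(wssec) (WsSec) - Unknown owner - C:\WINDOWS\system32\wssec.exe (file missing)
"""


def executable_of(cmd):
    """Program part of a Run command, unquoted and lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split()[0].lower()


def one_edit_away(a, b):
    """True if a becomes b by one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    # Deleting one character of the longer name must give the shorter one.
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def path_findings(exe):
    """Findings that depend only on the executable's name and folder."""
    name = exe.rsplit("\\", 1)[-1]
    folder = exe[:len(exe) - len(name)]
    out = []
    if re.fullmatch(r"[a-z]:\\(program files\\)?", folder):
        out.append("runs from drive root or Program Files root")
    if name in CORE_BINARIES and folder and folder != SYSTEM32:
        out.append("core Windows binary name outside System32")
    out += ["name is one edit away from " + c for c in sorted(CORE_BINARIES)
            if one_edit_away(name, c)]
    return out


def triage_hjt(log_text):
    """Return {entry: [findings]} for lines that deserve a second look."""
    report = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            found = path_findings(exe)
            # A Microsoft-sounding label on a program outside System32 is a
            # common disguise; treat it as a prompt to verify, not a verdict.
            if re.search(r"microsoft|windows", m.group("label"), re.I) \
                    and not exe.startswith(SYSTEM32):
                found.append("label borrows a Microsoft/Windows name")
            if found:
                report["O4 " + m.group("label")] = found
            continue
        m = O23_RE.match(line)
        if m:
            found = path_findings(m.group("path").lower())
            if m.group("missing"):
                found.append("service binary missing on disk")
            if found and m.group("owner") == "Unknown owner":
                found.append("no file-version owner")
            if found:
                report["O23 " + m.group("name")] = found
            continue
        m = R_RE.match(line)
        if m and re.match(r"[a-z]:\\", m.group("data"), re.I):
            report["R " + m.group("setting")] = ["browser page points at a local file"]
            continue
        m = O17_RE.match(line)
        if m:
            report["O17"] = ["explicit DNS servers: " + m.group("servers")
                             + " (confirm they belong to the ISP)"]
    return report


if __name__ == "__main__":
    for entry, findings in triage_hjt(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(findings))
```

Run as-is it prints the same set of entries cybertech singled out, plus the paytime.exe and spoolsvc.exe lines that appear in the later log, while the NVIDIA and AntiVir entries stay quiet. The O17 line is reported only so the addresses can be checked against the ISP's; an explicit NameServer is frequently legitimate.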

----------



## emmameyer (Apr 12, 2006)

I'm going through with your instructions, just wanted you to know how much I appreciate your help - if the award for "tech guys" volunteering is (and I'm quoting) to feel warm inside, you must be scalded inside by the stream of my grateful thoughts!! 
keep you posted,
Giulia


----------



## cybertech (Apr 16, 2002)

You're welcome!


----------



## emmameyer (Apr 12, 2006)

Hi, here I am again...
with no good news...
everything seems to be as it was... do you think I should format everything?

By the way: First off these entries are all fine.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
sorry about that, but as you might understand, I am getting a bit paranoid... today I wanted to virus-scan the postman, when he rang... lol

just a small question: after turning off the system restore you didn't tell me to turn it back on, so I didn't - is that fine?

Following please find the last logs anyway...

thank you for still having the patience of reading this...
G


----------



## emmameyer (Apr 12, 2006)

*WinPFind log*

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 19/04/2006 16.30.32 6394 C:\countrydial.exe
UPX! 19/04/2006 16.30.18 73216 C:\kl1.exe
FSG! 19/04/2006 16.31.08 1393 C:\tool5.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts

Checking %System% folder...
UPX! 19/04/2006 16.08.08 8954 C:\WINDOWS\SYSTEM32\dcomcfg.exe
PEC2 10/09/2002 14.00.00 41144 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 10/09/2002 14.00.00 648704 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 19/04/2006 16.08.06 6394 C:\WINDOWS\SYSTEM32\spoolsvc.exe
UPX! 10/02/2006 11.43.44 287170 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 09/01/2006 10.36.04 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 09/01/2006 10.36.06 40960 C:\WINDOWS\SYSTEM32\swsc.exe
UPX! 19/04/2006 16.08.08 8954 C:\WINDOWS\SYSTEM32\sysmon.exe
winsync 10/09/2002 14.00.00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack 19/04/2006 10.44.50 238592 C:\WINDOWS\SYSTEM32\winsqa.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
19/04/2006 22.03.30 S 2048 C:\WINDOWS\bootstat.dat
19/04/2006 12.07.34 RHS 176640 C:\WINDOWS\system32\bitsec.exe
18/04/2006 1.42.46 H 35860 C:\WINDOWS\system32\vsconfig.xml
19/04/2006 22.03.22 H 8192 C:\WINDOWS\system32\config\DEFAULT.LOG
19/04/2006 22.03.50 H 1024 C:\WINDOWS\system32\config\SAM.LOG
19/04/2006 22.03.30 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
19/04/2006 22.13.24 H 114688 C:\WINDOWS\system32\config\SOFTWARE.LOG
19/04/2006 22.14.30 H 974848 C:\WINDOWS\system32\config\SYSTEM.LOG
19/04/2006 22.02.22 H 6 C:\WINDOWS\Tasks\SA.DAT
19/04/2006 9.47.00 HS 74635 C:\WINDOWS\Temp\$_2341233.TMP
19/04/2006 9.17.00 HS 8 C:\WINDOWS\Temp\$_2341235.TMP

Checking for CPL files...
Microsoft Corporation 10/09/2002 14.00.00 68096 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 10/09/2002 14.00.00 582144 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 10/09/2002 14.00.00 132096 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 10/09/2002 14.00.00 151040 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 10/09/2002 14.00.00 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 10/09/2002 14.00.00 124928 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 10/09/2002 14.00.00 66560 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 13.03.50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 10/09/2002 14.00.00 188928 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 10/09/2002 14.00.00 564736 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 10/09/2002 14.00.00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 10/09/2002 14.00.00 258048 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 10/09/2002 14.00.00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Kodak 19/10/2000 9.18.06 198656 C:\WINDOWS\SYSTEM32\PCConfig.cpl
Microsoft Corporation 10/09/2002 14.00.00 111616 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 24/10/2003 1.42.28 316416 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 10/09/2002 14.00.00 271360 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 10/09/2002 14.00.00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 10/09/2002 14.00.00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 05/09/2001 14.40.48 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 03/08/2004 14.59.04 168216 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 10/09/2002 14.00.00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 10/09/2002 14.00.00 582144 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 10/09/2002 14.00.00 132096 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 10/09/2002 14.00.00 151040 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 10/09/2002 14.00.00 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 10/09/2002 14.00.00 124928 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 10/09/2002 14.00.00 66560 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 10/09/2002 14.00.00 188928 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 10/09/2002 14.00.00 564736 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 10/09/2002 14.00.00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 10/09/2002 14.00.00 258048 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 10/09/2002 14.00.00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 10/09/2002 14.00.00 111616 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 10/09/2002 14.00.00 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 10/09/2002 14.00.00 271360 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 10/09/2002 14.00.00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 10/09/2002 14.00.00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
15/11/2005 11.00.24 1877 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.lnk
03/12/2005 11.16.50 1741 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk
12/09/2004 14.10.54 HS 84 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/09/2004 15.06.10 HS 62 C:\Documents and Settings\All Users\Dati applicazioni\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
12/09/2004 14.10.54 HS 84 C:\Documents and Settings\io\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini
19/09/2003 11.22.16 1443 C:\Documents and Settings\io\Menu Avvio\Programmi\Esecuzione automatica\Manager HotSync.lnk
30/10/2005 19.40.40 962 C:\Documents and Settings\io\Menu Avvio\Programmi\Esecuzione automatica\Registration-InstantCopy.lnk

Checking files in %USERPROFILE%\Application Data folder...
03/12/2005 11.15.14 873 C:\Documents and Settings\io\Dati applicazioni\AdobeDLM.log
18/04/2006 19.51.28 13256 C:\Documents and Settings\io\Dati applicazioni\CleanUp!.log
12/09/2004 15.06.10 HS 62 C:\Documents and Settings\io\Dati applicazioni\desktop.ini
03/12/2005 11.15.14 0 C:\Documents and Settings\io\Dati applicazioni\dm.ini
19/09/2005 18.51.44 37203 C:\Documents and Settings\io\Dati applicazioni\Valori separati da virgola (DOS).ADR
26/02/2006 17.56.06 24454 C:\Documents and Settings\io\Dati applicazioni\Valori separati da virgola (Windows).ADR

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Picture Page Software Album
{248E7DC0-E03D-11D1-A9CB-00609793DD57} = C:\Programmi\Kodak\PicturePageSoftware\PExpMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Programmi\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Blocco menu Start = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Picture Page Software Album
{248E7DC0-E03D-11D1-A9CB-00609793DD57} = C:\Programmi\Kodak\PicturePageSoftware\PExpMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Programmi\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programmi\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
= 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Suggerimenti = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
ButtonText = @shdoclc.dll,-866	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Programmi\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
SearchBand = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo	: %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo	: %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = Co&llegamenti	: %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AGRSMMSG	AGRSMMSG.exe
NvCplDaemon	RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz	nwiz.exe /installquiet
ezShieldProtector for Px	C:\WINDOWS\System32\ezSP_Px.exe
StorageGuard	"C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
CloneDVDElbyDelay	"C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
VOBRegCheck	C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
PinnacleDriverCheck	C:\WINDOWS\System32\PSDrvCheck.exe
WinampAgent	"C:\Programmi\Winamp\Winampa.exe"
KernelFaultCheck	%systemroot%\system32\dumprep 0 -k
QuickTime Task	"C:\Programmi\QuickTime\qttask.exe" -atboottime
WireLessMouse	C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
SunJavaUpdateSched	C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
avgnt	"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 19/04/2006 22.21.05


----------



## emmameyer (Apr 12, 2006)

*HJT log*

Logfile of HijackThis v1.99.1
Scan saved at 23.44.30, on 19/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\bitsec.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Palm\HOTSYNC.EXE
c:\countrydial.exe
C:\WINDOWS\System32\dcomcfg.exe
c:\Program Files\paytime.exe
c:\countrydial.exe
c:\Program Files\paytime.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Palm\HOTSYNC.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Programmi\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100337968843
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/activex/fa_os_mms/upload_1132.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6it.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A935783-5B5D-4380-A6AF-2FD17735F40D}: NameServer = 85.37.17.5 85.38.28.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A935783-5B5D-4380-A6AF-2FD17735F40D}: NameServer = 85.37.17.5 85.38.28.77
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Accesso pannello remoto (apanr) - Unknown owner - C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: NetMeeting Remote Desktop (mnmsrv) - Unknown owner - C:\WINDOWS\system32\mnmsrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
O23 - Service: WsSec(wssec) (WsSec) - Unknown owner - C:\WINDOWS\system32\wssec.exe (file missing)


----------
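The O17 and O23 lines at the end of the HijackThis log above are the entries a helper reads first: O17 shows which DNS resolvers the machine is using, and O23 lists installed services with their owner and binary path. The script below is an added example and is not part of the thread, nor a HijackThis tool. It parses those two entry types from a constructed sample (a few lines copied from the log; the full log is not reproduced) and, for each service, collects the warning signs a helper looks for: the binary is reported missing, the owner is unknown, the file sits directly under C:\WINDOWS or under a download/temp folder, or the display name borrows Microsoft's name while the owner is unknown. The location heuristics and the wording of the reasons are my own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v1.99.1 format: a few O17/O23 lines copied
# from the log above. Only a handful of entries are reproduced here.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A935783-5B5D-4380-A6AF-2FD17735F40D}: NameServer = 85.37.17.5 85.38.28.77
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Accesso pannello remoto (apanr) - Unknown owner - C:\WINDOWS\Downlo~1\rfh33w7\fgzr1.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
O23 - Service: WsSec(wssec) (WsSec) - Unknown owner - C:\WINDOWS\system32\wssec.exe (file missing)
"""

# O23 layout: "O23 - Service: <display> (<short name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O17 layout: "O17 - <registry key>: NameServer = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ]+)$")


@dataclass
class ServiceFinding:
    name: str
    display: str
    owner: str
    path: str
    reasons: List[str] = field(default_factory=list)


def _suspicious_location(path: str) -> Optional[str]:
    """Heuristic (assumption): a service binary directly in C:\\WINDOWS, or under
    Downloaded Program Files / Temp, is unusual enough to be worth a second look."""
    p = path.lower()
    windir = "c:\\windows\\"
    if not p.startswith(windir):
        return None
    rest = p[len(windir):]
    if "\\" not in rest:  # no further subdirectory: file lives directly in C:\WINDOWS
        return "binary sits directly in the Windows directory"
    first = rest.split("\\", 1)[0]
    if first.startswith("downlo") or first == "temp":
        return "binary sits under C:\\WINDOWS\\" + first
    return None


def triage_services(log_text: str) -> List[ServiceFinding]:
    """Parse every O23 line and attach the reasons it deserves attention.
    Services with the most reasons come first; ties keep log order."""
    findings: List[ServiceFinding] = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        f = ServiceFinding(m["name"], m["display"], m["owner"], m["path"])
        unknown_owner = m["owner"].lower() == "unknown owner"
        if m["missing"]:
            f.reasons.append("service points at a file that no longer exists (dead autostart entry)")
        if unknown_owner:
            f.reasons.append("no publisher information for the binary")
        loc = _suspicious_location(m["path"])
        if loc:
            f.reasons.append(loc)
        if unknown_owner and "microsoft" in m["display"].lower():
            f.reasons.append("display name claims to be Microsoft's but the owner is unknown")
        findings.append(f)
    return sorted(findings, key=lambda s: -len(s.reasons))


def flagged_service_names(log_text: str) -> List[str]:
    """Short names of the services that collected at least one reason."""
    return [s.name for s in triage_services(log_text) if s.reasons]


def parse_nameservers(log_text: str) -> List[str]:
    """Every resolver IP named in O17 lines, in order of first appearance.
    The script cannot judge them; the owner should compare the list with the
    resolvers the ISP actually assigns."""
    servers: List[str] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for ip in m["servers"].split():
                if ip not in servers:
                    servers.append(ip)
    return servers


if __name__ == "__main__":
    for s in triage_services(SAMPLE_LOG):
        flag = "!!" if s.reasons else "ok"
        print(f"[{flag}] {s.name}: {s.path}")
        for r in s.reasons:
            print("      -", r)
    print("O17 resolvers to verify with the ISP:", ", ".join(parse_nameservers(SAMPLE_LOG)))
```

On the sample, the three services that end up flagged are exactly the ones a helper would ask about: a "Microsoft Windows Update Service" owned by nobody and pointing at a non-existent C:\WINDOWS\services.exe, the apanr entry under Downloaded Program Files, and WsSec. The two real vendor services (AntiVir, NVIDIA) collect no reasons. The O17 resolvers are only listed; whether they are legitimate depends on what the ISP hands out.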



## emmameyer (Apr 12, 2006)

*Kaspersky log*

KASPERSKY ON-LINE SCANNER REPORT
Wednesday, April 19, 2006 11:35:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 19/04/2006
Kaspersky Anti-Virus database records: 177564

Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects: 98902
Number of viruses found: 12
Number of infected objects: 45
Number of suspicious objects: 0
Duration of the scan process: 00:52:29

Infected Object Name / Virus Name / Last Action
C:\!KillBox\countrydial.exe Infected: Packed.Win32.Tibs skipped
C:\!KillBox\dcomcfg.exe Infected: Packed.Win32.Tibs skipped
C:\!KillBox\fgzr1.exe Infected: Email-Worm.Win32.LovGate.ap skipped
C:\!KillBox\paytime.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\!KillBox\spoolsvc.exe Infected: Packed.Win32.Tibs skipped
C:\!KillBox\sysmon.exe Infected: Packed.Win32.Tibs skipped
C:\!KillBox\winsqa.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\!KillBox\wssec.exe Infected: Backdoor.Win32.SdBot.apg skipped
C:\countrydial.exe Infected: Packed.Win32.Tibs skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\rfqtp[1].txt Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\todlool[1].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\z[1].jpg/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\z[1].jpg/stream Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\DTXSWC42\z[1].jpg NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\lewl[1].exe/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\lewl[1].exe/stream Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\lewl[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\lkfhroxlam[1].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\lkfhroxlam[2].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\L4S1CQSL\todlool[1].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\dytis[1].txt Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\nlgwfcz[1].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\puzjtisyn[1].txt Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\puzjtisyn[2].txt Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\sk02[1].exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\sk02[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\wrmoeebyr[1].txt Infected: Packed.Win32.Tibs skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\R4YDL56F\wrmoeebyr[2].txt Infected: Packed.Win32.Tibs skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\X4WRYELJ\htbapqzjp[1].txt Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\X4WRYELJ\mhgvspmwyk[1].txt Infected: Packed.Win32.Tibs skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\X4WRYELJ\qygseikhki[1].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\X4WRYELJ\qygseikhki[2].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Program Files\paytime.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00053.dll Infected: Trojan-PSW.Win32.Sinowal.b skipped
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00053.exe Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00054.dll Infected: Trojan-PSW.Win32.Sinowal.i skipped
C:\Programmi\File comuni\Microsoft Shared\Web Folders\_ibm00045.exe Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\tool5.exe Infected: Trojan-Clicker.Win32.Small.kr skipped
C:\WINDOWS\system32\bitsec.exe Infected: Backdoor.Win32.SdBot.apg skipped
C:\WINDOWS\system32\dcomcfg.exe Infected: Packed.Win32.Tibs skipped
C:\WINDOWS\system32\spoolsvc.exe Infected: Packed.Win32.Tibs skipped
C:\WINDOWS\system32\sysmon.exe Infected: Packed.Win32.Tibs skipped
C:\WINDOWS\Temp\adv.exe Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\WINDOWS\Temp\apihelp.chm Infected: Packed.Win32.Tibs skipped
C:\WINDOWS\Temp\apihelp2.chm Infected: Packed.Win32.Tibs skipped

Scan process completed.


----------



## cybertech (Apr 16, 2002)

emmameyer said:


> do you think I should format everything?


If you want my opinion, yes.

If you have a burner or other way to save your important data do that and format the drive.

Is that an option?


----------



## emmameyer (Apr 12, 2006)

Yes, I have a burner and have already bought a good stock of DVDs... the problem is not in the data, right? It's all in the system, isn't it? I might try to format only C:\, since I have all data on D:\... but I'll back up anyway.

The only reason I was struggling to avoid formatting is that I'm going to lose some important software, 'cause I had it installed during my former job and I don't have the CDs, they were the office's property - though I will have to live with it, lol...

I'll let you know how the euthanasia of the pc will go, just for the record...
thanks for the time you've spent around this, I really appreciated it,
Giulia


----------



## emmameyer (Apr 12, 2006)

Hello cybertech, here I am again, just to tell you that I formatted my hard disk (only C: though) and everything seems to be fine (don't you see how shiny and "clean" my typing is??).
I have a very last question for you, if you'll be so kind and patient as to answer: having formatted only C:\, is there a chance that something is hiding or nesting in D:? I mean something mean... In a nutshell: can I safely shop online, or is it better if I format D: as well, to be on the safe side?
Thank you again for all your support, I appreciated it enormously!
Best,
Giulia


----------



## cybertech (Apr 16, 2002)

Glad to hear it!! :up:

I don't recall ever seeing anything reported on the D drive. 
What do you have there? 
Have you done a virus scan directly to that drive?


----------



## emmameyer (Apr 12, 2006)

Yes, you are right, nothing was ever reported on D by any of the virus scans and nothing ever appeared in the system logs...
I was just doubting because all the virus scanning/cleaning hadn't been able to solve the problems I had, so I thought hey, maybe something can still be playing hide&seek somewhere...

On the D drive I have only data (as far as I'm concerned... or better, as far as I'm able to understand... lol), and I had it scanned directly... I just wanted to be sure because I usually buy flight tickets online using my credit card number, so...

everything is working properly though, no problems with the connection, no suspicious traffic (and btw I could install Zone Alarm again & feel much safer, am I wrong??), all programs are prompt and obedient... I hope the nightmare has come to an end!

I really want to thank you again for your support, you really were of great help and I greatly appreciated your promptness in replies and patient attention... now I can go on with my shallow web designing with all my data safe!
best,
Giulia


----------



## cybertech (Apr 16, 2002)

After the attack you had I hope you have checked your bank accounts, credit cards, etc to be sure all transactions are yours.

Here are some links that you might find of value and ZA is noted as well as other firewalls.

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!!


----------



## emmameyer (Apr 12, 2006)

Hello Cybertech, still out there saving lost souls in the vast sea of malware?



cybertech said:


> After the attack you had I hope you have checked your bank accounts, credit cards, etc to be sure all transactions are yours.


Yes, I did check, but luckily I have no home banking; the only online use I make of a credit card is to purchase books from Amazon and buy airplane tickets, but I never did any of these after I was infected... thank you for your concern, though (it's always my boyfriend's credit card anyway, LOL LOL)



cybertech said:


> Here are some links that you might find of value
> Good free tools and advice on how to tighten your security settings.
> Security Help Tools


Thank you again for your help, I read through every link you suggested and installed a few things (SpywareGuard, SpywareBlaster, Firefox as my new default browser...)

Everything seems to work fine *for the moment* (just trying to ward off some bad luck - Italians are superstitious, you know!).
I don't know if I have thanked you enough, but you have all my gratitude for the help and especially the support you gave me.
So, I think we can "call it a thread", don't you?
Thank you again, and I wish you all the best in life and in your shared crusade (with all the TSG guys) against the evil and the dark side of the 01-world!!!
bye bye,
Giulia


----------

