Help!!!!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Wise Man
For a few days I have been infected by a thousand spyware programs or whatever they are...
I have used a lot of programs to remove them and at least now I can use the PC decently.
But I no longer see the desktop background.
Before, a red screen came up with the word "Danger" in the middle.
After several attempts to clean up I can use the PC and I got rid of the screen, but I no longer see my background.
I have a white screen with my desktop icons.
I only see my background when the computer shuts down...
Help!!!!


lpp: Google translation is not the best, but at least I can get the idea.
Logfile of HijackThis v1.99.1
Scan saved at 22.16.21, on 08/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\FlyNet\CnxDslTb.exe
C:\Programmi\Trust\3010A WIRELESS DESKSET\Keyboard\kbdap32a.EXE
C:\Programmi\Trust\3010A WIRELESS DESKSET\Mouse\mouse32a.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\SPYWAREfighter\spfprc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alberto\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Omnipage] C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\FlyNet\CnxDslTb.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Programmi\Trust\3010A WIRELESS DESKSET\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programmi\Trust\3010A WIRELESS DESKSET\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programmi\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [dmokz.exe] C:\WINDOWS\System32\dmokz.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C6BEBA53-1F7E-4A0A-B738-61FBB49E0B06} (VPDefaultX Control) - http://videopostaumail.alice.it/resources/VPDefault.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
LoPhatPhuud
SpywareQuake and SpyFalcon belong to the Smitfraud family of desktop hijackers that pop up over the desktop or give an alert from the taskbar near the clock and display a warning message that your computer is infected with spyware, telling you to buy/download/install their program. These warnings are fake and are a goad to have you buy the commercial version of this software. This version is slightly different from the previous variants (SpywareStrike, SpyAxe, etc.) in that the alerts do not look like Windows Security alerts but are rather a square that appears from your taskbar. An example of this alert is below:


Other Smitfraud variants include:
Security IGuard
Virtual Maid
Search Maid
AntiVirusGold
PSGuard
RazeSpyware
SpyAxe
SpySheriff
SpywareStrike
WinHound

SpywareQuake/SpyFalcon/Smitfraud Removal

Note: These instructions are only for Windows 2000, XP Home, XP Pro, & 2003.

The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instructions from)

2. Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

3. Windows 2000/XP/2003 (includes Ewido)
Download, install, and update Ewido AntiMalware (get the free trial version)
http://www.ewido.net/en/download/

a. Install Ewido AntiMalware

b. Launch Ewido, there should be a big yellow E icon on your desktop, double-click it.

c. The program will prompt you to update click the OK button

d. The program will now go to the main screen

e. On the left hand side of the main screen click on Update

f. Click on Start. The update will start and a progress bar will show the updates being installed.

g. Do not scan yet. We'll do that later in SAFE MODE


4. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


5. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually.

6. Reboot into Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

7. Once in safe mode, start Ewido AntiMalware

a. Click on scanner

b. Click on *complete system scan*

c. Let the program scan the machine.

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.
Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

Click OK.


When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
........................
For Win98/ME users, please scan with Adaware (full system scan) and let it remove any infected files found.

8. Exit the program and reboot back to normal mode.

9. Get a free online AV scan at Panda's ActiveScan
Let it remove any infected files found, and when it finishes save the log at the end to post back here.

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)

10. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier and the Panda report. We will also need the log from Smitrem: the tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your new topic. Logs needed in your post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Ewido Scan report

Panda ActiveScan report

Fresh HijackThis log
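The symptom in the opening post (a white desktop with the icons still there, the real wallpaper visible only while the machine shuts down) is what an Active Desktop component drawn over the wallpaper looks like, and the "Desktop Components" section of the SmitfraudFix report posted further down shows the key behind it: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0 with Source and SubscribedURL set to C:\WINDOWS\desktop.html and FriendlyName "Security". The Python script below is an added example written for this page; it is not SmitfraudFix's code and nothing in the thread contains it. It parses a .reg export of the Components key (the sample is constructed from the values in that report, plus a hypothetical web-hosted component for contrast), flags any component whose Source or SubscribedURL is a local file instead of a web URL (the editor's heuristic: a legitimately configured local HTML component would also trip it, so check the file before acting) and emits the .reg text that deletes the flagged keys.

```python
import re

# Constructed .reg-style export modelled on the "Desktop Components" section of the
# SmitfraudFix report in this thread. Component 1 is hypothetical and benign (a
# web-hosted item, the normal Active Desktop case) and is there for contrast.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\desktop.html"
"SubscribedURL"="C:\\WINDOWS\\desktop.html"
"FriendlyName"="Security"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.example.com/weather.html"
"SubscribedURL"="http://www.example.com/weather.html"
"FriendlyName"="Weather"
"""

COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>(?:[^"\\]|\\.)*)"$')
# Drive letter, UNC path or file: URL: content served from disk rather than the web.
LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\|file:)", re.IGNORECASE)


def unescape_reg(value: str) -> str:
    """Undo the backslash escapes a .reg export applies to string values (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg(text: str) -> dict:
    """Map each [key] in a .reg export to its string values (other value types are ignored)."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line.strip())
        if m and current is not None:
            keys[current][m.group("name")] = unescape_reg(m.group("value"))
    return keys


def hijacked_components(keys: dict) -> list:
    """Active Desktop components whose content is a local file rather than a web URL.

    Heuristic (editor's assumption): Smitfraud-style overlays point the component at an
    HTML file it dropped on disk; a user-configured local component would match too.
    """
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(COMPONENTS_KEY.lower() + "\\"):
            continue
        for name in ("Source", "SubscribedURL"):
            target = values.get(name, "")
            if LOCAL_PATH.match(target):
                findings.append((key, f"{name} is a local file: {target}"))
                break
    return findings


def removal_reg(keys) -> str:
    """Build .reg text that deletes the given keys: a '-' before the key name inside the
    brackets tells the registry editor to delete the key instead of creating it."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += [f"[-{key}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = hijacked_components(parse_reg(SAMPLE_REG))
    for key, reason in flagged:
        print(f"{key}: {reason}")
    print(removal_reg([key for key, _ in flagged]))
```

Importing the generated file only removes the component registration; the dropped HTML file and the wallpaper setting still have to be dealt with, which is what the SmitfraudFix clean option in step 5 does for the poster. Review the flagged keys before importing, because the check is a heuristic on the Source path and not a signature.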
Wise Man
I didn't understand much... maybe I copied something twice.... HELP!!!!!
SmitFraudFix v2.68b

Scan done at 10.53.55,23, 09/07/2006
Run from C:\Documents and Settings\Alberto\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
SmitFraudFix v2.68b

Scan done at 10.53.20,10, 09/07/2006
Run from C:\Documents and Settings\Alberto\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alberto\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Alberto\PREFER~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programmi


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\desktop.html"
"SubscribedURL"="C:\\WINDOWS\\desktop.html"
"FriendlyName"="Security"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11.15.57 09/07/2006

+ Scan result:



C:\Documents and Settings\Alberto\Impostazioni locali\Temp\NoadwareBkupTemp\alberto@as-eu.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Alberto\Cookies\alberto@ilead.itrack[1].txt -> TrackingCookie.Itrack : No action taken.


::Report end
Incident Status Location

Virus:Trj/Ruins.MB Disinfected Operating system
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\System32\{32A07F18-9621-49DF-9C7B-EC95F6239378}.dll
Adware:adware/ideskbar Not disinfected c:\windows\system32\drivers\zpmodemnt.sys
Potentially unwanted tool:application/unspypc Not disinfected c:\windows\system32\filesafer23.exe
Adware:adware/winprotect Not disinfected c:\windows\help\SPAlert.chm
Adware:adware/cws Not disinfected c:\documents and settings\all users\preferiti\Download Free Spyware Remover.url
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Adware:adware/fastlook Not disinfected Windows registry
Adware:Adware/SBSoft Not disinfected C:\Documents and Settings\Alberto\Desktop\hijackthis\backups\backup-20051217-193713-252.dll
Adware:Adware/SBSoft Not disinfected C:\Documents and Settings\Alberto\Desktop\hijackthis\backups\backup-20060108-173544-222.dll
Adware:Adware/SBSoft Not disinfected C:\Documents and Settings\Alberto\Desktop\hijackthis\backups\backup-20060703-195515-700.dll
Adware:Adware/SBSoft Not disinfected C:\Documents and Settings\Alberto\Desktop\hijackthis\backups\backup-20060707-202015-823.dll
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Alberto\Impostazioni locali\Temp\Cookies\alberto@ad.yieldmanager[1].txt
Adware:Adware/SBSoft Not disinfected C:\Documents and Settings\Alberto\Impostazioni locali\Temp\NoadwareBkupTemp\{32A07F18-9621-49DF-9C7B-EC95F6239378}.dll
Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\cswkx.exe
Virus:Trj/DNSChanger.ED Disinfected C:\WINDOWS\system32\hgqhp.exe
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\kilacln.exe[KillAndCleanUpdate.exe]
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\system32\pcmbz.dll
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\system32\ubbjm.dll
Virus:Trj/Downloader.IQM Disinfected C:\WINDOWS\system32\xp.au
Virus:Trj/DNSChanger.ED Disinfected C:\WINDOWS\system32\yaemu.exe
Adware:Adware/QuickWeb Not disinfected C:\WINDOWS\system32\{41E49959-FD78-4E04-9184-EC5B6D1D637B}.exe
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\{7AE2B211-F5C2-4015-A625-7C339DD1C88B}.exe
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\system32\{A0635248-C8A1-4FE5-90D0-9C2D20BE06B6}.dll
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{A0C9C064-8ABF-45AE-A368-C31A6C0BD1FA}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{A0C9C064-8ABF-45AE-A368-C31A6C0BD1FA}.exe[KillAndCleanUpdate.exe]
Adware:Adware/RazeSpyware Not disinfected C:\WINDOWS\system32\{A6011CE1-5E01-4B73-B88C-16A9C7A701FA}.exe
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\{A78854CE-B66C-4C3E-918F-64663A2E6506}.exe
Virus:W32/Drefir.E.worm Not disinfected D:\Emule-download\Fiorello e Baldini - Viva Radio 2 2006(1).rar[f4CjVcQ.exe]
Incident Status Location

Adware:adware/ideskbar Not disinfected c:\windows\system32\drivers\zpmodemnt.sys
Adware:adware/cws Not disinfected c:\documents and settings\all users\preferiti\Download Free Spyware Remover.url
Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\Alberto\Cookies\alberto@ilead.itrack[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Alberto\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Alberto\Impostazioni locali\Temp\NoadwareBkupTemp\alberto@as-eu.falkag[1].txt
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\kilacln.exe[KillAndCleanUpdate.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{47F5BDE7-6F6A-489C-BC97-2A203AAB608E}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{47F5BDE7-6F6A-489C-BC97-2A203AAB608E}.exe[KillAndCleanUpdate.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{78E9940E-F935-4BB9-B37A-EFD5BBBE9A21}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{78E9940E-F935-4BB9-B37A-EFD5BBBE9A21}.exe[KillAndCleanUpdate.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{A0C9C064-8ABF-45AE-A368-C31A6C0BD1FA}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{A0C9C064-8ABF-45AE-A368-C31A6C0BD1FA}.exe[KillAndCleanUpdate.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{EFC9068A-2ADA-4BE3-A9BD-1BD336FF98E6}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{EFC9068A-2ADA-4BE3-A9BD-1BD336FF98E6}.exe[KillAndCleanUpdate.exe]
Logfile of HijackThis v1.99.1
Scan saved at 11.46.11, on 09/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\FlyNet\CnxDslTb.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Trust\3010A WIRELESS DESKSET\Keyboard\kbdap32a.EXE
C:\Programmi\Trust\3010A WIRELESS DESKSET\Mouse\mouse32a.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\SPYWAREfighter\spfprc.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Alberto\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Omnipage] C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\FlyNet\CnxDslTb.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Programmi\Trust\3010A WIRELESS DESKSET\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programmi\Trust\3010A WIRELESS DESKSET\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programmi\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C6BEBA53-1F7E-4A0A-B738-61FBB49E0B06} (VPDefaultX Control) - http://videopostaumail.alice.it/resources/VPDefault.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E80D19D-5E74-4A5F-8B5E-D2A22C8928FF}: NameServer = 85.255.114.94 85.255.112.132
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
LoPhatPhuud
Nothing shows in your log, but the Panda scan shows a lot of different infections so I am going to have you run two disinfectors to be sure they are removed.


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
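Two lines in the logs above lend themselves to a mechanical check. The first HijackThis log has O4 - HKLM\..\Run: [dmokz.exe] C:\WINDOWS\System32\dmokz.exe, a five-letter random name in System32 with the Run value named after the file, the same naming style as the cswkx.exe, hgqhp.exe and yaemu.exe files in the Panda report; that entry is gone from the second log, taken after SmitfraudFix ran. The second log has O17 - ... NameServer = 85.255.114.94 85.255.112.132, and both addresses sit in 85.255.112.0/20, the address block the DNSChanger family (Panda's Trj/DNSChanger.ED) pointed victims' resolvers at; that attribution is a fact from outside this thread, not something the posts state. The Python script below is an added example written for this page, not code from the forum or from HijackThis: it parses O4 and O17 lines (the sample input is constructed from the lines quoted here), applies a random-name heuristic to Run entries and compares the configured resolvers against a hypothetical allow-list (EXPECTED_RESOLVERS) and the known-bad block. The heuristic is the editor's and will produce false positives; it is a triage aid, not a verdict.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the two HijackThis v1.99.1 logs in this
# thread (the [dmokz.exe] O4 entry from the first log, the O17 line from the second).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programmi\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [dmokz.exe] C:\WINDOWS\System32\dmokz.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E80D19D-5E74-4A5F-8B5E-D2A22C8928FF}: NameServer = 85.255.114.94 85.255.112.132
"""

O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Four to six lowercase letters and nothing else: the naming style of the droppers in
# this thread (dmokz, cswkx, hgqhp, yaemu). Editor's heuristic, not a signature.
RANDOM_NAME = re.compile(r"^[a-z]{4,6}\.exe$")

# Hypothetical allow-list: the resolvers this machine is supposed to use (router or ISP).
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Block used by the DNSChanger family (85.255.112.0 to 85.255.127.255); both servers in
# the O17 line above fall inside it.
KNOWN_BAD_RESOLVERS = [ipaddress.ip_network("85.255.112.0/20")]


@dataclass
class RunEntry:
    hive: str
    name: str
    cmd: str

    def target(self) -> str:
        """Executable path from the command string: the quoted token, or the first word."""
        cmd = self.cmd.strip()
        if cmd.startswith('"'):
            return cmd[1 : cmd.index('"', 1)]
        return cmd.split()[0]


def suspicious_run_entry(entry: RunEntry) -> bool:
    """Random-looking executable in System32 whose Run value is named after the file."""
    folder, _, base = entry.target().rpartition("\\")
    in_system32 = folder.lower().endswith("\\system32")
    return in_system32 and RANDOM_NAME.match(base) is not None and entry.name.lower() == base.lower()


def check_nameservers(servers, expected=EXPECTED_RESOLVERS, bad=KNOWN_BAD_RESOLVERS):
    """Return (server, reason) for every resolver that is not one we expect."""
    findings = []
    for s in servers:
        ip = ipaddress.ip_address(s)
        if any(ip in net for net in bad):
            findings.append((s, "in known DNSChanger range"))
        elif ip not in expected and not ip.is_private:
            findings.append((s, "not an expected resolver"))
    return findings


def triage(log_text: str) -> dict:
    """Scan a HijackThis log and return the suspicious O4 names and O17 findings."""
    o4, o17 = [], []
    for line in log_text.splitlines():
        m = O4_LINE.match(line)
        if m:
            entry = RunEntry(**m.groupdict())
            if suspicious_run_entry(entry):
                o4.append(entry.name)
            continue
        m = O17_LINE.match(line)
        if m:
            o17.extend(check_nameservers(re.split(r"[,\s]+", m.group("servers").strip())))
    return {"o4": o4, "o17": o17}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

An O17 hit matters even after the dropper is gone: the resolver setting survives file deletion, so every lookup keeps going to the attacker's servers until the NameServer value is reset or the interface is put back on DHCP, which is the kind of leftover the FixWareout run requested above is meant to catch.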