Help me... 24 nights passed trying to solve..

Discussion in 'adware, spyware & hijack cleaning' started by ragehard1972, Jun 4, 2004.

  1. ragehard1972

    ragehard1972 Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    9
    Hi,
    I have been trying to resolve my spyware/hijack problem for at least 24 nights... I give up..
    Please could someone help me?

    Here is my HijackThis report:

    StartupList report, 05/06/2004, 0.53.51
    StartupList version: 1.52
    Started from : C:\hijackthis\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmi\Roxio\GoBack\GBPoll.exe
    C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\GSICON.EXE
    C:\WINNT\system32\dslagent.exe
    C:\WINNT\tppaldr.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Programmi\Roxio\GoBack\GBTray.exe
    C:\Programmi\MightyFax NT\MFNTCTL.EXE
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica]
    Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    GoBack.lnk = C:\Programmi\Roxio\GoBack\GBTray.exe
    Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    MightyFAX Controller.lnk = C:\Programmi\MightyFax NT\MFNTCTL.EXE
    WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ccApp = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
    SymTray - Norton SystemWorks = C:\Programmi\File comuni\Symantec Shared\Symtray.exe SetReg
    Share-to-Web Namespace Daemon = C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    Synchronization Manager = mobsync.exe /logon
    nForce Tray Options = sstray.exe /r
    DownloadAccelerator = C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    GSICONEXE = GSICON.EXE
    DSLAGENTEXE = dslagent.exe USB
    NeroFilterCheck = C:\WINNT\system32\NeroCheck.exe
    PCLEPCI = C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    TPP Auto Loader = C:\WINNT\tppaldr.exe
    EPSON Stylus C84 Series = C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
    PinnacleDriverCheck = C:\WINNT\system32\PSDrvCheck.exe -CheckReg
    Ad-aware = "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    SymTray - Norton SystemWorks =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    WallPaper = C:\DOCUME~1\Daniela\DOCUME~1\WALLCH~1.90\WALLPA~1.EXE /h

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - prova.job
    Norton AntiVirus - Scan my computer.job
    OEB_New Backup Job(2).job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [MetaStreamCtl Class]
    InProcServer32 = C:\Programmi\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
    CODEBASE = https://components.viewpoint.com/MT....04.03&http://www.tagheuer.com/watches/3d.lbl

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINNT\system32\Cult3D\IECult.dll
    CODEBASE = http://www.cult3d.com/download/cult.cab

    [iNotes6 Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\inotes6.dll
    CODEBASE = http://notes6.capecod.it/iNotes6.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINNT\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINNT\system32\opuc.dll
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc/opuc.cab

    [WSDownloader Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\WSDOWN~1.OCX
    CODEBASE = http://www.webshots.com/samplers/WSDownloader.ocx

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.4192361111

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\OUTC.DLL
    CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Ambiente supporto di rete AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
    Avvisi: %SystemRoot%\System32\services.exe (autostart)
    Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
    ATI Smart: C:\WINNT\system32\ati2sgag.exe (autostart)
    Browser di computer: %SystemRoot%\System32\services.exe (autostart)
    Symantec Event Manager: "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe" (autostart)
    Client DHCP: %SystemRoot%\System32\services.exe (autostart)
    Gestione disco logico: %SystemRoot%\System32\services.exe (autostart)
    Client DNS: %SystemRoot%\System32\services.exe (autostart)
    ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
    Registro eventi: %SystemRoot%\system32\services.exe (autostart)
    D-Link DSL-200 USB ADSL Loader: system32\DRIVERS\gafwload.sys (autostart)
    GBPoll: C:\Programmi\Roxio\GoBack\GBPoll.exe (autostart)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    Servizio guida TCP/IP NetBIOS: %SystemRoot%\System32\services.exe (autostart)
    Messenger: %SystemRoot%\System32\services.exe (autostart)
    Norton AntiVirus Auto Protect Service: "C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe" (autostart)
    FireDaemon Service: NNTP: C:\winnt\system32\export\FireDaemon.EXE (autostart)
    Norton Unerase Protection: "C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" (autostart)
    Gestione archivi rimovibili: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Agente criteri IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
    Archiviazione protetta: %SystemRoot%\system32\services.exe (autostart)
    Servizio Registro di sistema remoto: %SystemRoot%\system32\regsvc.exe (autostart)
    RPC (Remote Procedure Call): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Gestione protezione account: %SystemRoot%\system32\lsass.exe (autostart)
    SAVRTPEL: \??\C:\WINNT\System32\Drivers\SAVRTPEL.SYS (autostart)
    ScriptBlocking Service: C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Utilità di pianificazione: %SystemRoot%\system32\MSTask.exe (autostart)
    Servizio RunAs: %SystemRoot%\system32\services.exe (autostart)
    Notifica eventi di sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Speed Disk service: C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (autostart)
    Spooler di stampa: %SystemRoot%\system32\spoolsv.exe (autostart)
    Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
    SYMTDI: \??\C:\WINNT\System32\Drivers\SYMTDI.SYS (autostart)
    Tmfilter: System32\drivers\Tmfilter.sys (autostart)
    Trend NT Realtime Service: "C:\Programmi\Trend Micro\PC-cillin 2000\Tmntsrv.exe" (autostart)
    Manutenzione collegamenti distribuiti client: %SystemRoot%\system32\services.exe (autostart)
    Vsapint: System32\drivers\Vsapint.sys (autostart)
    SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
    Strumentazione gestione Windows: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    WMDM PMSP Service: C:\WINNT\System32\mspmspsv.exe (autostart)
    Ambiente di supporto del provider del Servizio Non-IFS di Windows Socket 2.0: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
    Aggiornamenti automatici: %systemroot%\system32\svchost.exe -k wugroup (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\system32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 13.518 bytes
    Report generated in 0,060 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Thank you

    Christian from Imola, Italy (Ferrari rules!) :oops:
     
  2. ragehard1972 (Registered Member)

    Forgot! Help me... 24 nights passed trying to solve..

    I didn't post the HijackThis log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 1.08.15, on 05/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmi\Roxio\GoBack\GBPoll.exe
    C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\GSICON.EXE
    C:\WINNT\system32\dslagent.exe
    C:\WINNT\tppaldr.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Programmi\Roxio\GoBack\GBTray.exe
    C:\Programmi\MightyFax NT\MFNTCTL.EXE
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iol.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = libero.it;iol.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [WallPaper] C:\DOCUME~1\Daniela\DOCUME~1\WALLCH~1.90\WALLPA~1.EXE /h
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
    O4 - HKCU\..\Run: [SpySweeper] C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: GoBack.lnk = C:\Programmi\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MightyFAX Controller.lnk = C:\Programmi\MightyFax NT\MFNTCTL.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Crea preferiti portatile (HKLM)
    O9 - Extra 'Tools' menuitem: Crea preferiti portatile... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT....04.03&http://www.tagheuer.com/watches/3d.lbl
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://notes6.capecod.it/iNotes6.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.4192361111
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{00747D3C-5A67-40D3-A7CB-CFADBDFF1457}: NameServer = 193.70.192.25 193.70.152.25
    O17 - HKLM\System\CS1\Services\Tcpip\..\{00747D3C-5A67-40D3-A7CB-CFADBDFF1457}: NameServer = 193.70.192.25 193.70.152.25

    :'( :doubt: :blink: o_O
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi ragehard1972,

    Can you tell us what the problem is exactly?

    Regards,

    Pieter
     
  4. ragehard1972 (Registered Member)

    Yes,

    Even if I run Ad-aware/SpywareBlaster/Spy Sweeper etc. etc., they perform the scan and remove some spyware, then at the next startup I find some spyware again (VX2 BetterInternet, Zestyfind, and AllAboutSearch too). It seems like some spyware component stays hidden somewhere....

    I tried to clean up with W2K in Safe Mode but the situation still remains the same.

    Thank you for your interest.

    Bye

    Christian :p
     
  5. Pieter_Arntz (Spyware Veteran)

    Ah, Zestyfind :mad:

    Download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe

    Run VX2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
     
  6. ragehard1972 (Registered Member)
    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called: GuardianKZZHH
    Asynchronous 000
    DllName C:\WINNT\system32\1a94camera.cpy.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {36689B83-93AB-4980-8365-F9DE9A8D01E1}
    IDex CS2

    User Agent String---
    {36689B83-93AB-4980-8365-F9DE9A8D01E1}



    Here it is....... :oops:
     
  7. Pieter_Arntz (Spyware Veteran)

    Stay off the net until all files are deleted (second reboot).

    Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with a notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that).

    After that last file is gone, go to
    Start > Run > type regedit, press Enter and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianKZZHH

    (Note: the five letters in caps at the end may have changed [KZZHH] but it will still start with Guardian)

    Right-click on the Guardian..... key and select Delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run VX2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Regards,

    Pieter
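The removal procedure above, as an added example that is not part of the thread and not VX2Finder's own code: a small Python parser for the log format VX2Finder prints in post #6 (the "Files Found---", "Guardian Key--- is called:" and "User Agent String---" sections). It pulls out the Guardian subkey, explains why its values (DllName, Logon, Logoff) make it a Winlogon notification-package persistence, and turns the report into the same three deletions the instructions walk through by hand: the files, the Winlogon\Notify subkey (emitted as a .reg file using the `[-key]` delete syntax), and the user-agent CLSID. The "Guardian plus five random capitals" rule is taken from Pieter's note; the sample log is the one posted in this thread. The .reg output only covers the Notify key; the user-agent entry and policy restore are left to VX2Finder's own buttons as in the instructions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Winlogon loads every DLL registered under this key into winlogon.exe at boot and
# calls the exported Logon/Logoff handlers on each event. A DLL mapped there is
# locked while the session is up and can re-create its files, which is why the
# on-disk copy keeps coming back until the subkey itself is removed.
NOTIFY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Pieter's note: the name starts with "Guardian" followed by five capitals that may
# change between reboots (the thread shows KZZHH, then ZSDJF).
GUARDIAN_RE = re.compile(r"Guardian[A-Z]{5}")

# Sample input: the VX2Finder log posted in this thread.
SAMPLE_LOG = r"""Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\1a94camera.cpy.dll


Guardian Key--- is called: GuardianZSDJF
Asynchronous 000
DllName C:\WINNT\system32\1a94camera.cpy.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {36689B83-93AB-4980-8365-F9DE9A8D01E1}
IDex CS2

User Agent String---
{36689B83-93AB-4980-8365-F9DE9A8D01E1}
"""


@dataclass
class VX2Report:
    files: list = field(default_factory=list)            # paths under "Files Found---"
    guardian_key: Optional[str] = None                   # subkey name under Winlogon\Notify
    guardian_values: dict = field(default_factory=dict)  # value name -> data
    user_agent_ids: list = field(default_factory=list)   # CLSIDs under "User Agent String---"


def parse_vx2finder(text: str) -> VX2Report:
    """Parse the plain-text log that VX2Finder's *make log* button writes."""
    report = VX2Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Log for "):
            continue
        m = re.match(r"Guardian Key--- is called:\s*(\S+)", line)
        if m:
            report.guardian_key = m.group(1)
            section = "guardian"
        elif line.startswith("Files Found---"):
            section = "files"
        elif line.startswith("User Agent String---"):
            section = "useragent"
        elif section == "files":
            report.files.append(line)
        elif section == "guardian":
            # "DllName C:\WINNT\system32\x.dll" -> ("DllName", "C:\WINNT\system32\x.dll")
            name, _, value = line.partition(" ")
            report.guardian_values[name] = value.strip()
        elif section == "useragent":
            report.user_agent_ids.append(line)
    return report


def is_guardian_key(name: str) -> bool:
    """True for the randomised Guardian<XXXXX> subkey name, whatever the suffix."""
    return GUARDIAN_RE.fullmatch(name) is not None


def notify_persistence_reasons(report: VX2Report) -> list:
    """List the traits that mark the parsed key as Winlogon notification-package persistence."""
    reasons = []
    values = report.guardian_values
    if report.guardian_key and is_guardian_key(report.guardian_key):
        reasons.append("subkey name matches Guardian + five random capitals")
    if "DllName" in values:
        reasons.append("DllName registers %s as a notification package" % values["DllName"])
    if "Logon" in values and "Logoff" in values:
        reasons.append("exports %s/%s run inside winlogon.exe on every logon/logoff"
                       % (values["Logon"], values["Logoff"]))
    if values.get("DllName") in report.files:
        reasons.append("the registered DLL is also in the Files Found list")
    return reasons


def removal_plan(report: VX2Report) -> dict:
    """The three things the manual procedure deletes, as data."""
    keys = [NOTIFY_PATH + "\\" + report.guardian_key] if report.guardian_key else []
    return {
        "delete_files": list(report.files),
        "delete_keys": keys,
        "user_agent_ids": list(report.user_agent_ids),
    }


def removal_reg(report: VX2Report) -> str:
    """A .reg file that removes the Guardian subkey; [-key] tells regedit to delete a key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += ["[-%s]" % key for key in removal_plan(report)["delete_keys"]]
    lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    rep = parse_vx2finder(SAMPLE_LOG)
    for reason in notify_persistence_reasons(rep):
        print("-", reason)
    print(removal_reg(rep))
```

Because the check is on the key's values rather than its exact name, the rename after a reboot (KZZHH to ZSDJF with the same DllName and ID) is still caught. Save the .reg text to a file and double-click it only after the files have been deleted and the box has rebooted, as the instructions say; deleting the subkey while the DLL is still loaded just lets the DLL write it back.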
     
  8. ragehard1972 (Registered Member)

    Hi,
    I did exactly what you said but things are a little different....

    VX2Finder doesn't ask me to delete on reboot.... It finds 2 DLL files, it kills them, I kill the registry key, the agent, then I restore the policy.... Next reboot... it still finds a .dll

    I'm posting you the last log:

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINNT\system32\1a94camera.cpy.dll


    Guardian Key--- is called: GuardianZSDJF
    Asynchronous 000
    DllName C:\WINNT\system32\1a94camera.cpy.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {36689B83-93AB-4980-8365-F9DE9A8D01E1}
    IDex CS2

    User Agent String---
    {36689B83-93AB-4980-8365-F9DE9A8D01E1}


    Logfile of HijackThis v1.97.7
    Scan saved at 23.12.31, on 08/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmi\Roxio\GoBack\GBPoll.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\GSICON.EXE
    C:\WINNT\system32\dslagent.exe
    C:\WINNT\tppaldr.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\Programmi\Real\RealPlayer\RealPlay.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Programmi\Roxio\GoBack\GBTray.exe
    C:\Programmi\MightyFax NT\MFNTCTL.EXE
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iol.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = libero.it;iol.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVPCC] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
    O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [WallPaper] C:\DOCUME~1\Daniela\DOCUME~1\WALLCH~1.90\WALLPA~1.EXE /h
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
    O4 - HKCU\..\Run: [SpySweeper] C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: GoBack.lnk = C:\Programmi\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MightyFAX Controller.lnk = C:\Programmi\MightyFax NT\MFNTCTL.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Crea preferiti portatile (HKLM)
    O9 - Extra 'Tools' menuitem: Crea preferiti portatile... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT....04.03&http://www.tagheuer.com/watches/3d.lbl
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://notes6.capecod.it/iNotes6.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.4192361111
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab


    Now I'm working with Zone Alarm and I can navigate... but I still have the beast inside my PC :'(


    Regards, Christian *puppy*
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Christian,

    Surf to http://download.broadbandmedic.com/ and download The Killbox.
    Click Fix L2M > Kill VX2.betterinternet

    Then paste this part in the dialog window
    C:\WINNT\system32\1a94camera.cpy.dll
    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    Then use VX2Finder to take care of the rest.

    NOTE: It is very important to be offline during all this.

    Regards,

    Pieter
     
  10. ragehard1972

    ragehard1972 Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    9
    :eek: :eek: :eek:

    It is no longer possible to download KillBox from the Broadband Medic site....

    now?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  12. ragehard1972

    ragehard1972 Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    9
  13. ragehard1972

    ragehard1972 Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    9
    OK,

    killed.....but

    I installed Kaspersky Anti-Virus and it detected these 2 items:

    C:\WINNT\necessary3.exe/data0001 Contaminato Trojan.BAT.Passer.a
    C:\WINNT\necessary3.exe Eliminazione virus non riuscita Trojan.BAT.Passer.a
    C:\WINNT\setup2.exe/data0024 Contaminato Backdoor.Iroffer.1216
    C:\WINNT\setup2.exe Eliminazione virus non riuscita Backdoor.Iroffer.1216

    What does it mean? o_O o_O

    Here is my new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 23.11.24, on 15/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmi\Roxio\GoBack\GBPoll.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\GSICON.EXE
    C:\WINNT\system32\dslagent.exe
    C:\WINNT\tppaldr.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Programmi\Real\RealPlayer\RealPlay.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Programmi\Roxio\GoBack\GBTray.exe
    C:\Programmi\MightyFax NT\MFNTCTL.EXE
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iol.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.iol.it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iol.it
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = libero.it;iol.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVPCC] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
    O4 - HKCU\..\Run: [WallPaper] C:\DOCUME~1\Daniela\DOCUME~1\WALLCH~1.90\WALLPA~1.EXE /h
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
    O4 - HKCU\..\Run: [SpySweeper] C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: GoBack.lnk = C:\Programmi\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MightyFAX Controller.lnk = C:\Programmi\MightyFax NT\MFNTCTL.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Crea preferiti portatile (HKLM)
    O9 - Extra 'Tools' menuitem: Crea preferiti portatile... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT....04.03&http://www.tagheuer.com/watches/3d.lbl
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://notes6.capecod.it/iNotes6.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.4192361111
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{00747D3C-5A67-40D3-A7CB-CFADBDFF1457}: NameServer = 193.70.192.25 193.70.152.25
    O17 - HKLM\System\CS1\Services\Tcpip\..\{00747D3C-5A67-40D3-A7CB-CFADBDFF1457}: NameServer = 193.70.192.25 193.70.152.25


    Thanks
    Christian o_O
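Pieter reads the log above by hand; for anyone who wants to do the same triage on a HijackThis 1.97 log without eyeballing every line, here is an added example (not from this thread, not HijackThis code) that parses the R0/R1, O4, O6, O16 and O17 entry formats seen in the log and applies a few defender-style review rules. The sample lines are constructed from the entry types in Christian's log; the trusted-root list (including "Programmi", which is Program Files on an Italian Windows), the ActiveX host allowlist and the expected DNS servers are assumptions to adjust for your own machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.97 log format, modelled on the entry
# types in the log above (R0/R1, O4, O6, O16, O17).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.it
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKCU\..\Run: [WallPaper] C:\DOCUME~1\Daniela\DOCUME~1\WALLCH~1.90\WALLPA~1.EXE /h
O4 - Global Startup: GoBack.lnk = C:\Programmi\Roxio\GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00747D3C-5A67-40D3-A7CB-CFADBDFF1457}: NameServer = 193.70.192.25 193.70.152.25
""".strip()

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<id>\S+)(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<ips>.+)$")
# First token of a Run command: quoted path, or text up to the first
# executable extension, so unquoted paths containing spaces still work.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|bat|cmd|scr|pif))"?(?:\s|$)', re.IGNORECASE)

# Assumed values: adapt to the machine being reviewed.
TRUSTED_ROOTS = (r"c:\programmi", r"c:\program files", r"c:\progra~1", r"c:\winnt", r"c:\windows")
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "zonelabs.com", "symantec.com")


def parse_hjt(text):
    """Turn HijackThis lines into dicts; unknown sections are kept raw."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        e = {"sec": sec, "raw": raw.strip()}
        if sec in ("R0", "R1") and " = " in body:
            key, _, value = body.partition(" = ")
            e.update(key=key, value=value)
        elif sec == "O4":
            mm = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
            if mm:
                e.update(name=mm.group("name"), cmd=mm.group("cmd"))
        elif sec == "O16":
            mm = O16_RE.match(body)
            if mm:
                e.update(id=mm.group("id"), name=mm.group("name") or "", url=mm.group("url"))
        elif sec == "O17":
            mm = O17_RE.search(body)
            if mm:
                e.update(nameservers=mm.group("ips").split())
        entries.append(e)
    return entries


def executable_of(cmd):
    """Path of the program an O4 command launches (arguments stripped)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ", 1)[0].strip('"')


def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_HOSTS)


def triage(entries, expected_dns=()):
    """Return (raw_line, reason) pairs for entries a reviewer should look at."""
    findings = []
    for e in entries:
        sec = e["sec"]
        if sec == "O4" and "cmd" in e:
            exe = executable_of(e["cmd"]).lower()
            if "\\" not in exe:
                findings.append((e["raw"], "unqualified path: resolved via PATH search order, confirm which file runs"))
            elif not exe.startswith(TRUSTED_ROOTS):
                findings.append((e["raw"], "autorun outside Program Files/Windows: verify the file"))
        elif sec == "O6":
            findings.append((e["raw"], "IE policy restriction set: fine if an admin set it, otherwise typical of hijackers"))
        elif sec == "O16" and "url" in e and not _host_trusted(e["url"]):
            findings.append((e["raw"], "ActiveX download from a host not on the allowlist: check the vendor"))
        elif sec == "O17" and "nameservers" in e:
            bad = [ip for ip in e["nameservers"] if ip not in expected_dns]
            if bad:
                findings.append((e["raw"], "DNS servers not in expected set: " + " ".join(bad)))
        elif sec == "R1" and e.get("key", "").endswith("ProxyServer"):
            findings.append((e["raw"], "proxy configured (%s): confirm it belongs to your ISP" % e["value"]))
    return findings


if __name__ == "__main__":
    for raw, why in triage(parse_hjt(SAMPLE_LOG), expected_dns=("193.70.192.25", "193.70.152.25")):
        print(raw + "\n    -> " + why)
```

Every finding is a "look at this", not a verdict: the WallPaper autorun under the user profile and the O6 restriction are both legitimate on this machine, which is exactly why Pieter calls the log clean. The value of the script is that it leaves you a short list to check by hand instead of a hundred lines.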
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My Italian is not as good as I would like it to be, but "Eliminazione" sounds to me like it was taken care of.

    Your log is clean by the way.

    Please read: Why did I get infected in the first place

    Regards,

    Pieter
     
  15. ragehard1972

    ragehard1972 Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    9
    Not exactly, the statement stands for "it wasn't possible to eliminate these 2 files...."

    What kind of pest/trojan/spyware are they?

    Bye

    Christian :ninja:
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands