Kenji87
-
Posts
2 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by Kenji87
-
-
Hi all, this problem started some days ago after clicking on a internet link (a reply in a forum).
Windows media player opened himself and then my computer started to go slowly.
After some time chrome was not working anymore, firefox and IE redirect me in some sites i never visited and the computer goes out of control (until i restart).
If i don't start the internet connection, the computer run smooth.
Now if i activate the internet connection i can't navigate, chrome and IE does not work, firefox say (this is a traduction from my error in italian lenguage):
"Connection refused from the proxy server. Firefox is configured to use a proxy server that is refusing connections"
So i can't use internet (now i'm using the pc at work)
I've tried many antivirus and the last one (lavasoft ad-aware) deleted some files:
"
Quarantined items:
Description: c:\docume~1\daniele\impost~1\temp\0.7835895404894659.exe Family Name: Win32.Trojan.FakeAV/D Engine: 1 Clean status: Success Item ID: 0 Family ID: 0
Description: c:\docume~1\daniele\impost~1\temp\csrss.exe Family Name: Win32.Trojan.FakeAV/D Engine: 1 Clean status: Success Item ID: 0 Family ID: 0
"
And now every time i start Windows (i have Windows xp sp3) an error say that crss.exe is missing and he can't find it.
I've tried to restore the system to a week ago, but nothing changed.
Here is the log (already loaded on the site and all clean) of Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.28.51, on 26/01/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
C:\Programmi\DCPFLICS\dcpflics.exe
C:\Programmi\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe
C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\AirPort\APAgent.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\File comuni\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Java\jre6\bin\jucheck.exe
C:\DOCUME~1\Daniele\IMPOST~1\Temp\0.7835895404894659.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Daniele\Dati applicazioni\dwm.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:61758
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Programmi\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Programmi\File comuni\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [switchBoard] C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Programmi\File comuni\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [EvtMgr6] C:\Programmi\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [amd_dc_opt] C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [startCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programmi\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [conhost] C:\Documents and Settings\Daniele\Dati applicazioni\Microsoft\conhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\182.50\is\PhysX_9.09.0203_SystemSoftware.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB2B7F6C-12BE-48A4-9DD8-705123D646E9}: NameServer = 213.205.36.70 213.205.32.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Programmi\DCPFLICS\dcpflics.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9cf2766eee058) (gupdate1c9cf2766eee058) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: M-Audio ProKeysSono Installer (MAudioProKeysSonoService) - Unknown owner - C:\Programmi\M-Audio\ProKeysSono\MAUSBPSInst.exe (file missing)
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 11018 bytes
_______________________________________________
Now Antivir Avira does not found anything, it only say that he can't analyze a file: gnu/123/123/123 etc... because of the longname.
When i got the virus, avirsa said that he found the virus "TR/Crypt.ZPACK.GEN" and "TR/DLDR.mufanom.atsk.3" nerswamoxc.tmp , which i deleted.
I've also used CCcleaner but nothing is changed.
I don't know what to do, thank you
Daniele
Infected with various problems
in Resolved Malware Removal Logs
Posted
Hi, thank you for your reply.
I've followed exactly your instructions but the virus is still there, it seems that there is some file that continue to generate it.
When i run MalwareByte, it finds a virus which i delete; the computer seems to run smooth while i'm not online and the antivirus find nothing.
When i connect to the internet, it work only a few minutes and this things happen:
Internet explorer does not work or crash.
Chrome give blank page with cannot load problem
In Firefox happen something strange: if i leave the standard settings it does not work, and in Tools -> Options -> Advanced -> Network -> Connections -> settings i have "use the proxy of the system" (traduction from italian) and it does not work; but IF I set it on "No proxy" or "auto-detect proxy settings for this network" the browser works for a few minutes, then it start to go crazy, i can't deactivate the connection, the computer goes slow, i have no control of it and i must reboot.
After that i find a new virus...
Here the logs, i'm not attaching it like you asked:
The last MalwareBytes log, run from administrator in windows xp provisory mod:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5623
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
28/01/2011 3.31.44
mbam-log-2011-01-28 (03-31-44).txt
Scan type: Full scan (C:\|)
Objects scanned: 483634
Time elapsed: 2 hour(s), 33 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\programmi\mozilla firefox\test.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{73b9b787-50d3-4cf4-b158-25e90160905d}\RP596\A0161960.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{73b9b787-50d3-4cf4-b158-25e90160905d}\RP596\A0161961.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
_______________________________________________________
The last hijackthislog after deleting the virus in the standard mode of windows in my account:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7.00.48, on 28/01/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
C:\Programmi\DCPFLICS\dcpflics.exe
C:\Programmi\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe
C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\AirPort\APAgent.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\File comuni\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Programmi\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Programmi\File comuni\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [switchBoard] C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Programmi\File comuni\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [EvtMgr6] C:\Programmi\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [amd_dc_opt] C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [startCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programmi\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [{33F866F4-0E91-4EAB-55BF-3464463241F4}] "C:\Documents and Settings\Daniele\Dati applicazioni\Agkiab\ovad.exe"
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\182.50\is\PhysX_9.09.0203_SystemSoftware.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: elyfa.exe (User 'Default user')
O4 - .DEFAULT User Startup: esofy.exe (User 'Default user')
O4 - .DEFAULT User Startup: ilogn.exe (User 'Default user')
O4 - .DEFAULT User Startup: luukeh.exe (User 'Default user')
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Programmi\DCPFLICS\dcpflics.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9cf2766eee058) (gupdate1c9cf2766eee058) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: M-Audio ProKeysSono Installer (MAudioProKeysSonoService) - Unknown owner - C:\Programmi\M-Audio\ProKeysSono\MAUSBPSInst.exe (file missing)
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 11001 bytes
______________________________________________________________________
The last piece of the log of Ad-Aware which found another trojan.
******************************** Scan results: *********************************
Scan profile name: Scansione intelligente (ID: smart)
Objects scanned: 71767
Objects detected: 4
Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 3
Browser hijacks.: 0
MRU objects.....: 0
Removed items:
Description: c:\documents and settings\daniele\dati applicazioni\ogud\ybol.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 556bd90ca6145741f85be521fa593c27
Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409130 Family ID: 0
__________________________________________________________
Every time i run the internet, the virus return and the antivirus find a new .exe with different name and in a different location than the previous virus.
If i can't find a method to resolve this problem, i think i will save the important files and format the computer, i need to use the internet in the weekend
Thank you again and sorry for my english