Kenji87 Posted January 27, 2011 ID:380124 Share Posted January 27, 2011 Hi all, this problem started some days ago after clicking on a internet link (a reply in a forum).Windows media player opened himself and then my computer started to go slowly.After some time chrome was not working anymore, firefox and IE redirect me in some sites i never visited and the computer goes out of control (until i restart).If i don't start the internet connection, the computer run smooth.Now if i activate the internet connection i can't navigate, chrome and IE does not work, firefox say (this is a traduction from my error in italian lenguage): "Connection refused from the proxy server. Firefox is configured to use a proxy server that is refusing connections"So i can't use internet (now i'm using the pc at work)I've tried many antivirus and the last one (lavasoft ad-aware) deleted some files:"Quarantined items:Description: c:\docume~1\daniele\impost~1\temp\0.7835895404894659.exe Family Name: Win32.Trojan.FakeAV/D Engine: 1 Clean status: Success Item ID: 0 Family ID: 0Description: c:\docume~1\daniele\impost~1\temp\csrss.exe Family Name: Win32.Trojan.FakeAV/D Engine: 1 Clean status: Success Item ID: 0 Family ID: 0"And now every time i start Windows (i have Windows xp sp3) an error say that crss.exe is missing and he can't find it.I've tried to restore the system to a week ago, but nothing changed.Here is the log (already loaded on the site and all clean) of Hijackthis:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 21.28.51, on 26/01/2011Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Programmi\Lavasoft\Ad-Aware\AAWService.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exec:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exeC:\Programmi\Avira\AntiVir Desktop\sched.exeC:\Programmi\Avira\AntiVir Desktop\avguard.exeC:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exeC:\Programmi\Bonjour\mDNSResponder.exeC:\Programmi\Avira\AntiVir Desktop\avshadow.exeC:\Programmi\DCPFLICS\dcpflics.exeC:\Programmi\Google\Update\1.2.183.39\GoogleCrashHandler.exeC:\Programmi\Java\jre6\bin\jqs.exeC:\Programmi\CDBurnerXP\NMSAccessU.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\svchost.exeC:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\Explorer.EXEC:\Programmi\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\RTHDCPL.EXEC:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exeC:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exeC:\Programmi\Lavasoft\Ad-Aware\AAWTray.exeC:\WINDOWS\system32\rundll32.exeC:\Programmi\AirPort\APAgent.exeC:\WINDOWS\System32\M-AudioTaskBarIcon.exeC:\Programmi\Java\jre6\bin\jusched.exeC:\Programmi\Logitech\SetPointP\SetPoint.exeC:\WINDOWS\system32\ctfmon.exeC:\Programmi\Messenger\msmsgs.exeC:\WINDOWS\system32\mapiicon.exeC:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Programmi\File comuni\LogiShrd\KHAL3\KHALMNPR.EXEC:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Programmi\Java\jre6\bin\jucheck.exeC:\DOCUME~1\Daniele\IMPOST~1\Temp\0.7835895404894659.exeC:\WINDOWS\system32\taskmgr.exeC:\Programmi\Trend Micro\HijackThis\HijackThis.exeC:\Documents and Settings\Daniele\Dati applicazioni\dwm.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:61758R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = CollegamentiO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ADSL_A2] A2InstalledO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe"O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam10\QuickCam10.exe" /hideO4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exeO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Programmi\AirPort\APAgent.exe"O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Programmi\File comuni\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"O4 - HKLM\..\Run: [switchBoard] C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exeO4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Programmi\File comuni\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [EvtMgr6] C:\Programmi\Logitech\SetPointP\SetPoint.exe /launchGamingO4 - HKLM\..\Run: [amd_dc_opt] C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exeO4 - HKLM\..\Run: [startCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunO4 - HKLM\..\Run: [ATICustomerCare] "C:\Programmi\ATI\ATICustomerCare\ATICustomerCare.exe"O4 - HKLM\..\Run: [conhost] C:\Documents and Settings\Daniele\Dati applicazioni\Microsoft\conhost.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\182.50\is\PhysX_9.09.0203_SystemSoftware.exe"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exeO9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exeO16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{EB2B7F6C-12BE-48A4-9DD8-705123D646E9}: NameServer = 213.205.36.70 213.205.32.70O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exeO23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Programmi\DCPFLICS\dcpflics.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Servizio di Google Update (gupdate1c9cf2766eee058) (gupdate1c9cf2766eee058) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exeO23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exeO23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\LogiShrd\Bluetooth\lbtserv.exeO23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exeO23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exeO23 - Service: M-Audio ProKeysSono Installer (MAudioProKeysSonoService) - Unknown owner - C:\Programmi\M-Audio\ProKeysSono\MAUSBPSInst.exe (file missing)O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exeO23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exeO23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe--End of file - 11018 bytes_______________________________________________Now Antivir Avira does not found anything, it only say that he can't analyze a file: gnu/123/123/123 etc... because of the longname.When i got the virus, avirsa said that he found the virus "TR/Crypt.ZPACK.GEN" and "TR/DLDR.mufanom.atsk.3" nerswamoxc.tmp , which i deleted.I've also used CCcleaner but nothing is changed.I don't know what to do, thank youDaniele Link to post Share on other sites More sharing options...
LDTate Posted January 27, 2011 ID:380164 Share Posted January 27, 2011 Please don't attach the scans / logs, use "copy/paste".DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.Vista and Windows 7 users:1. These tools MUST be run from the executable. (.exe) every time you run them 2. With Admin Rights (Right click, choose "Run as Administrator")Stay with this topic until I give you the all clean post.You might want to print these instructions out.I suggest you do this:Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.Save in: DesktopFile Name: fixme.regSave as Type: All filesClick: SaveREGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]"ProxyServer"=-On the desktop, doubleclick fix.reg and allow it to run. Let it mergeNext:I've been seeing some Java infections lately.Go here and follow the instructions to clear your Java Cachehttp://www.java.com/en/download/help/plugin_cache.xmlNext:Please download ATF Cleaner by Atribune.Download - ATF Cleaner Link to post Share on other sites More sharing options...
Kenji87 Posted January 28, 2011 Author ID:380629 Share Posted January 28, 2011 Hi, thank you for your reply.I've followed exactly your instructions but the virus is still there, it seems that there is some file that continue to generate it.When i run MalwareByte, it finds a virus which i delete; the computer seems to run smooth while i'm not online and the antivirus find nothing.When i connect to the internet, it work only a few minutes and this things happen:Internet explorer does not work or crash.Chrome give blank page with cannot load problemIn Firefox happen something strange: if i leave the standard settings it does not work, and in Tools -> Options -> Advanced -> Network -> Connections -> settings i have "use the proxy of the system" (traduction from italian) and it does not work; but IF I set it on "No proxy" or "auto-detect proxy settings for this network" the browser works for a few minutes, then it start to go crazy, i can't deactivate the connection, the computer goes slow, i have no control of it and i must reboot.After that i find a new virus...Here the logs, i'm not attaching it like you asked:The last MalwareBytes log, run from administrator in windows xp provisory mod:Malwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 5623Windows 5.1.2600 Service Pack 3 (Safe Mode)Internet Explorer 8.0.6001.1870228/01/2011 3.31.44mbam-log-2011-01-28 (03-31-44).txtScan type: Full scan (C:\|)Objects scanned: 483634Time elapsed: 2 hour(s), 33 minute(s), 38 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\programmi\mozilla firefox\test.exe (Trojan.Downloader) -> Quarantined and deleted successfully.c:\system volume information\_restore{73b9b787-50d3-4cf4-b158-25e90160905d}\RP596\A0161960.exe (Trojan.Downloader) -> Quarantined and deleted successfully.c:\system volume information\_restore{73b9b787-50d3-4cf4-b158-25e90160905d}\RP596\A0161961.exe (Trojan.Downloader) -> Quarantined and deleted successfully._______________________________________________________The last hijackthislog after deleting the virus in the standard mode of windows in my account:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7.00.48, on 28/01/2011Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Programmi\Lavasoft\Ad-Aware\AAWService.exeC:\WINDOWS\system32\spoolsv.exec:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exeC:\Programmi\Avira\AntiVir Desktop\sched.exeC:\Programmi\Avira\AntiVir Desktop\avguard.exeC:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exeC:\Programmi\Bonjour\mDNSResponder.exeC:\Programmi\Avira\AntiVir Desktop\avshadow.exeC:\Programmi\DCPFLICS\dcpflics.exeC:\Programmi\Google\Update\1.2.183.39\GoogleCrashHandler.exeC:\Programmi\Java\jre6\bin\jqs.exeC:\Programmi\CDBurnerXP\NMSAccessU.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\svchost.exeC:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\WINDOWS\Explorer.EXEC:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Programmi\Avira\AntiVir Desktop\avgnt.exeC:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\WINDOWS\RTHDCPL.EXEC:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exeC:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exeC:\Programmi\Lavasoft\Ad-Aware\AAWTray.exeC:\WINDOWS\system32\rundll32.exeC:\Programmi\AirPort\APAgent.exeC:\Programmi\Java\jre6\bin\jusched.exeC:\Programmi\Logitech\SetPointP\SetPoint.exeC:\WINDOWS\system32\ctfmon.exeC:\Programmi\Messenger\msmsgs.exeC:\WINDOWS\system32\mapiicon.exeC:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wscntfy.exeC:\Programmi\File comuni\LogiShrd\KHAL3\KHALMNPR.EXEC:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Programmi\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = CollegamentiO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ADSL_A2] A2InstalledO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe"O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam10\QuickCam10.exe" /hideO4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exeO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Programmi\AirPort\APAgent.exe"O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Programmi\File comuni\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"O4 - HKLM\..\Run: [switchBoard] C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exeO4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Programmi\File comuni\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [EvtMgr6] C:\Programmi\Logitech\SetPointP\SetPoint.exe /launchGamingO4 - HKLM\..\Run: [amd_dc_opt] C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exeO4 - HKLM\..\Run: [startCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunO4 - HKLM\..\Run: [ATICustomerCare] "C:\Programmi\ATI\ATICustomerCare\ATICustomerCare.exe"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [{33F866F4-0E91-4EAB-55BF-3464463241F4}] "C:\Documents and Settings\Daniele\Dati applicazioni\Agkiab\ovad.exe"O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\182.50\is\PhysX_9.09.0203_SystemSoftware.exe"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - .DEFAULT User Startup: elyfa.exe (User 'Default user')O4 - .DEFAULT User Startup: esofy.exe (User 'Default user')O4 - .DEFAULT User Startup: ilogn.exe (User 'Default user')O4 - .DEFAULT User Startup: luukeh.exe (User 'Default user')O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exeO9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exeO16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cabO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exeO23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Programmi\DCPFLICS\dcpflics.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Servizio di Google Update (gupdate1c9cf2766eee058) (gupdate1c9cf2766eee058) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exeO23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exeO23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\LogiShrd\Bluetooth\lbtserv.exeO23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exeO23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exeO23 - Service: M-Audio ProKeysSono Installer (MAudioProKeysSonoService) - Unknown owner - C:\Programmi\M-Audio\ProKeysSono\MAUSBPSInst.exe (file missing)O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exeO23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exeO23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe--End of file - 11001 bytes______________________________________________________________________The last piece of the log of Ad-Aware which found another trojan.******************************** Scan results: *********************************Scan profile name: Scansione intelligente (ID: smart)Objects scanned: 71767Objects detected: 4Type Detected==========================Processes.......: 0Registry entries: 0Hostfile entries: 0Files...........: 1Folders.........: 0LSPs............: 0Cookies.........: 3Browser hijacks.: 0MRU objects.....: 0Removed items:Description: c:\documents and settings\daniele\dati applicazioni\ogud\ybol.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 556bd90ca6145741f85be521fa593c27Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0Description: *bs.serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408902 Family ID: 0Description: *serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409130 Family ID: 0__________________________________________________________Every time i run the internet, the virus return and the antivirus find a new .exe with different name and in a different location than the previous virus.If i can't find a method to resolve this problem, i think i will save the important files and format the computer, i need to use the internet in the weekend Thank you again and sorry for my english Link to post Share on other sites More sharing options...
LDTate Posted January 28, 2011 ID:380670 Share Posted January 28, 2011 Vista and Windows 7 users:1. These tools MUST be run from the executable. (.exe) every time you run them 2. With Admin Rights (Right click, choose "Run as Administrator")Stay with this topic until I give you the all clean post.You might want to print these instructions out.I suggest you do this:Download ComboFix from one of these locations:Link 1Link 2 If using this link, Right Click and select Save As.* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective ProgramsDouble click on ComboFix.exe & follow the prompts.Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7. Note: If you have SP3, use the SP2 package.If Vista or Windows 7, skip the Recovery Console partAs part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.Notes:1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper. 4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.Give it atleast 20-30 minutes to finish if needed.Please do not attach the scan results from Combofx. Use copy/paste.Also please describe how your computer behaves at the moment. Link to post Share on other sites More sharing options...
LDTate Posted January 31, 2011 ID:382150 Share Posted January 31, 2011 Do you still need help with this? Link to post Share on other sites More sharing options...
LDTate Posted February 1, 2011 ID:382795 Share Posted February 1, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts