


Trojan BHO.H removal please!!!


  • This topic is locked
20 replies to this topic

#1 italianballoonguy

italianballoonguy

    New Member

  • Members
  • 12 posts

Posted 24 February 2009 - 04:51 AM

I have performed the quick scan, saved the log file and rebooted. Performed the quick scan again and got the same result. I have also installed & run HijackThis. Below are my log files. Please help!!

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

24/02/2009 10.39.02
mbam-log-2009-02-24 (10-39-02).txt

Scan type: Quick Scan
Objects scanned: 65943
Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lhfsq.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\mzoieeto.dat (Rootkit.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.39.34, on 24/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\Cobian Backup 9\Cobian.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Cobian Backup 9\cbInterface.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe
C:\Programmi\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cy...mallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.cattex.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B073803-CFDF-4390-9D9B-078036B5E4D4} - C:\WINDOWS\system32\lhfsq.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programmi\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=030709 serial=DR12WUX-0606061-ZVY lang=IT
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cobian Backup 9] "C:\Programmi\Cobian Backup 9\Cobian.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Orbit.lnk = C:\Programmi\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with Rapget - C:\Programmi\RAPidshareGET\RapGet\rapget.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9}: NameServer = 151.99.125.2,151.99.125.3
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c98872a1038402) (gupdate1c98872a1038402) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe

--
End of file - 8549 bytes
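The two registry keys MBAM lists for Trojan.BHO.H are the pair every Browser Helper Object needs: the Explorer key that tells Internet Explorer which CLSIDs to load, and the HKCR\CLSID registration whose InprocServer32 value names the DLL (here C:\WINDOWS\system32\lhfsq.dll, the same file HijackThis shows on its unnamed O2 line). The script below is an added Python triage example, not part of the original post and not MBAM's or HijackThis' own logic: it parses the O2 lines from the HijackThis log above and cross-checks their CLSIDs against the MBAM detections. The sample lines are copied from the two logs in this post; the heuristics (no registered name, a DLL dropped straight into system32, a vowel-less random-looking file name) are my own rules of thumb.

```python
"""Triage of HijackThis O2 (BHO) lines against Malwarebytes detections.

Constructed example: the sample lines are copied from the logs in this thread,
the heuristics are my own rules of thumb, not MBAM's or HijackThis' logic.
"""
import re
from dataclasses import dataclass, field

# A BHO needs both keys: Explorer's list of CLSIDs to load into IE, and the
# CLSID registration whose InprocServer32 value names the DLL.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")

# Sample input copied from the HijackThis and MBAM logs in this post.
SAMPLE_HJT = [
    r"O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll",
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7B073803-CFDF-4390-9D9B-078036B5E4D4} - C:\WINDOWS\system32\lhfsq.dll",
    r"O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll",
    r"O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll",
]
SAMPLE_MBAM = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.",
    r"HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.",
]


@dataclass
class Bho:
    name: str
    clsid: str   # lower-cased, braces stripped: HJT prints upper, MBAM lower
    path: str
    reasons: list = field(default_factory=list)


def parse_o2(lines):
    """Parse HijackThis O2 lines into Bho records."""
    found = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].lower(), m["path"]))
    return found


def mbam_clsids(lines):
    """CLSIDs that MBAM reported under the BHO list or under HKCR\\CLSID."""
    hits = set()
    for line in lines:
        if line.startswith(BHO_KEY) or line.startswith(CLSID_KEY):
            hits.update(g.lower() for g in GUID_RE.findall(line))
    return hits


def registry_paths(clsid):
    """The two keys that both have to go for a BHO to stop loading."""
    return [BHO_KEY + "\\{" + clsid + "}", CLSID_KEY + "\\{" + clsid + "}"]


def triage(hjt_lines, mbam_lines):
    """Return {clsid: Bho} for BHOs worth a closer look, reasons attached."""
    flagged = mbam_clsids(mbam_lines)
    report = {}
    for bho in parse_o2(hjt_lines):
        # file name without directory or extension, e.g. "lhfsq"
        stem = bho.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if bho.name == "(no name)":
            bho.reasons.append("no registered name")
        if "\\windows\\system32\\" in bho.path.lower():
            bho.reasons.append("DLL dropped in system32 instead of a product directory")
        if re.fullmatch(r"[a-z]{4,8}", stem) and not re.search(r"[aeiou]", stem):
            bho.reasons.append(f"random-looking file name {stem!r}")
        if bho.clsid in flagged:
            bho.reasons.append("CLSID matches an MBAM detection")
        if bho.reasons:
            report[bho.clsid] = bho
    return report


if __name__ == "__main__":
    for clsid, bho in triage(SAMPLE_HJT, SAMPLE_MBAM).items():
        print(f"{bho.path}  [{', '.join(bho.reasons)}]")
        for key in registry_paths(clsid):
            print("   ", key)
```

Run on the sample input only the lhfsq.dll entry is reported, with all four reasons; the vendor BHOs (Orbit, Yahoo!, Adobe, Google) pass. The name-shape heuristic is deliberately narrow so that short legitimate names such as swg.dll or yt.dll are not caught, and it is a prompt to look closer, not a verdict on its own.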

#2 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,015 posts
  • Gender:Male
  • Location:US

Posted 24 February 2009 - 03:16 PM

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


Ron Lewis
Forum Community Manager


Follow us: Twitter, Become a fan: Facebook


#3 italianballoonguy

italianballoonguy

    New Member

  • Members
  • 12 posts

Posted 25 February 2009 - 02:57 AM

One thing, sorry I am responding so late, but I live and work in Rome, Italy. It is my work computer that is having the problem, but I can only get to it between the hours of 8:00 a.m. and around 6:00 p.m. I don't know where you are so I can't calculate the time difference. I am able to stay longer if I know that you will be there to help, so let me know when you get this message where you are and between what times, so I can try to be here at the same time.

OK, I downloaded RootRepeal. I followed your instructions but when I start the scan, my screen turns black. When rebooting I shut down my antivirus and Malwarebytes, but scanning again sends me to a black screen again. The only way of getting out is rebooting from my "on" button.

I hope this isn't serious.

Thanks by the way for helping.

#4 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,015 posts
  • Gender:Male
  • Location:US

Posted 25 February 2009 - 04:06 AM

The rootkit is probably blocking it.

Please see if you can run this one instead. As for time, it really doesn't matter. Basically move forward on tasks and post as you have them and when available I will respond. Thanks.


Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista


Ron Lewis
Forum Community Manager



#5 italianballoonguy

italianballoonguy

    New Member

  • Members
  • 12 posts

Posted 25 February 2009 - 04:49 AM

It doesn't seem like much but here it is.

Attached Files

  • Attached File: gmer.zip (521 bytes, 18 downloads)


#6 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,015 posts
  • Gender:Male
  • Location:US

Posted 25 February 2009 - 05:43 AM

Okay please run the following.


Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Ron Lewis
Forum Community Manager



#7 italianballoonguy

italianballoonguy

    New Member

  • Members
  • 12 posts

Posted 25 February 2009 - 07:47 AM

ComboFix 09-02-24.02 - Administrator 2009-02-25 13.33.00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2047.1558 [GMT 1:00]
Run from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Options used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\resycled
E:\resycled

.
((((((((((((((((((((((((( Files Created From 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))))))
.

2009-03-02 09:00 . 2009-03-02 09:00 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-03-02 09:00 . 2009-03-02 09:00 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-03-02 09:00 . 2009-03-02 09:00 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-03-02 09:00 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 09:00 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 08:38 . 2009-03-02 08:47 <DIR> d-------- c:\programmi\Eset
2009-03-02 08:38 . 2009-03-02 08:38 512,096 --a------ c:\windows\system32\drivers\amon.sys
2009-03-02 08:38 . 2009-03-02 08:38 298,104 --a------ c:\windows\system32\imon.dll
2009-03-02 08:38 . 2009-03-02 08:38 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2009-02-25 13:22 . 2009-02-25 13:22 <DIR> d-------- c:\windows\LastGood
2009-02-25 10:48 . 2009-02-25 10:48 521 --a------ C:\gmer.zip
2009-02-25 10:18 . 2009-02-25 11:01 250 --a------ c:\windows\gmer.ini
2009-02-25 08:36 . 2008-12-20 18:00 446,464 --a------ C:\RootRepeal.exe
2009-02-25 08:36 . 2009-02-25 08:36 0 --a------ C:\settings.dat
2009-02-24 10:39 . 2009-02-24 10:39 <DIR> d-------- c:\programmi\Trend Micro
2009-02-19 10:42 . 2009-02-19 10:42 <DIR> d-------- c:\programmi\Windows Media Connect 2
2009-02-19 10:41 . 2009-02-19 10:41 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-06 16:46 . 2009-02-11 13:23 <DIR> d-------- c:\programmi\Google
2009-02-06 16:46 . 2009-02-25 11:21 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Google Updater
2009-02-05 13:57 . 2009-02-05 13:57 320 --------- c:\windows\barcode.ini
2009-02-05 13:07 . 2009-02-05 13:23 <DIR> d-------- C:\easy
2009-02-05 12:40 . 2009-02-05 12:40 <DIR> d-------- c:\programmi\Seagate Software
2009-02-05 12:39 . 2009-02-05 12:39 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-05 12:39 . 1999-03-02 08:13 521,632 --------- c:\windows\system32\MAPI.DLL
2009-02-05 09:48 . 2009-02-05 09:48 49,152 --------- c:\windows\DBNAMES.CFG
2009-02-05 09:47 . 2009-02-05 12:45 298 --------- c:\windows\bti.ini
2009-02-05 09:40 . 2009-02-05 09:49 <DIR> d-------- C:\PVSW
2009-02-05 09:40 . 2009-02-05 09:40 <DIR> d-------- c:\programmi\File comuni\Pervasive Software Shared
2009-02-05 09:40 . 1998-10-29 15:45 306,688 --------- c:\windows\IsUninst.exe
2009-02-05 09:40 . 2002-07-20 19:36 251,016 --------- c:\windows\system32\keyhelp.ocx
2009-02-05 09:40 . 2002-06-30 18:40 19,456 --------- c:\windows\keyhh.exe
2009-02-05 09:36 . 2009-02-05 09:36 544,816 --------- c:\windows\system32\pscl.dll
2009-02-05 09:36 . 2009-02-05 09:36 254,002 --------- c:\windows\system32\pscore.dll
2009-02-05 09:36 . 2009-02-05 09:36 146,976 --------- c:\windows\system32\mfcoleui.dll
2009-02-05 09:36 . 2009-02-05 09:36 43,760 --------- c:\windows\system32\nwlocale.dll
2009-02-05 09:34 . 2009-02-05 09:34 <DIR> d-------- c:\programmi\TeamViewer
2009-02-05 09:34 . 2009-02-05 09:34 <DIR> d-------- c:\documents and settings\Administrator\temp
2009-02-05 09:34 . 2009-02-05 09:34 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\TeamViewer
2009-02-02 18:33 . 2009-02-02 18:35 <DIR> d-------- c:\programmi\Yahoo!
2009-02-02 18:05 . 2009-02-02 18:05 <DIR> d-------- c:\programmi\AVG
2009-01-27 08:54 . 2009-01-27 08:54 102 --------- c:\windows\system32\UserRequest_1233042841.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 12:25 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Orbit
2009-02-05 11:40 --------- d-----w c:\programmi\File comuni\InstallShield
2009-02-02 17:34 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Yahoo!
2009-01-27 13:42 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Apple Computer
2009-01-24 14:16 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\GrabPro
2009-01-23 19:09 --------- d-----w c:\programmi\Agere
2009-01-23 18:56 --------- d-----w c:\programmi\Intel
2009-01-23 18:45 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage
2009-01-23 12:28 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\vlc
2009-01-23 10:18 --------- d-----w c:\programmi\HP
2009-01-23 10:18 --------- d-----w c:\programmi\Hewlett-Packard
2009-01-23 10:18 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Hewlett-Packard
2009-01-23 10:16 --------- d-----w c:\programmi\File comuni\HP
2009-01-23 10:16 --------- d-----w c:\programmi\File comuni\Hewlett-Packard
2009-01-22 17:50 --------- d-----w c:\programmi\MSXML 4.0
2009-01-22 17:29 --------- d-----w c:\programmi\iTunes
2009-01-22 17:29 --------- d-----w c:\programmi\iPod
2009-01-22 17:29 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 17:28 --------- d-----w c:\programmi\QuickTime
2009-01-22 17:28 --------- d-----w c:\programmi\File comuni\Apple
2009-01-22 17:28 --------- d-----w c:\programmi\Bonjour
2009-01-22 17:28 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-01-22 17:27 --------- d-----w c:\programmi\Apple Software Update
2009-01-22 17:27 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Apple
2009-01-22 14:27 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Yahoo! Companion
2009-01-22 14:27 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Yahoo!
2009-01-22 12:44 --------- d-----w c:\programmi\VideoLAN
2009-01-22 12:43 --------- d-----w c:\programmi\RAPidshareGET
2009-01-22 11:57 --------- d-----w c:\programmi\File comuni\Adobe
2009-01-22 08:03 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-01-21 09:22 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Corel
2009-01-21 09:20 --------- d-----w c:\programmi\File comuni\Corel
2009-01-21 09:19 --------- d-----w c:\programmi\Corel
2009-01-21 09:08 --------- d-----w c:\programmi\Microsoft Works
2009-01-20 21:50 --------- d-----w c:\programmi\Cobian Backup 9
2009-01-20 21:36 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Ahead
2009-01-20 21:18 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Ahead
2009-01-20 21:17 --------- d-----w c:\programmi\File comuni\Ahead
2009-01-20 21:16 --------- d-----w c:\programmi\Nero
2009-01-20 21:16 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Nero
2009-01-20 20:53 118,528 ----a-w c:\windows\system32\lhfsq.dll
2009-01-20 20:52 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\sentinel
2009-01-20 20:48 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Backup
2009-01-20 20:37 --------- d-----w c:\programmi\Realtek
2009-01-20 20:37 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\InstallShield
2009-01-20 19:57 --------- d-----w c:\programmi\microsoft frontpage
2009-01-20 19:56 --------- d-----w c:\programmi\Servizi in linea
2008-12-20 22:31 826,368 ------w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B073803-CFDF-4390-9D9B-078036B5E4D4}]
2009-01-20 21:53 118528 --a------ c:\windows\system32\lhfsq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"Cobian Backup 9"="c:\programmi\Cobian Backup 9\Cobian.exe" [2008-09-21 579584]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Messenger (Yahoo!)"="c:\programmi\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"CorelDRAW Graphics Suite 11b"="c:\programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe" [2003-11-28 733184]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\programmi\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2009-03-02 949376]
"Malwarebytes' Anti-Malware"="c:\programmi\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]
"SoundMan"="SOUNDMAN.EXE" [2006-04-01 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\Bin\w3dbsmgr.exe [2003-10-29 106546]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-14 53248]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-14 241664]
Orbit.lnk - c:\programmi\Orbitdownloader\orbitdm.exe [2009-01-23 1711304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Orbitdownloader\\orbitnet.exe"=
"c:\\PVSW\\Bin\\w3dbsmgr.exe"=

R0 gbookehd;gbookehd;c:\windows\system32\drivers\gbookehd.sys [2001-08-31 23424]
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2009-01-20 110128]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2009-01-20 17328]
R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [2009-01-23 774045]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-03-02 15424]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-02 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-02 15504]
R3 WDMWANMP;NDIS WAN miniport;c:\windows\system32\drivers\wdmwanmp.sys [2009-01-23 28800]
S2 gupdate1c98872a1038402;Google Update Service (gupdate1c98872a1038402);c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{402afc05-eb9b-11dd-a5c5-487444737531}]
\Shell\AutoRun\command - .\run\autorun.exe
\Shell\open\Command - .\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7a0766-e851-11dd-a5ba-000c765029c1}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com i:
\Shell\Open\command - resycled\boot.com i:
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 16:46]

2009-02-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 16:50]

2009-02-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Administrator.job
- c:\programmi\Malwarebytes' Anti-Malware\mbam.exe [2009-02-11 10:19]
.
- - - - ORPHANED KEYS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Notify-avldr - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://store.cattex.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/202
IE: Download with Rapget - c:\programmi\RAPidshareGET\RapGet\rapget.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9} = 151.99.125.2,151.99.125.3
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\gvxcxtgt.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://store.cattex.com
FF - plugin: c:\programmi\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 13:35:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'lsass.exe'(640)
c:\windows\system32\imon.dll
.
Scan end time: 2009-02-25 13.38.36
ComboFix-quarantined-files.txt 2009-02-25 12:37:25

Pre-Run: 140,845,502,464 bytes available
Post-Run: 145,406,226,432 bytes available

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

227 --- E O F --- 2009-02-27 15:32:34


Malwarebytes' Anti-Malware 1.34
Database version: 1801
Windows 5.1.2600 Service Pack 3

25/02/2009 13.44.35
mbam-log-2009-02-25 (13-44-28).txt

Scan type: Quick Scan
Objects scanned: 61623
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lhfsq.dll (Trojan.BHO.H) -> No action taken.
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\mzoieeto.dat (Rootkit.Agent) -> No action taken.

#8 AdvancedSetup

Posted 25 February 2009 - 03:37 PM

Please run the following tool.


Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr


Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
DDS.txt
Attach.txt

Ron Lewis
Forum Community Manager


#9 italianballoonguy

Posted 26 February 2009 - 02:15 AM

The program asked me to ZIP the "ATTACH" file, but it won't let me attach it, so I just copied it below. Good morning, by the way.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 8.08.44,20 on 26/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1598 [GMT 1:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programmi\Google\Update\GoogleUpdate.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\Cobian Backup 9\Cobian.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Cobian Backup 9\cbInterface.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://store.cattex.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\programmi\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7b073803-cfdf-4390-9d9b-078036b5e4d4} - c:\windows\system32\lhfsq.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\programmi\orbitdownloader\GrabPro.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programmi\file comuni\ahead\lib\NMBgMonitor.exe"
uRun: [Cobian Backup 9] "c:\programmi\cobian backup 9\Cobian.exe"
uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\programmi\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\programmi\file comuni\ahead\lib\NeroCheck.exe
mRun: [CorelDRAW Graphics Suite 11b] c:\programmi\corel\corel graphics 12\languages\it\programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=030709 serial=DR12WUX-0606061-ZVY lang=IT
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\programmi\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\programmi\hp\hpcoretech\hpcmpmgr.exe"
mRun: [nod32kui] "c:\programmi\eset\nod32kui.exe" /WAITSERVICE
mRun: [Malwarebytes' Anti-Malware] "c:\programmi\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\menuav~1\progra~1\esecuz~1\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avvior~1.lnk - c:\programmi\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpdigi~1.lnk - c:\programmi\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\orbit.lnk - c:\programmi\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/202
IE: Download with Rapget - c:\programmi\rapidshareget\rapget\rapget.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
TCP: {4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9} = 151.99.125.2,151.99.125.3
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\programmi\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datiap~1\mozilla\firefox\profiles\gvxcxtgt.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://store.cattex.com
FF - plugin: c:\programmi\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\programmi\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 gbookehd;gbookehd;c:\windows\system32\drivers\gbookehd.sys [2001-8-31 23424]
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2009-1-20 110128]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2009-1-20 17328]
R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [2009-1-23 774045]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-3-2 15424]
R2 MBAMService;MBAMService;c:\programmi\malwarebytes' anti-malware\mbamservice.exe [2009-3-2 179856]
R2 NOD32krn;NOD32 Kernel Service;c:\programmi\eset\nod32krn.exe [2009-3-2 552064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-3-2 15504]
R3 WDMWANMP;NDIS WAN miniport;c:\windows\system32\drivers\wdmwanmp.sys [2009-1-23 28800]
S2 gupdate1c98872a1038402;Google Update Service (gupdate1c98872a1038402);c:\programmi\google\update\GoogleUpdate.exe [2009-2-6 133104]

=============== Created Last 30 ================

2009-02-25 13:32 <DIR> a-dshr-- C:\cmdcons
2009-02-25 13:29 161,792 a------- c:\windows\SWREG.exe
2009-02-25 13:29 98,816 a------- c:\windows\sed.exe
2009-02-25 10:48 521 a------- C:\gmer.zip
2009-02-25 10:18 250 a------- c:\windows\gmer.ini
2009-02-25 08:36 0 a------- C:\settings.dat
2009-02-25 08:36 446,464 a------- C:\RootRepeal.exe
2009-02-24 10:39 <DIR> --d----- c:\programmi\Trend Micro
2009-02-19 10:42 <DIR> --d----- c:\programmi\Windows Media Connect 2
2009-02-05 13:57 320 -------- c:\windows\barcode.ini
2009-02-05 13:07 <DIR> --d----- C:\easy
2009-02-05 12:40 <DIR> --d----- c:\programmi\Seagate Software
2009-02-05 12:39 521,632 -------- c:\windows\system32\MAPI.DLL
2009-02-05 12:39 <DIR> --d----- c:\documents and settings\administrator\WINDOWS
2009-02-05 09:48 49,152 -------- c:\windows\DBNAMES.CFG
2009-02-05 09:47 298 -------- c:\windows\bti.ini
2009-02-05 09:40 <DIR> --d----- c:\programmi\file comuni\Pervasive Software Shared
2009-02-05 09:40 251,016 -------- c:\windows\system32\keyhelp.ocx
2009-02-05 09:40 19,456 -------- c:\windows\keyhh.exe
2009-02-05 09:40 306,688 -------- c:\windows\IsUninst.exe
2009-02-05 09:40 <DIR> --d----- C:\PVSW
2009-02-05 09:36 544,816 -------- c:\windows\system32\pscl.dll
2009-02-05 09:36 254,002 -------- c:\windows\system32\pscore.dll
2009-02-05 09:36 146,976 -------- c:\windows\system32\mfcoleui.dll
2009-02-05 09:36 43,760 -------- c:\windows\system32\nwlocale.dll
2009-02-05 09:34 <DIR> --d----- c:\docume~1\admini~1\datiap~1\TeamViewer
2009-02-05 09:34 <DIR> --d----- c:\programmi\TeamViewer
2009-02-05 09:34 <DIR> --d----- c:\documents and settings\administrator\temp
2009-02-02 18:33 <DIR> --d----- c:\programmi\Yahoo!
2009-02-02 18:05 <DIR> --d----- c:\programmi\AVG
2009-01-27 08:54 102 -------- c:\windows\system32\UserRequest_1233042841.tmp

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-23 11:19 85,264 -------- c:\windows\hpgins01.dat
2009-01-21 17:09 86,327 -------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-20 21:53 118,528 a------- c:\windows\system32\lhfsq.dll
2009-01-20 20:54 21,840 -------- c:\windows\system32\emptyregdb.dat
2008-12-20 23:31 826,368 -------- c:\windows\system32\wininet.dll

============= FINISH: 8.09.02,29 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20/01/2009 20.59.37
System Uptime: 26/02/2009 7.57.14 (1 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel® Pentium® 4 CPU 2.60GHz | Socket 478 | 2600/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 134,745 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 59,667 GiB free.
E: is FIXED (NTFS) - 56 GiB total, 42,009 GiB free.
G: is CDROM (CDFS)
H: is CDROM ()
Y: is NetworkDisk (NTFS) - 98 GiB total, 80,434 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP8: 20/01/2009 22.29.10 - Punto di arresto del sistema
RP9: 21/01/2009 10.06.30 - Installed Microsoft Office Word 2007
RP10: 21/01/2009 10.12.41 - Installed Microsoft Office Excel 2007
RP11: 21/01/2009 10.19.44 - CorelDRAW Graphics Suite 12 installato
RP12: 22/01/2009 12.21.16 - Punto di arresto del sistema
RP13: 22/01/2009 13.43.22 - Installed RapGet
RP14: 22/01/2009 15.43.23 - Software Distribution Service 3.0
RP15: 22/01/2009 18.28.55 - iTunes installato
RP16: 22/01/2009 18.49.20 - Software Distribution Service 3.0
RP17: 23/01/2009 7.53.13 - Software Distribution Service 3.0
RP18: 23/01/2009 11.59.52 - Software Distribution Service 3.0
RP19: 23/01/2009 20.09.29 - Installed Agere Ethernet Adapter
RP20: 23/01/2009 20.23.49 - Aggiorna a driver privo di firma digitale
RP21: 24/01/2009 17.01.09 - Software Distribution Service 3.0
RP22: 26/01/2009 8.31.07 - Software Distribution Service 3.0
RP23: 27/01/2009 12.34.13 - Punto di arresto del sistema
RP24: 27/01/2009 15.41.58 - Rimosso Panda Internet Security 2008
RP25: 27/09/2001 16.51.23 - Installed Panda Internet Security 2008
RP26: 28/09/2001 17.45.01 - Punto di arresto del sistema
RP27: 30/01/2009 12.29.51 - Punto di arresto del sistema
RP28: 02/02/2009 12.17.39 - Punto di arresto del sistema
RP29: 02/02/2009 17.55.35 - Removed Panda Internet Security 2008
RP30: 02/02/2009 18.05.29 - Installed AVG 8.0
RP31: 03/02/2009 9.45.49 - Avg8 Update
RP32: 03/02/2009 9.58.57 - Avg8 Update
RP33: 04/02/2009 12.17.49 - Punto di arresto del sistema
RP34: 05/02/2009 9.47.04 - Installed Pervasive.SQL V8 Workgroup (v8.5)
RP35: 05/02/2009 12.40.45 - Microsoft Visual C++ 2005 Redistributable installato
RP36: 06/02/2009 12.55.18 - Punto di arresto del sistema
RP37: 08/02/2009 12.26.02 - Punto di arresto del sistema
RP38: 09/02/2009 12.35.58 - Punto di arresto del sistema
RP39: 10/02/2009 8.46.55 - Avg8 Update
RP40: 11/02/2009 11.05.56 - Software Distribution Service 3.0
RP41: 12/02/2009 12.19.25 - Punto di arresto del sistema
RP42: 13/02/2009 11.41.38 - Avg8 Update
RP43: 14/02/2009 15.49.01 - Punto di arresto del sistema
RP44: 16/02/2009 12.25.01 - Punto di arresto del sistema
RP45: 17/02/2009 13.04.08 - Punto di arresto del sistema
RP46: 19/02/2009 10.32.41 - Installed Windows Media Player 11
RP47: 19/02/2009 10.40.32 - Software Distribution Service 3.0
RP48: 19/02/2009 12.33.28 - Software Distribution Service 3.0
RP49: 20/02/2009 11.25.18 - Removed AVG 8.0
RP50: 20/02/2009 11.26.16 - Installed AVG 8.0
RP51: 27/09/2001 12.02.49 - Installed Panda Internet Security 2008
RP52: 27/09/2001 13.01.34 - Removed Panda Internet Security 2008
RP53: 27/09/2001 13.15.48 - Installed AVG 8.0
RP54: 27/09/2001 13.36.55 - Avg8 Update
RP55: 27/09/2001 13.51.36 - Avg8 Update
RP56: 27/02/2009 16.32.13 - Software Distribution Service 3.0
RP57: 02/03/2009 8.34.21 - Removed AVG 8.0
RP58: 02/03/2009 8.34.59 - Installed AVG 8.0
RP59: 23/02/2009 10.04.44 - Punto di arresto del sistema
RP60: 24/02/2009 12.21.10 - Punto di arresto del sistema
RP61: 25/02/2009 13.30.02 - ComboFix created restore point
RP62: 25/02/2009 17.28.19 - Software Distribution Service 3.0

==== Installed Programs ======================

[esatto 2004] (Moduli a 32 Bit)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Agere Ethernet Adapter
Aggiornamento della protezione per Windows Internet Explorer 7 (KB938127-v2)
Aggiornamento della protezione per Windows Internet Explorer 7 (KB956390)
Aggiornamento della protezione per Windows Internet Explorer 7 (KB958215)
Aggiornamento della protezione per Windows Internet Explorer 7 (KB960714)
Aggiornamento della protezione per Windows Internet Explorer 7 (KB961260)
Aggiornamento della protezione per Windows Media Player (KB952069)
Aggiornamento della protezione per Windows Media Player 11 (KB936782)
Aggiornamento della protezione per Windows Media Player 11 (KB954154)
Aggiornamento della protezione per Windows XP (KB923689)
Aggiornamento della protezione per Windows XP (KB938464)
Aggiornamento della protezione per Windows XP (KB941569)
Aggiornamento della protezione per Windows XP (KB946648)
Aggiornamento della protezione per Windows XP (KB950762)
Aggiornamento della protezione per Windows XP (KB950974)
Aggiornamento della protezione per Windows XP (KB951066)
Aggiornamento della protezione per Windows XP (KB951376-v2)
Aggiornamento della protezione per Windows XP (KB951698)
Aggiornamento della protezione per Windows XP (KB951748)
Aggiornamento della protezione per Windows XP (KB952954)
Aggiornamento della protezione per Windows XP (KB954211)
Aggiornamento della protezione per Windows XP (KB954459)
Aggiornamento della protezione per Windows XP (KB954600)
Aggiornamento della protezione per Windows XP (KB955069)
Aggiornamento della protezione per Windows XP (KB956391)
Aggiornamento della protezione per Windows XP (KB956802)
Aggiornamento della protezione per Windows XP (KB956803)
Aggiornamento della protezione per Windows XP (KB956841)
Aggiornamento della protezione per Windows XP (KB957097)
Aggiornamento della protezione per Windows XP (KB958215)
Aggiornamento della protezione per Windows XP (KB958644)
Aggiornamento della protezione per Windows XP (KB958687)
Aggiornamento della protezione per Windows XP (KB960714)
Aggiornamento della protezione per Windows XP (KB960715)
Aggiornamento per Windows XP (KB898461)
Aggiornamento per Windows XP (KB951978)
Aggiornamento per Windows XP (KB955839)
Aggiornamento per Windows XP (KB967715)
Aggiornamento rapido per Windows Media Player 11 (KB939683)
Aggiornamento rapido per Windows XP (KB952287)
Apple Mobile Device Support
Apple Software Update
Bonjour
Cobian Backup 9
Copy
CorelDRAW Graphics Suite 12
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
Google Chrome
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
HP Diagnostic Assistant
HP Image Zone 4.0
HP Scanjet 4600
HP Software Update
hpg4600
HPSystemDiagnostics
InstantShare
iTunes
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Italian Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel 2007
Microsoft Office Excel MUI (Italian) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (Italian) 2007
Microsoft Office Shared MUI (Italian) 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (Italian) 2007
Microsoft Software Update for Web Folders (Italian) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.6)
MSXML 4.0 SP2 (KB954430)
MyIdentityDefender Toolbar (CyberDefender Corporation)
Nero 7 Ultra Edition
neroxml
NOD32 antivirus system
NOD32 FiX v2.1
Orbit Downloader
Overland
Panda Internet Security 2009
Pervasive System Analyzer
Pervasive.SQL V8 Workgroup (v8.5)
PhotoGallery
PrintScreen
QFolder
QuickProjects
QuickTime
RapGet
REALTEK GbE & FE Ethernet PCI NIC Driver
Scan
SkinsHP1
TeamViewer 4
TrayApp
Unload
VideoLAN VLC media player 0.8.6f
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR gestione archivi
Yahoo! Messenger
Yahoo! Toolbar

==== End Of File ===========================

#10 AdvancedSetup

Posted 26 February 2009 - 03:40 AM

Let us review and I'll get back with you.

Ron Lewis
Forum Community Manager


#11 AdvancedSetup

Posted 27 February 2009 - 04:25 AM

Please update MBAM and scan again and post back that log.

Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer

Ron Lewis
Forum Community Manager


#12 italianballoonguy

Posted 27 February 2009 - 04:40 AM

Malwarebytes' Anti-Malware 1.34
Database version: 1809
Windows 5.1.2600 Service Pack 3

27/02/2009 10.36.29
mbam-log-2009-02-27 (10-36-29).txt

Scan type: Quick Scan
Objects scanned: 62036
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gbookehd (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gbookehd (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gbookehd (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lhfsq.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\mzoieeto.dat (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\gbookehd.sys (Trojan.Agent) -> Delete on reboot.

#13 AdvancedSetup

Posted 27 February 2009 - 04:52 AM

It looks like it found the ones I was going to mark in CF. Please reboot and do another Quick Scan and post back that log.

Ron Lewis
Forum Community Manager


#14 italianballoonguy

Posted 27 February 2009 - 05:04 AM

Could this be real?

Malwarebytes' Anti-Malware 1.34
Database version: 1809
Windows 5.1.2600 Service Pack 3

27/02/2009 11.02.31
mbam-log-2009-02-27 (11-02-31).txt

Scan type: Quick Scan
Objects scanned: 62107
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 AdvancedSetup

Posted 27 February 2009 - 05:05 AM

Yep, that's why we wanted the information so we could remove it for you and anyone else that has this same infection.

Let's do an online scan to make sure you don't have anything else.


Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

Ron Lewis
Forum Community Manager


#16 italianballoonguy

Posted 27 February 2009 - 11:14 AM

O.K., sorry this took a long time.

1. When I finished updating Kaspersky, there was no place to change from standard to extended, but since it took more than 4 hours, I'm sure it was the extended.

2. I stopped the scan prematurely because it started scanning the other computers in our network here. So the result is my computer.

3. I noticed the virus it found is on my "D" drive. I have a program called Cobian Backup that backs up on my "D" drive. I was waiting to do a new scan when my computer is clean, so maybe I can just delete the older folders where it found it.

4. Below are the logs requested.

P.S. One more thing, can you explain how I got the viruses in the first place and how I can protect myself in the future?

By the way, my computer works great!!! I don't think it's ever run this way.

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, February 27, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, February 27, 2009 10:57:44
Records in database: 1851898
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
Y:\
Z:\

Scan statistics:
Files scanned: 179851
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 04:14:38


File name / Threat name / Threats count
D:\BACKUP\Documents and Settings 2009-01-23 12;01;16\Administrator\Documenti\Panda_Internet_Security_2008_v12.00.00\Panda Internet Security 2008 v12.00.00\P08promo.exe Infected: Trojan.Win32.Delf.fvq 1

The scan was stopped by the user.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.01.54, on 27/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programmi\Google\Update\GoogleUpdate.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\Cobian Backup 9\Cobian.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Cobian Backup 9\cbInterface.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.cattex.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programmi\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=030709 serial=DR12WUX-0606061-ZVY lang=IT
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cobian Backup 9] "C:\Programmi\Cobian Backup 9\Cobian.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with Rapget - C:\Programmi\RAPidshareGET\RapGet\rapget.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9}: NameServer = 151.99.125.2,151.99.125.3
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c98872a1038402) (gupdate1c98872a1038402) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe

--
End of file - 8088 bytes
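The O2 lines in the log above are what a helper reads by eye to decide which Browser Helper Objects need a CLSID and file lookup. The following Python is an added example for this thread, not HijackThis code and not from any post here: it parses O2 lines and applies that triage. The allowlist seed, the "dll directly in system32" heuristic and the zero-CLSID placeholder entry in the sample log are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# One HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Known-good CLSIDs; seeded with a vendor entry from the log above, normally
# maintained from vendor documentation rather than from the log being reviewed.
KNOWN_GOOD = {"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"}  # Adobe PDF Reader Link Helper

@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    reasons: List[str] = field(default_factory=list)

def parse_o2(line: str) -> Optional[Bho]:
    """Return a Bho for an O2 line, None for any other HijackThis line."""
    m = O2_RE.match(line.strip())
    return Bho(m["name"], m["clsid"].upper(), m["path"]) if m else None

def review(bho: Bho) -> Bho:
    """Attach the reasons a reviewer would look this entry up; none proves malice."""
    if bho.clsid in KNOWN_GOOD:
        return bho
    folder = bho.path.rpartition("\\")[0].lower()
    # Vendor helpers live under their own Program Files folder; a BHO dropped
    # straight into %SystemRoot%\system32 warrants looking up the CLSID and file.
    if folder.endswith("\\windows\\system32"):
        bho.reasons.append("dll directly in system32")
    if bho.name.strip() in ("", "(no name)"):
        bho.reasons.append("no display name")
    bho.reasons.append("clsid not in allowlist")
    return bho

def suspicious_bhos(log_lines: List[str]) -> List[Bho]:
    # Parse a whole HijackThis log and keep only the O2 entries with findings.
    found = []
    for line in log_lines:
        bho = parse_o2(line)
        if bho is not None and review(bho).reasons:
            found.append(bho)
    return found

# Sample log: two O2 lines from the thread above plus one CONSTRUCTED placeholder entry.
SAMPLE_LOG = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programmi\\File comuni\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\\Programmi\\Orbitdownloader\\orbitcth.dll",
    "O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\PLACEHOLDER.dll",
]
```

Entries that come back with only "clsid not in allowlist" are candidates for research, not removals; the system32 and no-name findings are what usually push an entry to the top of that list.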

#17 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,015 posts
  • Gender:Male
  • Location:US

Posted 28 February 2009 - 01:17 AM

No, luckily for you it was just a Trojan on your D: drive. If it had been Virut your computer would be completely trashed and useless as well as any other computer on the Network that was not protected from it. Very nasty little Virus that one.

Too difficult to say where or how you got it directly. AV definitions not up to date, Microsoft Critical Updates not up to date, exploited software like Java and Acrobat?

Please update your current Anti-Virus and do a FULL SYSTEM scan and let me know if it finds anything.

First let's remove some tools used so it doesn't find them.


Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP 1

Uninstall ComboFix.exe

  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

  • When shown the disclaimer, Select "2"
Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe


STEP 2

Uninstall GMER
Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.


STEP 3

Uninstall other tools
Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
    NOW please reboot your computer to finish the cleanup process


Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.


Then do the Anti-Virus scan and post back the results.

Ron Lewis
Forum Community Manager



#18 italianballoonguy

italianballoonguy

    New Member

  • Members
  • 12 posts

Posted 02 March 2009 - 03:16 AM

Below are the scan results as requested.


Scan performed at: 02/03/2009 8.38.18
Scanning Log
NOD32 version 3894 (20090227) NT
Operating memory - is OK

Date: 2.3.2009 Time: 08:38:21
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:; D:; E:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\Administrator\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\Administrator\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
D:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
E:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
Number of scanned files: 135101
Number of threats found: 0
Time of completion: 09:12:13 Total scanning time: 2032 sec (00:33:52)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.

#19 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,015 posts
  • Gender:Male
  • Location:US

Posted 02 March 2009 - 03:47 AM

All looks good now.

How is the computer running?
Are there still any signs of an infection?

Ron Lewis
Forum Community Manager



#20 italianballoonguy

italianballoonguy

    New Member

  • Members
  • 12 posts

Posted 02 March 2009 - 03:54 AM

Nope. Everything seems to be running just fine. I just wanted to thank you for all of this. I don't know what I would have done without people like you who are able to help dumb asses like me.

One last question. Since I am constantly downloading from the internet, what would you recommend I have on my computer to prevent unwanted viruses etc.?

I have Nod32 antivirus and Malwarebytes on my computer. Is this enough?

Thanks



