italianballoonguy

Trojan BHO.H removal please!!!

21 posts in this topic

I have performed the quick scan, saved the log file and rebooted. Performed the quick scan again and got the same result. I have also installed and run HijackThis. Below are my log files. Please help!!

Malwarebytes' Anti-Malware 1.34

Database version: 1798

Windows 5.1.2600 Service Pack 3

24/02/2009 10.39.02

mbam-log-2009-02-24 (10-39-02).txt

Scan type: Quick Scan

Objects scanned: 65943

Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\lhfsq.dll (Trojan.BHO.H) -> Delete on reboot.

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\mzoieeto.dat (Rootkit.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10.39.34, on 24/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programmi\Bonjour\mDNSResponder.exe

C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Programmi\Eset\nod32krn.exe

C:\Programmi\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Programmi\iTunes\iTunesHelper.exe

C:\Programmi\HP\HP Software Update\HPWuSchd2.exe

C:\Programmi\HP\hpcoretech\hpcmpmgr.exe

C:\Programmi\Eset\nod32kui.exe

C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe

C:\Programmi\Cobian Backup 9\Cobian.exe

C:\PVSW\Bin\w3dbsmgr.exe

C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe

C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe

C:\Programmi\Cobian Backup 9\cbInterface.exe

C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe

C:\Programmi\iPod\bin\iPodService.exe

C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe

C:\Programmi\Yahoo!\Messenger\ymsgr_tray.exe

C:\Programmi\Internet Explorer\iexplore.exe

C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.cattex.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7B073803-CFDF-4390-9D9B-078036B5E4D4} - C:\WINDOWS\system32\lhfsq.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programmi\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=030709 serial=DR12WUX-0606061-ZVY lang=IT

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Cobian Backup 9] "C:\Programmi\Cobian Backup 9\Cobian.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe

O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Orbit.lnk = C:\Programmi\Orbitdownloader\orbitdm.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: Download with Rapget - C:\Programmi\RAPidshareGET\RapGet\rapget.htm

O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9}: NameServer = 151.99.125.2,151.99.125.3

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate1c98872a1038402) (gupdate1c98872a1038402) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe

--

End of file - 8549 bytes
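As an added example (not part of the thread or of the tools it names), a small Python triage script that parses HijackThis "O2 - BHO" lines and Malwarebytes' detection lines in the formats shown in the logs above, cross-references the two and reports which BHOs deserve attention; the sample log lines are constructed from the entries in this thread, and the system32-location check is a heuristic of mine, not a rule from either tool.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample input (a few lines, not the full logs from the thread):
# the Malwarebytes' Anti-Malware detection lines and three HijackThis O2
# entries, in exactly the line formats those two logs use.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\lhfsq.dll (Trojan.BHO.H) -> Delete on reboot.
"""

HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B073803-CFDF-4390-9D9B-078036B5E4D4} - C:\WINDOWS\system32\lhfsq.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
"""

# HijackThis: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# MBAM: "<registry key, value or file> (<detection name>) -> <action>."
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# A CLSID in braces, matched against lower-cased text
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


class Bho(NamedTuple):
    name: str
    clsid: str  # lower-cased, braces kept, so it compares across both logs
    path: str


def parse_hjt_bhos(text: str) -> List[Bho]:
    """Extract the O2 (Browser Helper Object) entries from a HijackThis log."""
    bhos = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            bhos.append(Bho(m["name"].strip(), m["clsid"].lower(), m["path"].strip()))
    return bhos


def parse_mbam_detections(text: str) -> Dict[str, str]:
    """Map each item MBAM flagged (lower-cased key, value or file path) to its detection name."""
    detections = {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            detections[m["item"].lower()] = m["detection"]
    return detections


def triage_bhos(bhos: List[Bho], detections: Dict[str, str]) -> List[dict]:
    """Return the BHOs worth a closer look, each with the reasons it was flagged.

    The first three checks cross-reference the two logs. The last one is a
    weak heuristic (an assumption of this example): third-party BHOs normally
    install under Program Files, so a DLL registered straight out of system32
    deserves a look even without a scanner hit.
    """
    flagged_clsids = set()
    for item in detections:
        flagged_clsids.update(CLSID_RE.findall(item))
    findings = []
    for bho in bhos:
        reasons = []
        if bho.name.lower() == "(no name)":
            reasons.append("BHO registered without a name")
        if bho.clsid in flagged_clsids:
            reasons.append("CLSID appears in an MBAM registry detection")
        if bho.path.lower() in detections:
            reasons.append(f"DLL detected by MBAM as {detections[bho.path.lower()]}")
        if bho.path.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("BHO DLL lives directly in system32 (heuristic)")
        if reasons:
            findings.append({"name": bho.name, "clsid": bho.clsid,
                             "path": bho.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_bhos(parse_hjt_bhos(HJT_LOG), parse_mbam_detections(MBAM_LOG)):
        print(f"{f['clsid']} {f['path']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

On the sample above only the unnamed lhfsq.dll entry is reported, with all four reasons; the Adobe and Google entries pass every check.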


RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


One thing, sorry I am responding so late, but I live and work in Rome, Italy. It is my work computer that is having the problem, but I can only get to it between the hours of 8:00 a.m. to around 6:00 p.m. I don't know where you are so I can't calculate the time difference. I am able to stay longer if I know that you will be there to help, so let me know when you get this message where you are and between what times so I can try to be here at the same time.

O.k. I downloaded RootRepeal. I followed your instructions but when I start the scan, my screen turns black. When rebooting I shut down my antivirus and Malwarebytes but scanning again sends me to a black screen again. The only way of getting out is rebooting from my "on" button.

I hope this isn't serious.

Thanks by the way for helping.


The rootkit is probably blocking it.

Please see if you can run this one instead. As for time, it really doesn't matter. Basically move forward on tasks and post as you have them and when available I will respond. Thanks.

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


Okay please run the following.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


ComboFix 09-02-24.02 - Administrator 2009-02-25 13.33.00.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2047.1558 [GMT 1:00]

Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Opzioni usate :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

* Creato nuovo punto di ripristino

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\resycled

E:\resycled

.

((((((((((((((((((((((((( Files Creati Da 2009-01-25 al 2009-02-25 )))))))))))))))))))))))))))))))))))

.

2009-03-02 09:00 . 2009-03-02 09:00 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware

2009-03-02 09:00 . 2009-03-02 09:00 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes

2009-03-02 09:00 . 2009-03-02 09:00 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes

2009-03-02 09:00 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-02 09:00 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-02 08:38 . 2009-03-02 08:47 <DIR> d-------- c:\programmi\Eset

2009-03-02 08:38 . 2009-03-02 08:38 512,096 --a------ c:\windows\system32\drivers\amon.sys

2009-03-02 08:38 . 2009-03-02 08:38 298,104 --a------ c:\windows\system32\imon.dll

2009-03-02 08:38 . 2009-03-02 08:38 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys

2009-02-25 13:22 . 2009-02-25 13:22 <DIR> d-------- c:\windows\LastGood

2009-02-25 10:48 . 2009-02-25 10:48 521 --a------ C:\gmer.zip

2009-02-25 10:18 . 2009-02-25 11:01 250 --a------ c:\windows\gmer.ini

2009-02-25 08:36 . 2008-12-20 18:00 446,464 --a------ C:\RootRepeal.exe

2009-02-25 08:36 . 2009-02-25 08:36 0 --a------ C:\settings.dat

2009-02-24 10:39 . 2009-02-24 10:39 <DIR> d-------- c:\programmi\Trend Micro

2009-02-19 10:42 . 2009-02-19 10:42 <DIR> d-------- c:\programmi\Windows Media Connect 2

2009-02-19 10:41 . 2009-02-19 10:41 <DIR> d-------- c:\windows\system32\drivers\UMDF

2009-02-06 16:46 . 2009-02-11 13:23 <DIR> d-------- c:\programmi\Google

2009-02-06 16:46 . 2009-02-25 11:21 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Google Updater

2009-02-05 13:57 . 2009-02-05 13:57 320 --------- c:\windows\barcode.ini

2009-02-05 13:07 . 2009-02-05 13:23 <DIR> d-------- C:\easy

2009-02-05 12:40 . 2009-02-05 12:40 <DIR> d-------- c:\programmi\Seagate Software

2009-02-05 12:39 . 2009-02-05 12:39 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-02-05 12:39 . 1999-03-02 08:13 521,632 --------- c:\windows\system32\MAPI.DLL

2009-02-05 09:48 . 2009-02-05 09:48 49,152 --------- c:\windows\DBNAMES.CFG

2009-02-05 09:47 . 2009-02-05 12:45 298 --------- c:\windows\bti.ini

2009-02-05 09:40 . 2009-02-05 09:49 <DIR> d-------- C:\PVSW

2009-02-05 09:40 . 2009-02-05 09:40 <DIR> d-------- c:\programmi\File comuni\Pervasive Software Shared

2009-02-05 09:40 . 1998-10-29 15:45 306,688 --------- c:\windows\IsUninst.exe

2009-02-05 09:40 . 2002-07-20 19:36 251,016 --------- c:\windows\system32\keyhelp.ocx

2009-02-05 09:40 . 2002-06-30 18:40 19,456 --------- c:\windows\keyhh.exe

2009-02-05 09:36 . 2009-02-05 09:36 544,816 --------- c:\windows\system32\pscl.dll

2009-02-05 09:36 . 2009-02-05 09:36 254,002 --------- c:\windows\system32\pscore.dll

2009-02-05 09:36 . 2009-02-05 09:36 146,976 --------- c:\windows\system32\mfcoleui.dll

2009-02-05 09:36 . 2009-02-05 09:36 43,760 --------- c:\windows\system32\nwlocale.dll

2009-02-05 09:34 . 2009-02-05 09:34 <DIR> d-------- c:\programmi\TeamViewer

2009-02-05 09:34 . 2009-02-05 09:34 <DIR> d-------- c:\documents and settings\Administrator\temp

2009-02-05 09:34 . 2009-02-05 09:34 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\TeamViewer

2009-02-02 18:33 . 2009-02-02 18:35 <DIR> d-------- c:\programmi\Yahoo!

2009-02-02 18:05 . 2009-02-02 18:05 <DIR> d-------- c:\programmi\AVG

2009-01-27 08:54 . 2009-01-27 08:54 102 --------- c:\windows\system32\UserRequest_1233042841.tmp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-25 12:25 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Orbit

2009-02-05 11:40 --------- d-----w c:\programmi\File comuni\InstallShield

2009-02-02 17:34 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Yahoo!

2009-01-27 13:42 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Apple Computer

2009-01-24 14:16 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\GrabPro

2009-01-23 19:09 --------- d-----w c:\programmi\Agere

2009-01-23 18:56 --------- d-----w c:\programmi\Intel

2009-01-23 18:45 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage

2009-01-23 12:28 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\vlc

2009-01-23 10:18 --------- d-----w c:\programmi\HP

2009-01-23 10:18 --------- d-----w c:\programmi\Hewlett-Packard

2009-01-23 10:18 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Hewlett-Packard

2009-01-23 10:16 --------- d-----w c:\programmi\File comuni\HP

2009-01-23 10:16 --------- d-----w c:\programmi\File comuni\Hewlett-Packard

2009-01-22 17:50 --------- d-----w c:\programmi\MSXML 4.0

2009-01-22 17:29 --------- d-----w c:\programmi\iTunes

2009-01-22 17:29 --------- d-----w c:\programmi\iPod

2009-01-22 17:29 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-22 17:28 --------- d-----w c:\programmi\QuickTime

2009-01-22 17:28 --------- d-----w c:\programmi\File comuni\Apple

2009-01-22 17:28 --------- d-----w c:\programmi\Bonjour

2009-01-22 17:28 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Apple Computer

2009-01-22 17:27 --------- d-----w c:\programmi\Apple Software Update

2009-01-22 17:27 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Apple

2009-01-22 14:27 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Yahoo! Companion

2009-01-22 14:27 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Yahoo!

2009-01-22 12:44 --------- d-----w c:\programmi\VideoLAN

2009-01-22 12:43 --------- d-----w c:\programmi\RAPidshareGET

2009-01-22 11:57 --------- d-----w c:\programmi\File comuni\Adobe

2009-01-22 08:03 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Microsoft Help

2009-01-21 09:22 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Corel

2009-01-21 09:20 --------- d-----w c:\programmi\File comuni\Corel

2009-01-21 09:19 --------- d-----w c:\programmi\Corel

2009-01-21 09:08 --------- d-----w c:\programmi\Microsoft Works

2009-01-20 21:50 --------- d-----w c:\programmi\Cobian Backup 9

2009-01-20 21:36 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Ahead

2009-01-20 21:18 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Ahead

2009-01-20 21:17 --------- d-----w c:\programmi\File comuni\Ahead

2009-01-20 21:16 --------- d-----w c:\programmi\Nero

2009-01-20 21:16 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Nero

2009-01-20 20:53 118,528 ----a-w c:\windows\system32\lhfsq.dll

2009-01-20 20:52 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\sentinel

2009-01-20 20:48 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Backup

2009-01-20 20:37 --------- d-----w c:\programmi\Realtek

2009-01-20 20:37 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\InstallShield

2009-01-20 19:57 --------- d-----w c:\programmi\microsoft frontpage

2009-01-20 19:56 --------- d-----w c:\programmi\Servizi in linea

2008-12-20 22:31 826,368 ------w c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B073803-CFDF-4390-9D9B-078036B5E4D4}]

2009-01-20 21:53 118528 --a------ c:\windows\system32\lhfsq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]

"Cobian Backup 9"="c:\programmi\Cobian Backup 9\Cobian.exe" [2008-09-21 579584]

"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]

"Messenger (Yahoo!)"="c:\programmi\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"CorelDRAW Graphics Suite 11b"="c:\programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe" [2003-11-28 733184]

"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2008-09-10 289576]

"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]

"HP Component Manager"="c:\programmi\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2009-03-02 949376]

"Malwarebytes' Anti-Malware"="c:\programmi\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]

"SoundMan"="SOUNDMAN.EXE" [2006-04-01 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\Bin\w3dbsmgr.exe [2003-10-29 106546]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\

Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-14 53248]

HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-14 241664]

Orbit.lnk - c:\programmi\Orbitdownloader\orbitdm.exe [2009-01-23 1711304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=

"c:\\Programmi\\iTunes\\iTunes.exe"=

"c:\\Programmi\\Orbitdownloader\\orbitnet.exe"=

"c:\\PVSW\\Bin\\w3dbsmgr.exe"=

R0 gbookehd;gbookehd;c:\windows\system32\drivers\gbookehd.sys [2001-08-31 23424]

R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2009-01-20 110128]

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2009-01-20 17328]

R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [2009-01-23 774045]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-03-02 15424]

R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-02 179856]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-02 15504]

R3 WDMWANMP;NDIS WAN miniport;c:\windows\system32\drivers\wdmwanmp.sys [2009-01-23 28800]

S2 gupdate1c98872a1038402;Google Update Service (gupdate1c98872a1038402);c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{402afc05-eb9b-11dd-a5c5-487444737531}]

\Shell\AutoRun\command - .\run\autorun.exe

\Shell\open\Command - .\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7a0766-e851-11dd-a5ba-000c765029c1}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com i:

\Shell\Open\command - resycled\boot.com i:

.

Contenuto della cartella 'Scheduled Tasks'

2009-02-25 c:\windows\Tasks\Google Software Updater.job

- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 16:46]

2009-02-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 16:50]

2009-02-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Administrator.job

- c:\programmi\Malwarebytes' Anti-Malware\mbam.exe [2009-02-11 10:19]

.

- - - - CHIAVI ORFANE RIMOSSE - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

URLSearchHooks-~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Notify-avldr - (no file)

.

------- Scansione supplementare -------

.

uStart Page = hxxp://store.cattex.com/

uInternet Connection Wizard,ShellNext = hxxp://www.google.it/

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/202

IE: Download with Rapget - c:\programmi\RAPidshareGET\RapGet\rapget.htm

IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: c:\windows\system32\imon.dll

TCP: {4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9} = 151.99.125.2,151.99.125.3

FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\gvxcxtgt.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://store.cattex.com

FF - plugin: c:\programmi\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll

FF - plugin: c:\programmi\Google\Update\1.2.141.5\npGoogleOneClick7.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-25 13:35:38

Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo

Files nascosti: 0

**************************************************************************

.

--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'lsass.exe'(640)

c:\windows\system32\imon.dll

.

Ora fine scansione: 2009-02-25 13.38.36

ComboFix-quarantined-files.txt 2009-02-25 12:37:25

Pre-Run: 140.845.502.464 byte disponibili

Post-Run: 145,406,226,432 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

227 --- E O F --- 2009-02-27 15:32:34

Malwarebytes' Anti-Malware 1.34

Database version: 1801

Windows 5.1.2600 Service Pack 3

25/02/2009 13.44.35

mbam-log-2009-02-25 (13-44-28).txt

Scan type: Quick Scan

Objects scanned: 61623

Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\lhfsq.dll (Trojan.BHO.H) -> No action taken.

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\mzoieeto.dat (Rootkit.Agent) -> No action taken.


Please run the following tool

Download DDS and save it to your desktop

http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt


The program asked me to ZIP the "ATTACH" file but it won't let me attach it, so I just copied it below. Good morning by the way.

DDS (Ver_09-02-01.01) - NTFSx86

Run by Administrator at 8.08.44,20 on 26/02/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1598 [GMT 1:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programmi\Bonjour\mDNSResponder.exe

C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Programmi\Google\Update\GoogleUpdate.exe

C:\Programmi\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Programmi\iTunes\iTunesHelper.exe

C:\Programmi\HP\HP Software Update\HPWuSchd2.exe

C:\Programmi\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe

C:\Programmi\Cobian Backup 9\Cobian.exe

C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe

C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe

C:\PVSW\Bin\w3dbsmgr.exe

C:\Programmi\iPod\bin\iPodService.exe

C:\Programmi\Cobian Backup 9\cbInterface.exe

C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe

C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://store.cattex.com/

uInternet Connection Wizard,ShellNext = hxxp://www.google.it/

uInternet Settings,ProxyOverride = *.local

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\programmi\orbitdownloader\orbitcth.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: NoExplorer - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {7b073803-cfdf-4390-9d9b-078036b5e4d4} - c:\windows\system32\lhfsq.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\programmi\orbitdownloader\GrabPro.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programmi\file comuni\ahead\lib\NMBgMonitor.exe"

uRun: [Cobian Backup 9] "c:\programmi\cobian backup 9\Cobian.exe"

uRun: [MSMSGS] "c:\programmi\messenger\msmsgs.exe" /background

uRun: [Messenger (Yahoo!)] "c:\programmi\yahoo!\messenger\YahooMessenger.exe" -quiet

mRun: [soundMan] SOUNDMAN.EXE

mRun: [NeroFilterCheck] c:\programmi\file comuni\ahead\lib\NeroCheck.exe

mRun: [CorelDRAW Graphics Suite 11b] c:\programmi\corel\corel graphics 12\languages\it\programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=030709 serial=DR12WUX-0606061-ZVY lang=IT

mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"

mRun: [HP Software Update] "c:\programmi\hp\hp software update\HPWuSchd2.exe"

mRun: [HP Component Manager] "c:\programmi\hp\hpcoretech\hpcmpmgr.exe"

mRun: [nod32kui] "c:\programmi\eset\nod32kui.exe" /WAITSERVICE

mRun: [Malwarebytes' Anti-Malware] "c:\programmi\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\admini~1\menuav~1\progra~1\esecuz~1\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avvior~1.lnk - c:\programmi\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpdigi~1.lnk - c:\programmi\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\orbit.lnk - c:\programmi\orbitdownloader\orbitdm.exe

IE: &Download by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\programmi\orbitdownloader\orbitmxt.dll/202

IE: Download with Rapget - c:\programmi\rapidshareget\rapget\rapget.htm

IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: c:\windows\system32\imon.dll

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

TCP: {4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9} = 151.99.125.2,151.99.125.3

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\programmi\hp\hpcoretech\comp\hpuiprot.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datiap~1\mozilla\firefox\profiles\gvxcxtgt.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://store.cattex.com

FF - plugin: c:\programmi\google\google updater\2.4.1487.6512\npCIDetect13.dll

FF - plugin: c:\programmi\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 gbookehd;gbookehd;c:\windows\system32\drivers\gbookehd.sys [2001-8-31 23424]

R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2009-1-20 110128]

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2009-1-20 17328]

R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [2009-1-23 774045]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-3-2 15424]

R2 MBAMService;MBAMService;c:\programmi\malwarebytes' anti-malware\mbamservice.exe [2009-3-2 179856]

R2 NOD32krn;NOD32 Kernel Service;c:\programmi\eset\nod32krn.exe [2009-3-2 552064]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-3-2 15504]

R3 WDMWANMP;NDIS WAN miniport;c:\windows\system32\drivers\wdmwanmp.sys [2009-1-23 28800]

S2 gupdate1c98872a1038402;Google Update Service (gupdate1c98872a1038402);c:\programmi\google\update\GoogleUpdate.exe [2009-2-6 133104]

=============== Created Last 30 ================

2009-02-25 13:32 <DIR> a-dshr-- C:\cmdcons

2009-02-25 13:29 161,792 a------- c:\windows\SWREG.exe

2009-02-25 13:29 98,816 a------- c:\windows\sed.exe

2009-02-25 10:48 521 a------- C:\gmer.zip

2009-02-25 10:18 250 a------- c:\windows\gmer.ini

2009-02-25 08:36 0 a------- C:\settings.dat

2009-02-25 08:36 446,464 a------- C:\RootRepeal.exe

2009-02-24 10:39 <DIR> --d----- c:\programmi\Trend Micro

2009-02-19 10:42 <DIR> --d----- c:\programmi\Windows Media Connect 2

2009-02-05 13:57 320 -------- c:\windows\barcode.ini

2009-02-05 13:07 <DIR> --d----- C:\easy

2009-02-05 12:40 <DIR> --d----- c:\programmi\Seagate Software

2009-02-05 12:39 521,632 -------- c:\windows\system32\MAPI.DLL

2009-02-05 12:39 <DIR> --d----- c:\documents and settings\administrator\WINDOWS

2009-02-05 09:48 49,152 -------- c:\windows\DBNAMES.CFG

2009-02-05 09:47 298 -------- c:\windows\bti.ini

2009-02-05 09:40 <DIR> --d----- c:\programmi\file comuni\Pervasive Software Shared

2009-02-05 09:40 251,016 -------- c:\windows\system32\keyhelp.ocx

2009-02-05 09:40 19,456 -------- c:\windows\keyhh.exe

2009-02-05 09:40 306,688 -------- c:\windows\IsUninst.exe

2009-02-05 09:40 <DIR> --d----- C:\PVSW

2009-02-05 09:36 544,816 -------- c:\windows\system32\pscl.dll

2009-02-05 09:36 254,002 -------- c:\windows\system32\pscore.dll

2009-02-05 09:36 146,976 -------- c:\windows\system32\mfcoleui.dll

2009-02-05 09:36 43,760 -------- c:\windows\system32\nwlocale.dll

2009-02-05 09:34 <DIR> --d----- c:\docume~1\admini~1\datiap~1\TeamViewer

2009-02-05 09:34 <DIR> --d----- c:\programmi\TeamViewer

2009-02-05 09:34 <DIR> --d----- c:\documents and settings\administrator\temp

2009-02-02 18:33 <DIR> --d----- c:\programmi\Yahoo!

2009-02-02 18:05 <DIR> --d----- c:\programmi\AVG

2009-01-27 08:54 102 -------- c:\windows\system32\UserRequest_1233042841.tmp

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-23 11:19 85,264 -------- c:\windows\hpgins01.dat

2009-01-21 17:09 86,327 -------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2009-01-20 21:53 118,528 a------- c:\windows\system32\lhfsq.dll

2009-01-20 20:54 21,840 -------- c:\windows\system32\emptyregdb.dat

2008-12-20 23:31 826,368 -------- c:\windows\system32\wininet.dll

============= FINISH: 8.09.02,29 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 20/01/2009 20.59.37

System Uptime: 26/02/2009 7.57.14 (1 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577

Processor: Intel® Pentium® 4 CPU 2.60GHz | Socket 478 | 2600/100mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 134,745 GiB free.

D: is FIXED (NTFS) - 112 GiB total, 59,667 GiB free.

E: is FIXED (NTFS) - 56 GiB total, 42,009 GiB free.

G: is CDROM (CDFS)

H: is CDROM ()

Y: is NetworkDisk (NTFS) - 98 GiB total, 80,434 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP8: 20/01/2009 22.29.10 - Punto di arresto del sistema

RP9: 21/01/2009 10.06.30 - Installed Microsoft Office Word 2007

RP10: 21/01/2009 10.12.41 - Installed Microsoft Office Excel 2007

RP11: 21/01/2009 10.19.44 - CorelDRAW Graphics Suite 12 installato

RP12: 22/01/2009 12.21.16 - Punto di arresto del sistema

RP13: 22/01/2009 13.43.22 - Installed RapGet

RP14: 22/01/2009 15.43.23 - Software Distribution Service 3.0

RP15: 22/01/2009 18.28.55 - iTunes installato

RP16: 22/01/2009 18.49.20 - Software Distribution Service 3.0

RP17: 23/01/2009 7.53.13 - Software Distribution Service 3.0

RP18: 23/01/2009 11.59.52 - Software Distribution Service 3.0

RP19: 23/01/2009 20.09.29 - Installed Agere Ethernet Adapter

RP20: 23/01/2009 20.23.49 - Aggiorna a driver privo di firma digitale

RP21: 24/01/2009 17.01.09 - Software Distribution Service 3.0

RP22: 26/01/2009 8.31.07 - Software Distribution Service 3.0

RP23: 27/01/2009 12.34.13 - Punto di arresto del sistema

RP24: 27/01/2009 15.41.58 - Rimosso Panda Internet Security 2008

RP25: 27/09/2001 16.51.23 - Installed Panda Internet Security 2008

RP26: 28/09/2001 17.45.01 - Punto di arresto del sistema

RP27: 30/01/2009 12.29.51 - Punto di arresto del sistema

RP28: 02/02/2009 12.17.39 - Punto di arresto del sistema

RP29: 02/02/2009 17.55.35 - Removed Panda Internet Security 2008

RP30: 02/02/2009 18.05.29 - Installed AVG 8.0

RP31: 03/02/2009 9.45.49 - Avg8 Update

RP32: 03/02/2009 9.58.57 - Avg8 Update

RP33: 04/02/2009 12.17.49 - Punto di arresto del sistema

RP34: 05/02/2009 9.47.04 - Installed Pervasive.SQL V8 Workgroup (v8.5)

RP35: 05/02/2009 12.40.45 - Microsoft Visual C++ 2005 Redistributable installato

RP36: 06/02/2009 12.55.18 - Punto di arresto del sistema

RP37: 08/02/2009 12.26.02 - Punto di arresto del sistema

RP38: 09/02/2009 12.35.58 - Punto di arresto del sistema

RP39: 10/02/2009 8.46.55 - Avg8 Update

RP40: 11/02/2009 11.05.56 - Software Distribution Service 3.0

RP41: 12/02/2009 12.19.25 - Punto di arresto del sistema

RP42: 13/02/2009 11.41.38 - Avg8 Update

RP43: 14/02/2009 15.49.01 - Punto di arresto del sistema

RP44: 16/02/2009 12.25.01 - Punto di arresto del sistema

RP45: 17/02/2009 13.04.08 - Punto di arresto del sistema

RP46: 19/02/2009 10.32.41 - Installed Windows Media Player 11

RP47: 19/02/2009 10.40.32 - Software Distribution Service 3.0

RP48: 19/02/2009 12.33.28 - Software Distribution Service 3.0

RP49: 20/02/2009 11.25.18 - Removed AVG 8.0

RP50: 20/02/2009 11.26.16 - Installed AVG 8.0

RP51: 27/09/2001 12.02.49 - Installed Panda Internet Security 2008

RP52: 27/09/2001 13.01.34 - Removed Panda Internet Security 2008

RP53: 27/09/2001 13.15.48 - Installed AVG 8.0

RP54: 27/09/2001 13.36.55 - Avg8 Update

RP55: 27/09/2001 13.51.36 - Avg8 Update

RP56: 27/02/2009 16.32.13 - Software Distribution Service 3.0

RP57: 02/03/2009 8.34.21 - Removed AVG 8.0

RP58: 02/03/2009 8.34.59 - Installed AVG 8.0

RP59: 23/02/2009 10.04.44 - Punto di arresto del sistema

RP60: 24/02/2009 12.21.10 - Punto di arresto del sistema

RP61: 25/02/2009 13.30.02 - ComboFix created restore point

RP62: 25/02/2009 17.28.19 - Software Distribution Service 3.0

==== Installed Programs ======================

[esatto 2004] (Moduli a 32 Bit)

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.3

Agere Ethernet Adapter

Aggiornamento della protezione per Windows Internet Explorer 7 (KB938127-v2)

Aggiornamento della protezione per Windows Internet Explorer 7 (KB956390)

Aggiornamento della protezione per Windows Internet Explorer 7 (KB958215)

Aggiornamento della protezione per Windows Internet Explorer 7 (KB960714)

Aggiornamento della protezione per Windows Internet Explorer 7 (KB961260)

Aggiornamento della protezione per Windows Media Player (KB952069)

Aggiornamento della protezione per Windows Media Player 11 (KB936782)

Aggiornamento della protezione per Windows Media Player 11 (KB954154)

Aggiornamento della protezione per Windows XP (KB923689)

Aggiornamento della protezione per Windows XP (KB938464)

Aggiornamento della protezione per Windows XP (KB941569)

Aggiornamento della protezione per Windows XP (KB946648)

Aggiornamento della protezione per Windows XP (KB950762)

Aggiornamento della protezione per Windows XP (KB950974)

Aggiornamento della protezione per Windows XP (KB951066)

Aggiornamento della protezione per Windows XP (KB951376-v2)

Aggiornamento della protezione per Windows XP (KB951698)

Aggiornamento della protezione per Windows XP (KB951748)

Aggiornamento della protezione per Windows XP (KB952954)

Aggiornamento della protezione per Windows XP (KB954211)

Aggiornamento della protezione per Windows XP (KB954459)

Aggiornamento della protezione per Windows XP (KB954600)

Aggiornamento della protezione per Windows XP (KB955069)

Aggiornamento della protezione per Windows XP (KB956391)

Aggiornamento della protezione per Windows XP (KB956802)

Aggiornamento della protezione per Windows XP (KB956803)

Aggiornamento della protezione per Windows XP (KB956841)

Aggiornamento della protezione per Windows XP (KB957097)

Aggiornamento della protezione per Windows XP (KB958215)

Aggiornamento della protezione per Windows XP (KB958644)

Aggiornamento della protezione per Windows XP (KB958687)

Aggiornamento della protezione per Windows XP (KB960714)

Aggiornamento della protezione per Windows XP (KB960715)

Aggiornamento per Windows XP (KB898461)

Aggiornamento per Windows XP (KB951978)

Aggiornamento per Windows XP (KB955839)

Aggiornamento per Windows XP (KB967715)

Aggiornamento rapido per Windows Media Player 11 (KB939683)

Aggiornamento rapido per Windows XP (KB952287)

Apple Mobile Device Support

Apple Software Update

Bonjour

Cobian Backup 9

Copy

CorelDRAW Graphics Suite 12

CreativeProjects

CreativeProjectsTemplates

CueTour

Destinations

Director

DocProc

Google Chrome

Google Earth

Google Update Helper

Google Updater

HijackThis 2.0.2

Hotfix for Windows Media Format 11 SDK (KB929399)

HP Diagnostic Assistant

HP Image Zone 4.0

HP Scanjet 4600

HP Software Update

hpg4600

HPSystemDiagnostics

InstantShare

iTunes

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 1.1 Italian Language Pack

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Excel 2007

Microsoft Office Excel MUI (Italian) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (German) 2007

Microsoft Office Proof (Italian) 2007

Microsoft Office Proofing (Italian) 2007

Microsoft Office Shared MUI (Italian) 2007

Microsoft Office Word 2007

Microsoft Office Word MUI (Italian) 2007

Microsoft Software Update for Web Folders (Italian) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox (3.0.6)

MSXML 4.0 SP2 (KB954430)

MyIdentityDefender Toolbar (CyberDefender Corporation)

Nero 7 Ultra Edition

neroxml

NOD32 antivirus system

NOD32 FiX v2.1

Orbit Downloader

Overland

Panda Internet Security 2009

Pervasive System Analyzer

Pervasive.SQL V8 Workgroup (v8.5)

PhotoGallery

PrintScreen

QFolder

QuickProjects

QuickTime

RapGet

REALTEK GbE & FE Ethernet PCI NIC Driver

Scan

SkinsHP1

TeamViewer 4

TrayApp

Unload

VideoLAN VLC media player 0.8.6f

WebFldrs XP

WebReg

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Player 11

WinRAR gestione archivi

Yahoo! Messenger

Yahoo! Toolbar

==== End Of File ===========================


Please update MBAM and scan again and post back that log.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer


Malwarebytes' Anti-Malware 1.34

Database version: 1809

Windows 5.1.2600 Service Pack 3

27/02/2009 10.36.29

mbam-log-2009-02-27 (10-36-29).txt

Scan type: Quick Scan

Objects scanned: 62036

Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gbookehd (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gbookehd (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gbookehd (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\lhfsq.dll (Trojan.BHO.H) -> Delete on reboot.

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\mzoieeto.dat (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\gbookehd.sys (Trojan.Agent) -> Delete on reboot.


It looks like it found the ones I was going to mark in CF. Please reboot and do another Quick Scan and post back that log.


Could this be real?

Malwarebytes' Anti-Malware 1.34

Database version: 1809

Windows 5.1.2600 Service Pack 3

27/02/2009 11.02.31

mbam-log-2009-02-27 (11-02-31).txt

Scan type: Quick Scan

Objects scanned: 62107

Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

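The MBAM logs in this thread differ only in what each section lists and in the action column ("No action taken", "Delete on reboot"), and the helper compares them by eye. As an added example, not code from this thread or from Malwarebytes, here is a small parser for the MBAM 1.x text log format that extracts each detection, checks that the header counts agree with the itemized entries, flags items still pending "Delete on reboot" (the reason a rescan after restart is asked for), and diffs two scans. The sample logs embedded at the bottom are constructed and abridged from the format of the logs posted above; the "Quarantined and deleted successfully." action string is an assumption.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs, check the summary
counts against the itemized entries, and diff two scans.
Added example; not Malwarebytes code. Sample logs below are constructed
from the format of the logs posted in this thread."""
import re
from dataclasses import dataclass

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# Item line: "<path> (<threat name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary line: "Registry Keys Infected: 2"
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")


@dataclass(frozen=True, order=True)
class Detection:
    section: str
    path: str
    threat: str
    action: str


def parse_mbam_log(text):
    """Return (summary_counts, [Detection, ...]) for one MBAM 1.x log."""
    counts, detections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group("section") in SECTIONS:
            counts[m.group("section")] = int(m.group("n"))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:  # section header
            current = line[:-1]
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(current, m.group("path"),
                                        m.group("threat"), m.group("action")))
    return counts, detections


def count_mismatches(counts, detections):
    """Sections whose header count disagrees with the itemized entries:
    {section: (declared, itemized)}. An empty dict means the log is consistent."""
    itemized = {s: 0 for s in SECTIONS}
    for d in detections:
        itemized[d.section] += 1
    return {s: (counts.get(s, 0), itemized[s])
            for s in SECTIONS if counts.get(s, 0) != itemized[s]}


def pending_reboot(detections):
    """Items MBAM could not remove while Windows was running; they are only
    gone after a restart, which is why a follow-up scan after reboot is needed."""
    return [d for d in detections if d.action == "Delete on reboot"]


def diff_scans(before, after):
    """(removed, new) keyed on (section, path, threat), ignoring the action."""
    key = lambda d: (d.section, d.path, d.threat)
    b, a = {key(d) for d in before}, {key(d) for d in after}
    return sorted(b - a), sorted(a - b)


# Constructed samples in the format of this thread's logs (abridged).
SCAN_BEFORE = """\
Malwarebytes' Anti-Malware 1.34
Scan type: Quick Scan
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\\CLSID\\{7b073803-cfdf-4390-9d9b-078036b5e4d4} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\bf (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\lhfsq.dll (Trojan.BHO.H) -> Delete on reboot.
"""

SCAN_AFTER = """\
Registry Keys Infected: 0
Registry Values Infected: 0
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    counts, found = parse_mbam_log(SCAN_BEFORE)
    print("count mismatches:", count_mismatches(counts, found))
    print("pending reboot:", len(pending_reboot(found)))
    removed, new = diff_scans(found, parse_mbam_log(SCAN_AFTER)[1])
    print("removed after reboot:", len(removed), "new:", len(new))
```

The count check is the part worth keeping around: a log whose header says "Registry Keys Infected: 5" but itemizes only three entries has been truncated or edited in transit, and the diff of "before" against the post-reboot "after" scan shows exactly which persistence entries (the BHO CLSID registration and its DLL) actually went away rather than relying on a clean summary alone.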

Yep, that's why we wanted the information so we could remove it for you and anyone else that has this same infection.

Let's do an online scan to make sure you don't have anything else.

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


O.k. sorry this took a long time.

1. When I finished updating Kaspersky, there was no place to change from standard to extended but since it took more than 4 hours, I'm sure it was the extended.

2. I stopped the scan prematurely because it started scanning the other computers in our network here. So the result is my computer.

3. I noticed the virus it found is on my "D" drive. I have a program called Cobian Backup that backs up on my "D" drive. I was waiting to do a new scan when my computer is clean, so maybe I can just delete the older folders where it found it.

4. Below are the logs requested.

P.S. One more thing, can you explain how I got the viruses in the first place and how I can protect myself in the future?

By the way, my computer works great!!! I don't think it's ever run this way.

KASPERSKY ONLINE SCANNER 7 REPORT

Friday, February 27, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Friday, February 27, 2009 10:57:44

Records in database: 1851898

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

G:\

H:\

Y:\

Z:\

Scan statistics:

Files scanned: 179851

Threat name: 1

Infected objects: 1

Suspicious objects: 0

Duration of the scan: 04:14:38

File name / Threat name / Threats count

D:\BACKUP\Documents and Settings 2009-01-23 12;01;16\Administrator\Documenti\Panda_Internet_Security_2008_v12.00.00\Panda Internet Security 2008 v12.00.00\P08promo.exe Infected: Trojan.Win32.Delf.fvq 1

The scan was stopped by the user.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17.01.54, on 27/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programmi\Bonjour\mDNSResponder.exe

C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Programmi\Google\Update\GoogleUpdate.exe

C:\Programmi\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Programmi\iTunes\iTunesHelper.exe

C:\Programmi\HP\HP Software Update\HPWuSchd2.exe

C:\Programmi\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe

C:\Programmi\Cobian Backup 9\Cobian.exe

C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe

C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe

C:\PVSW\Bin\w3dbsmgr.exe

C:\Programmi\iPod\bin\iPodService.exe

C:\Programmi\Cobian Backup 9\cbInterface.exe

C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe

C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe

C:\Programmi\Java\jre6\bin\jqs.exe

C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.cattex.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programmi\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=030709 serial=DR12WUX-0606061-ZVY lang=IT

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Cobian Backup 9] "C:\Programmi\Cobian Backup 9\Cobian.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe

O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: Download with Rapget - C:\Programmi\RAPidshareGET\RapGet\rapget.htm

O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC5ECDB-85B4-403F-A5B7-6E83CCDE1AD9}: NameServer = 151.99.125.2,151.99.125.3

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate1c98872a1038402) (gupdate1c98872a1038402) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe

--

End of file - 8088 bytes

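The O4 and O23 lines above are what a helper reads by hand: which autostart entry or service points at which executable. As an added example (not part of the original post and not HijackThis code), the Python below parses those two entry types and applies three heuristics a reviewer applies mentally: executables running from user-writable locations, bare filenames resolved by PATH search, and unquoted Run commands whose path contains spaces, where the Win32 command-line parsing rule tries each space-delimited prefix as a program name before the full path. The sample log is a constructed subset of the log above plus one hypothetical "updater" entry, added only to exercise the checks; flags are pointers to look closer, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a handful of O4/O23 lines in the format of the HijackThis
# log above, plus one hypothetical entry ("updater") added to exercise the checks.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" lang=IT
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrator\Impostazioni locali\Temp\upd.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O8 - Extra context menu item: Download with Rapget - C:\Programmi\RAPidshareGET\RapGet\rapget.htm
"""

RUN_RE = re.compile(
    r"^O4 - (?P<src>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
STARTUP_RE = re.compile(r"^O4 - (?P<src>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<cmd>.+)$")
# First token of the command: a quoted path, or an unquoted one ending in an executable
# extension; whatever follows is treated as arguments.
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd)))(?=\s|$)', re.I)

# Directory fragments (English and Italian XP names) an unprivileged user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\",
                 "\\dati applicazioni\\", "\\local settings\\", "\\impostazioni locali\\")

@dataclass
class Entry:
    section: str      # "O4" or "O23"
    source: str       # hive/run key, startup folder, or "service"
    name: str
    command: str
    exe: str          # executable path with arguments stripped
    flags: List[str] = field(default_factory=list)

def extract_exe(command: str) -> str:
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m["q"] or m["u"]

def parse_hjt(text: str) -> List[Entry]:
    """Parse O4 (Run/Startup) and O23 (Service) lines; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry("O4", m["src"], m["name"], m["cmd"], extract_exe(m["cmd"])))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("O4", m["src"], m["name"], m["cmd"], extract_exe(m["cmd"])))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("O23", "service", m["name"], m["cmd"], extract_exe(m["cmd"])))
    return entries

def audit(entries: List[Entry]) -> List[Entry]:
    """Attach heuristic flags; a flag is a reason to look closer, not a verdict."""
    for e in entries:
        low = e.exe.lower()
        if "\\" not in low:
            e.flags.append("bare filename: resolved by PATH search, easy to shadow")
        if any(frag in low for frag in USER_WRITABLE):
            e.flags.append("runs from a user-writable location")
        # HijackThis prints O23 service paths without quotes regardless, so this check is
        # only meaningful for O4. When an unquoted command line with spaces is handed to
        # CreateProcess, Windows tries each space-delimited prefix (e.g.
        # C:\Programmi\Corel\Corel.exe) as the program before the full path.
        if e.section == "O4" and not e.command.startswith('"') and " " in e.exe:
            e.flags.append("unquoted path with spaces")
    return entries

def flagged_names(text: str) -> List[str]:
    return [e.name for e in audit(parse_hjt(text)) if e.flags]

if __name__ == "__main__":
    for e in audit(parse_hjt(SAMPLE_LOG)):
        status = "; ".join(e.flags) or "ok"
        print(f"{e.section} {e.source:<22} {e.name:<32} {e.exe}\n    -> {status}")
```

Run against the sample, only the Corel entry (unquoted, spaces in path) and the hypothetical "updater" (Temp folder) are flagged; the quoted Adobe entry with "Reader 8.0" in its path is not, which is the point of the quoting check.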

No, luckily for you it was just a Trojan on your D: drive. If it had been Virut your computer would be completely trashed and useless as well as any other computer on the Network that was not protected from it. Very nasty little Virus that one.

Too difficult to say where or how you got it directly. AV definitions not up to date, Microsoft Critical Updates not up to date, exploited software like Java and Acrobat?

Please update your current Anti-Virus and do a FULL SYSTEM scan and let me know if it finds anything.

First let's remove some tools used so it doesn't find them.

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP 1

Uninstall ComboFix.exe

  • Click START, then RUN.
  • Now type Combofix /u (if you renamed Combofix.exe, use that name instead) in the run box and click OK. Note the space between the X and the /U; it needs to be there.



  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe

STEP 2

Uninstall GMER

Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP 3

Uninstall other tools

Please download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up; select Yes and allow the system to clean up these items.
  • NOW please reboot your computer to finish the cleanup process.

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Then do the Anti-Virus scan and post back the results.


Below are the scan results as requested.

Scan performed at: 02/03/2009 8.38.18

Scanning Log

NOD32 version 3894 (20090227) NT

Operating memory - is OK

Date: 2.3.2009 Time: 08:38:21

Anti-Stealth technology is enabled.

Scanned disks, folders and files: C:; D:; E:

C:\hiberfil.sys - error opening (File locked) [4]

C:\pagefile.sys - error opening (File locked) [4]

C:\Documents and Settings\Administrator\NTUSER.DAT - error opening (File locked) [4]

C:\Documents and Settings\Administrator\ntuser.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]

C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]

C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]

C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]

C:\WINDOWS\system32\config\default - error opening (File locked) [4]

C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]

C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]

C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\software - error opening (File locked) [4]

C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\system - error opening (File locked) [4]

C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]

D:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]

E:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]

Number of scanned files: 135101

Number of threats found: 0

Time of completion: 09:12:13 Total scanning time: 2032 sec (00:33:52)

Notes:

[4] File cannot be opened. It may be in use by another application or operating system.


All looks good now.

How is the computer running?

Are there still any signs of an infection?


Nope. Everything seems to be running just fine. I just wanted to thank you for all of this. I don't know what I would have done without people like you who are able to help dumb asses like me.

One last question. Since I am constantly downloading from the internet, what would you recommend I have on my computer to prevent unwanted viruses etc.?

I have Nod32 antivirus and Malwarebytes on my computer. Is this enough?

Thanks


Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and these suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

You can find information about how WinPatrol works here.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know: http://www.malwarebytes.org

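The hpHosts recommendation above relies on how the hosts file works: the resolver consults it before DNS, and any name listed there resolves to the address on that line. As an added example (not part of the original post and not hpHosts code), the Python below parses a hosts file the way a resolver reads it (comments, tabs, several names per line, case-insensitive names, first match wins) and shows two things the post does not spell out: a hosts entry blocks only the exact name, never its subdomains, and entries that point a name at a real address are redirects rather than blocks, which is exactly what malware does when it hijacks the hosts file to cut off antivirus update servers. The sample hosts file is constructed, using reserved example domains and a TEST-NET address.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts file (hypothetical names under example.com/.net/.org and the
# reserved .example TLD). The last entry mimics a malware hosts-file hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# Block list (hpHosts-style): one name per line, or several names on one line
127.0.0.1\tads.example.com tracker.example.net
127.0.0.1   Malware.Example.ORG   # trailing comment
0.0.0.0     cdn-ads.example.com

# A line a hijacker might add: point an update server somewhere else
198.51.100.7    update.antivirus.example
"""

# Addresses that sink a connection instead of reaching the real host.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text: str) -> Dict[str, str]:
    """Map lowercase hostname -> address. The first line naming a host wins,
    which is how the system resolver treats duplicate entries."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                      # spaces or tabs
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                               # malformed address: resolver skips it
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table

def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Exact-name match only. Hosts files have no wildcards, so an entry for
    ads.example.com says nothing about sub.ads.example.com."""
    return table.get(hostname.lower().rstrip("."))

def is_sinkholed(table: Dict[str, str], hostname: str) -> bool:
    return lookup(table, hostname) in SINK_ADDRESSES

def suspicious_redirects(table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Names mapped to a routable address are redirects, not blocks. In a file that is
    supposed to contain only a block list these deserve a look."""
    return sorted((name, addr) for name, addr in table.items()
                  if addr not in SINK_ADDRESSES and name != "localhost")

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.com", "sub.ads.example.com", "cdn-ads.example.com"):
        print(f"{name:<24} blocked={is_sinkholed(table, name)}")
    for name, addr in suspicious_redirects(table):
        print(f"redirect: {name} -> {addr}")
```

Pointing blocked names at 127.0.0.1, as the post describes, works, but the browser still attempts a connection to whatever is listening on the local machine; many current block lists use 0.0.0.0 instead so the connection fails immediately. The parser treats both as a sink.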