
SUSPECTED TROJAN!


  • This topic is locked
72 replies to this topic

#1 joy

joy

    Member

  • Members
  • 94 posts

Posted 22 August 2006 - 10:02 AM

hi!
My internet connection falls after less than 15 minutes... It doesn't last more...
I don't know if my problem depends on internet or on a virus in my pc... My real time protector says that I have a trojan in my computer, but if I do a scan on the incriminated files I can't find the virus!
In any case I post you my logfile... so you can see what's up...
Maybe you can help me... Thanks a lot!

My logfile

Logfile of HijackThis v1.99.1
Scan saved at 18.02.11, on 22/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)

#2 guestolo

guestolo

    Site Donator

  • Admin
  • 16,192 posts

Posted 25 August 2006 - 08:05 AM

Sorry for the delay. If you still need a hand, can you do the following, please?
Ensure that everything is running on startup in msconfig if you disabled any startup entries.
Just to ensure, go to START>>RUN>>type in
msconfig
Under the Services tab Enable all>>click Apply
Under the Startup tab Enable all>>click Apply
Under the General tab ensure Normal startup is selected
Apply and close
Then reboot the computer afterwards

Come back here
and post a fresh hijackthis log please

Do you want to post your own HijackThis log?
Follow the instructions posted Here

Not required, but if you would like to donate to help my fight against malware
Click Here


#3 joy

joy

    Member

  • Members
  • 94 posts

Posted 27 August 2006 - 05:22 AM

Here I am!
First of all thank you for your help!
I did what you told me... Here is my fresh logfile:

Logfile of HijackThis v1.99.1
Scan saved at 13.21.46, on 27/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)

#4 guestolo

guestolo

    Site Donator

  • Admin
  • 16,192 posts

Posted 27 August 2006 - 09:19 AM

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Save the rest of these instructions to a text file saved to the desktop
for use in safe mode without Internet connection

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

Go to START>>RUN
Copy>>Paste the next command in bold and then hit OK

sc delete "Windows Log"

Find and delete the following files, exact file names and in the correct folder
C:\WINDOWS\system\smss.exe <-this file, DON'T try and delete smss.exe in the System32 folder
C:\WINDOWS\system32\nvsvcd.exe <-this file

Let me know if both files were found and deleted later

Navigate to the following temp folders and delete the WHOLE contents of each folder, including subfolders, but don't delete the temp folder itself
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Reboot back to Normal Windows

From my signature below,
Use INTERNET EXPLORER
Run an online virus scan at Kaspersky's
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    ***Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    ***Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    ***Now click on the Save as Text button:
  • Save the file to your desktop.
* Copy and paste that information in your next post along with a fresh hijackthis log

Do you want to post your own HijackThis log?
Follow the instructions posted Here

Not required, but if you would like to donate to help my fight against malware
Click Here
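
Added example (not part of the original thread, and not guestolo's or HijackThis's own code): a small Python triage pass over a HijackThis 1.99.x log that surfaces the two things the instructions above act on, namely an O23 service with an unknown owner or a missing file, and a core Windows process name running from outside its expected folder. The sample log is constructed from lines in joy's log plus one constructed process line for the C:\WINDOWS\system\smss.exe path named above; the EXPECTED_DIR table and the function names are assumptions of this example.

```python
import ntpath
import re

# Core Windows XP process names and the only folder each should run from.
# Assumption of this example: a default C:\WINDOWS install, as in the log above.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# O23 - Service: <display name> - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: lines taken from the log posted in this thread, plus one
# constructed process line (the second smss.exe) to exercise the folder check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ewido anti-malware\ewidoctrl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
"""


def parse_log(text):
    """Split a HijackThis log into running-process paths and O23 service records."""
    processes, services = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and DRIVE_PATH_RE.match(line):
            processes.append(line)
            continue
        # A blank line or the first registry entry ends the process section.
        in_processes = False
        match = O23_RE.match(line)
        if match:
            services.append({
                "name": match.group("name"),
                "owner": match.group("owner"),
                "path": match.group("path"),
                "file_missing": match.group("missing") is not None,
            })
    return processes, services


def triage(text):
    """Return (kind, name, path) findings worth a manual look; not a verdict."""
    processes, services = parse_log(text)
    findings = []
    for path in processes:
        # ntpath handles Windows separators regardless of the host OS.
        folder, image = ntpath.split(path)
        expected = EXPECTED_DIR.get(image.lower())
        if expected is not None and folder.lower() != expected:
            findings.append(("system-name-wrong-folder", image, path))
    for svc in services:
        if svc["owner"].lower() == "unknown owner":
            findings.append(("service-unknown-owner", svc["name"], svc["path"]))
        if svc["file_missing"]:
            findings.append(("service-file-missing", svc["name"], svc["path"]))
    return findings


if __name__ == "__main__":
    for kind, name, path in triage(SAMPLE_LOG):
        print(f"{kind:26} {name:14} {path}")
```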


#5 joy

joy

    Member

  • Members
  • 94 posts

Posted 29 August 2006 - 10:51 AM

Well... First of all, I didn't find those files:
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\nvsvcd.exe

I deleted all the other stuff and the contents of subfolders too, even the subfolders themselves, except the temp folders, as you told me, right? But I didn't delete them from the bin... Maybe it sounds stupid, but you didn't tell me that and I don't do things you don't tell me to do because I'm not so fond of computers!

Here they are...Kaspersky's scan:

Tuesday, August 29, 2006 6:40:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/08/2006
Kaspersky Anti-Virus database records: 219135


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 31702
Number of viruses found 13
Number of infected objects 50 / 0
Number of suspicious objects 0
Duration of the scan process 00:34:47

Infected Object Name Virus Name Last Action
C:\Appoggio\install.exe Infected: Trojan.Win32.Pakes skipped

C:\Appoggio\setup.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\Documents and Settings\Giorgia\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Giorgia\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-504ca978-1f3bb466.zip/Counter.class Infected: Trojan.Java.Femad skipped

C:\Documents and Settings\Giorgia\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-504ca978-1f3bb466.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped

C:\Documents and Settings\Giorgia\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-504ca978-1f3bb466.zip/web.exe Infected: Trojan-Downloader.Win32.Agent.xz skipped

C:\Documents and Settings\Giorgia\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-504ca978-1f3bb466.zip/Worker.class Infected: Trojan.Java.Femad skipped

C:\Documents and Settings\Giorgia\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-504ca978-1f3bb466.zip/Xeyond.class Infected: Trojan.Java.Femad skipped

C:\Documents and Settings\Giorgia\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-504ca978-1f3bb466.zip ZIP: infected - 5 skipped

C:\Documents and Settings\Giorgia\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Giorgia\Impostazioni locali\Cronologia\History.IE5\MSHist012006082920060830\index.dat Object is locked skipped

C:\Documents and Settings\Giorgia\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Giorgia\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Giorgia\Impostazioni locali\Temp\Perflib_Perfdata_368.dat Object is locked skipped

C:\Documents and Settings\Giorgia\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Giorgia\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Giorgia\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\Giorgia\UserData\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Programmi\Alice ti aiuta\log\mpbtn.log Object is locked skipped

C:\Programmi\File comuni\System\JFh.exe Object is locked skipped

C:\Programmi\File comuni\System\jVzIK.exe Object is locked skipped

C:\Programmi\Yahoo!\Messenger\logs\billing_Giorgia.log Object is locked skipped

C:\Programmi\Yahoo!\Messenger\logs\client_Giorgia.log Object is locked skipped

C:\Programmi\Yahoo!\Messenger\logs\network_Giorgia.log Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP140\A0016422.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP142\A0016519.exe Infected: Trojan.Win32.StartPage.ahm skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP144\A0016719.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP144\A0016725.exe Infected: Trojan-Proxy.Win32.Horst.aj skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP144\A0016741.exe Infected: Trojan-Proxy.Win32.Horst.aj skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP144\A0016747.exe Infected: Trojan-Proxy.Win32.Horst.aj skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP144\A0016753.exe Infected: Trojan.Win32.Pakes skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016772.exe Infected: Trojan.Win32.Pakes skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016781.exe Infected: Trojan.Win32.Pakes skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016787.exe Infected: Trojan.Win32.Pakes skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016795.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016802.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016808.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016843.exe Infected: Trojan.Win32.Pakes skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016883.exe Infected: not-a-virus:Dialer.Win32.Agent.d skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145\A0016888.exe Infected: not-a-virus:Dialer.Win32.Agent.d skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP146\A0017016.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP147\A0017156.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017171.exe Infected: Trojan.Win32.LowZones.dm skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017172.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017177.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017244.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017248.dll Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017256.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017265.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017316.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017326.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017333.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017341.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017348.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017357.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017364.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017370.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017378.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017388.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017394.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017402.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017408.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017417.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017423.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017431.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017432.exe Infected: Backdoor.Win32.Medbot.bb skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017440.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017447.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017455.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017456.exe Infected: Backdoor.Win32.Medbot.bb skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017464.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017472.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017490.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017499.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017508.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017510.exe Infected: Backdoor.Win32.Medbot.bb skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017518.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017525.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017526.dll Infected: Trojan.Win32.Agent.vp skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017532.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017535.dll Infected: Trojan.Win32.Agent.vp skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017544.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017548.dll Infected: Trojan.Win32.Pakes skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017555.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017558.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017565.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017571.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017572.dll Infected: Trojan.Win32.Pakes skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017578.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017580.dll Infected: Trojan.Win32.Small.jf skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017589.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017590.dll Infected: Trojan.Win32.Small.jf skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017597.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017600.dll Infected: Trojan.Win32.Small.jf skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017606.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017608.dll Infected: Trojan.Win32.Agent.vp skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017609.exe Infected: Trojan.Win32.Agent.xu skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017617.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017619.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0017627.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0018628.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0018629.dll Infected: Trojan.Win32.Agent.vp skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0019626.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0019632.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0019635.dll Infected: Trojan.Win32.Agent.vp skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0020632.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0020633.dll Infected: Trojan.Win32.Agent.vp skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0020634.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0020635.exe Infected: Trojan.Win32.LowZones.dt skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0020636.exe Infected: Trojan.Win32.LowZones.dm skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0020638.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0021632.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0021633.dll Infected: Trojan.Win32.Agent.vp skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0022632.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0023631.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0024632.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0025631.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0025636.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0025644.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0025646.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0026643.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0027650.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0027651.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP148\A0027657.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0028659.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0028670.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0029659.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0030659.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0030660.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0030661.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0030669.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0031670.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0032670.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0033668.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0033680.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0033683.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0033689.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0033694.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0034691.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0034699.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0034707.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0034728.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0035730.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0036728.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0037729.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0038728.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0039730.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0040730.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0040749.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0041750.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0042750.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0042758.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0042776.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0042787.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0042806.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0043802.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\A0043806.exe Object is locked skipped

C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP149\change.log Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\system32\bikini.exe Infected: Trojan.Win32.LowZones.dt skipped

C:\WINDOWS\system32\cbaa.dll Infected: Trojan.Win32.Agent.vp skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.


and a fresh logfile:

Logfile of HijackThis v1.99.1
Scan saved at 18.50.44, on 29/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe

#6 guestolo

Posted 29 August 2006 - 10:34 PM

Can you open the Windows Control Panel
Double click to open the Java Icon
Under the General tab>>Click Delete Files
Leave all 3 selections checked then click OK
When done exit out

Download The Avenger.zip by Swandog46 to your Desktop.

* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop

Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard


files to delete:
C:\Appoggio\install.exe
C:\Appoggio\setup.exe
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\nvsvcd.exe
C:\WINDOWS\system32\bikini.exe
C:\WINDOWS\system32\cbaa.dll



Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Can you check and set the following
1. Open Microsoft Internet Explorer.
2. Click Tools > Internet Options.
3. Click the Security tab.
4. Click the Internet Icon.
5. Click Default Level.
6. Click the Local Intranet Icon.
7. Click Sites.
8. Remove any Web sites from the list that you do not recognise or do not trust.
9. Click Default Level.
10. Click the Trusted sites Icon.
11. Click on Sites.
12. Remove any Web sites from the list that you do not recognise or do not trust.
13. Click Default Level.
14. Click the Restricted sites Icon.
15. Click Default Level on lower right corner of the window.
16. Click OK on lower right corner of the window.

I see 2 files in the Kaspersky's log I do not recognize
Can you do the following for me
Navigate to each of these files below in bold
C:\Programmi\File comuni\System\JFh.exe
C:\Programmi\File comuni\System\jVzIK.exe

Right click on each and select properties
Can you give me any info on them?
Creation date or what they're related to?

Kaspersky's wasn't able to scan those 2 files
Can you possibly try and scan them at either of the following links
Go to either of these links>>either below that isn't too busy
http://www.virustota...h/index_en.html
OR
http://virusscan.jotti.org/
OR
Virus.org

Use the browse button and navigate to the file on your harddrive
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

Is your version of Ewido still capable of updating and removing malware?

Do you want to post your own HijackThis log?
Follow the instructions posted Here

Not required, but if you would like to donate to help my fight against malware
Click Here


#7 joy

Posted 30 August 2006 - 05:59 AM

Here I am...I did everything...

First of all, I didn't find this file C:\Programmi\File comuni\System\jVzIK.exe, but I found another that seemed suspicious: C:\Programmi\File comuni\System\Lip.exe (it changed name while I was checking it, so I decided to scan it too) and I scanned C:\Programmi\File comuni\System\JFh.exe.

Those are the results...
1°site you told me:

STATUS: FINISHED
Complete scanning result of "JFh.exe", received in VirusTotal at 08.30.2006, 13:38:25 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709


STATUS: FINISHED
Complete scanning result of "LIp.exe", received in VirusTotal at 08.30.2006, 13:43:43 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709


2°site you told me:

for both files it says...The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

3°site you told me:

File: JFh.exe
SHA-1 Digest: da39a3ee5e6b4b0d3255bfef95601890afd80709
Packers: Unknown
Status: Potentially Clean


Scanner Scanner Version Result Scan Time
F-PROT 4.6.5 Clean 0.422458 secs
Sophos Sweep 4.05.0 Clean 2.79786 secs



File: LIp.exe
SHA-1 Digest: da39a3ee5e6b4b0d3255bfef95601890afd80709
Packers: Unknown
Status: Potentially Clean


Scanner Scanner Version Result Scan Time
F-PROT 4.6.5 Clean 0.412286 secs
Sophos Sweep 4.05.0 Clean 2.72229 secs


that's all.
Thanks for now
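
An added example, not part of the original post or of any scanning service's code: the results above report a file size of 0 bytes and the MD5/SHA-1 digests of empty input, so each "no virus found" verdict describes an empty upload rather than the file on disk. The sketch below parses pasted result text in the two layouts quoted in the post and marks such verdicts as void; the sample text is constructed from those fields, and `example.bin` with its digest is a made-up contrast entry.

```python
"""Flag multi-scanner results that describe an empty upload, not the sample."""
import hashlib
import re

# Digests of zero bytes of input, computed here rather than hard-coded.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
}

# Constructed sample: fields as quoted in the post, plus one made-up
# non-empty entry (example.bin) for contrast.
PASTED_RESULTS = '''\
Complete scanning result of "JFh.exe", received in VirusTotal at 08.30.2006, 13:38:25 (CET).
Kaspersky n - no virus found
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

File: LIp.exe
SHA-1 Digest: da39a3ee5e6b4b0d3255bfef95601890afd80709
Status: Potentially Clean

File: example.bin
SHA-1 Digest: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Status: Potentially Clean
'''

# A record starts at either layout's file-name line.
RECORD_START = re.compile(r'scanning result of "([^"]+)"|^File:\s*(\S+)', re.I)
FIELDS = {
    "size": re.compile(r"^File size:\s*(\d+)\s*bytes", re.I),
    "md5": re.compile(r"^MD5:\s*([0-9a-f]{32})\b", re.I),
    "sha1": re.compile(r"^SHA-?1(?: Digest)?:\s*([0-9a-f]{40})\b", re.I),
}


def parse_results(text):
    """Split pasted result text into one dict per scanned file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        start = RECORD_START.search(line)
        if start:
            current = {"file": start.group(1) or start.group(2)}
            records.append(current)
            continue
        if current is None:
            continue
        for key, pattern in FIELDS.items():
            match = pattern.match(line)
            if match:
                current[key] = match.group(1).lower()
    return records


def empty_upload_evidence(record):
    """Return the reasons a record describes zero bytes of input."""
    reasons = []
    if "size" in record and int(record["size"]) == 0:
        reasons.append("size=0")
    for algo, empty in EMPTY_DIGESTS.items():
        if record.get(algo) == empty:
            reasons.append(f"{algo}=empty-input digest")
    return reasons


def triage(text):
    """Map each file name to 'void' (empty upload) or 'usable'."""
    return {
        rec["file"]: "void" if empty_upload_evidence(rec) else "usable"
        for rec in parse_results(text)
    }


if __name__ == "__main__":
    for rec in parse_results(PASTED_RESULTS):
        reasons = empty_upload_evidence(rec)
        verdict = "VOID: " + ", ".join(reasons) if reasons else "usable"
        print(f"{rec['file']}: {verdict}")
```
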

#8 guestolo

Posted 30 August 2006 - 07:21 AM

Sorry, I forgot to ask for the following

Can I see a new Hijackthis log and also the log from Avenger located here>>C:\Avenger.txt

Also, I had you install Ewido a while back, is it still able to update?
I'm only enquiring about this, because, I'm not a 100 percent positive, but I believe that the newer version of Ewido has finished translation in Italian now, although it's not posted at the website

Can you also do the following
Access your add/remove programs and remove your version of Ewido
or remove from the Start>>All programs menu
Reboot the computer afterwards

Next: Let's have you try the newest version of Ewido
==Download, install, and update Ewido anti-spyware
Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
    Don't use your computer while running the scan, let it complete
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot the computer afterwards

Back in Windows
Also post the full report from Ewido's please



#9 joy

Posted 30 August 2006 - 11:47 AM

Here they are...

Fresh logfile:

Logfile of HijackThis v1.99.1
Scan saved at 19.44.39, on 30/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe


Last Avenger logfile:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\amgkoinm

*******************

Script file located at: \??\C:\Program Files\dwubfmnj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Appoggio\install.exe deleted successfully.
File C:\Appoggio\setup.exe deleted successfully.


File C:\WINDOWS\system\smss.exe not found!
Deletion of file C:\WINDOWS\system\smss.exe failed!

Could not process line:
C:\WINDOWS\system\smss.exe
Status: 0xc0000034


And fresh Ewido scan logfile:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 19.36.10 30/08/2006

+ Scan result:



C:\WINDOWS\system32:twaa.dll -> Downloader.Small.azk : Cleaned with backup (quarantined).
C:\Documents and Settings\Giorgia\Cookies\giorgia@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\avenger\backup.zip/avenger/bikini.exe -> Trojan.LowZones.dt : Cleaned with backup (quarantined).


::Report end

Thank you!
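
An added example, not part of the thread or of The Avenger itself: it reconciles the delete script from post #6 with the Avenger log pasted above, listing which targets never appear in the log and whether the log reached its completion line. The script and log text are copied from the page; the parser covers only the line shapes shown there, and the mapping of 0xc0000034 to the NTSTATUS name STATUS_OBJECT_NAME_NOT_FOUND is supplied here.

```python
"""Reconcile an Avenger 'files to delete:' script with the resulting log."""
import re

# NTSTATUS code seen in the log on this page, with its symbolic name.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Script text as given in post #6.
SCRIPT = r'''files to delete:
C:\Appoggio\install.exe
C:\Appoggio\setup.exe
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\nvsvcd.exe
C:\WINDOWS\system32\bikini.exe
C:\WINDOWS\system32\cbaa.dll
'''

# Processing section of the log as pasted in post #9.
LOG = r'''Beginning to process script file:

File C:\Appoggio\install.exe deleted successfully.
File C:\Appoggio\setup.exe deleted successfully.


File C:\WINDOWS\system\smss.exe not found!
Deletion of file C:\WINDOWS\system\smss.exe failed!

Could not process line:
C:\WINDOWS\system\smss.exe
Status: 0xc0000034
'''

DELETED = re.compile(r"^File (.+) deleted successfully\.$")
NOT_FOUND = re.compile(r"^File (.+) not found!$")
STATUS = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")


def script_targets(script):
    """Paths listed under 'files to delete:' (the only section handled)."""
    targets, in_section = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line.lower() == "files to delete:":
            in_section = True
        elif line.endswith(":"):
            in_section = False  # a different section header
        elif in_section and line:
            targets.append(line)
    return targets


def log_outcomes(log):
    """Return ({lower-cased path: outcome}, reached_completion_line)."""
    outcomes, last_failed, complete = {}, None, False
    for raw in log.splitlines():
        line = raw.strip()
        deleted = DELETED.match(line)
        missing = NOT_FOUND.match(line)
        status = STATUS.match(line)
        if deleted:
            outcomes[deleted.group(1).lower()] = "deleted"
        elif missing:
            last_failed = missing.group(1).lower()
            outcomes[last_failed] = "not found"
        elif status and last_failed:
            # Attach the status code to the most recent failed path.
            code = int(status.group(1), 16)
            outcomes[last_failed] = NTSTATUS_NAMES.get(code, status.group(1))
        elif line == "Completed script processing.":
            complete = True
    return outcomes, complete


def reconcile(script, log):
    """Outcome per script target; targets absent from the log are flagged."""
    outcomes, complete = log_outcomes(log)
    report = {
        target: outcomes.get(target.lower(), "no log entry")
        for target in script_targets(script)
    }
    return report, complete


if __name__ == "__main__":
    report, complete = reconcile(SCRIPT, LOG)
    for path, outcome in report.items():
        print(f"{outcome:32} {path}")
    print("log reached completion line:", complete)
```
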

#10 guestolo

Posted 30 August 2006 - 07:46 PM

I'm just a bit worried, because you may not have copied ALL the info in blue
I don't see any reference to
C:\WINDOWS\system32\cbaa.dll OR C:\WINDOWS\system32\nvsvcd.exe
I need you to run Avenger again and ensure you post the Whole log from it

Can you do the following

Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard

files to delete:
C:\WINDOWS\system32\nvsvcd.exe
C:\WINDOWS\system32\cbaa.dll


Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Post the new log from Avenger, located here>>C:\Avenger.txt
Also post one last hijackthis log and let me know how things are running please

Do you still have Ad-Aware SE Personal 1.06 installed?
Do you use Spybot 1.4?



#11 joy

Posted 31 August 2006 - 01:04 AM

I did what you told me many and many times, but it always says that the two files are not found... I post you my last avenger.txt

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fqfrivhw

*******************

Script file located at: \??\C:\gwaiwuev.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\nvsvcd.exe not found!
Deletion of file C:\WINDOWS\system32\nvsvcd.exe failed!

Could not process line:
C:\WINDOWS\system32\nvsvcd.exe
Status: 0xc0000034



File C:\WINDOWS\system32\cbaa.dll not found!
Deletion of file C:\WINDOWS\system32\cbaa.dll failed!

Could not process line:
C:\WINDOWS\system32\cbaa.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Fresh new logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9.02.35, on 31/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe

Well...I have installed Ad-Aware SE Personal and Spybot Search & Destroy

#12 joy

Posted 31 August 2006 - 04:39 AM

Hi... here I am again... the file JFh.exe still remains the same, but it contains 0 bytes so I deleted it... I don't know if it's wrong or right, but F-Prot Antivirus said it was infected, and the other infected file I told you about (the one which constantly changes name... today it is vTR.exe) can't be deleted... so says killer box!

I don't know if my Ad-Aware and Spybot are the versions you told me, but, in any case, I will download the new versions!

thanks

#13 guestolo

Posted 31 August 2006 - 07:18 AM

Can I see a couple logs please

Please download About:Buster from here:
http://www.malwareby...AboutBuster.zip
Unzip it to the desktop
Double click on About:Buster and click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

Reboot afterwards
Download and save to desktop
F-Secure Blacklight(blbeta.exe)

Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log". Please post that log along with the log from aboutbuster



#14 joy

Posted 31 August 2006 - 11:01 AM

Here is the AB logfile after two scans:

AboutBuster 6.05
Scan started on [31/08/2006] at [18.34.12]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 18.35.44


AboutBuster 6.05
Scan started on [31/08/2006] at [18.37.11]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 18.38.37


Unfortunately, after a double click on blbeta.exe, a box appears with this inscription:

F-Secure Blacklight could not acquire necessary privileges
(SeDebugPrivilege)

-Your computer settings may prevent acquiring these privileges
-A malicious program might have disabled these privileges

....I don't know what's up...

#15 guestolo

Posted 31 August 2006 - 06:06 PM

Can you try the following please, let's see if this will help

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Back in Windows

Post the log from Vundofix located here>>C:\Vundofix.txt

Also try and run Blacklight again and post the log

If you still can't get blacklight to run
Try the following
Download SeDebug-Restore.exe
Double click to run the tool
Allow to reboot the computer or reboot

Try Blacklight again



#16 joy

Posted 01 September 2006 - 04:56 AM

I downloaded Vundofix, but it doesn't ask me "Run VundoFix as a task" and I didn't see any message about re-opening or stuff like that... Vundofix simply opens a box with two buttons, "scan for Vundo" and "remove Vundo"... Anyway I scanned and I post you the logfile:

VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 11.45.39 01/09/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

And so it stopped...Nothing more!
I tried to run blbeta.exe, but it didn't start, then I ran SeDebug Restore.exe, I rebooted the PC, I re-ran blbeta, but it told me the same things it told me yesterday!
Oh... Real Time Protector, each time I reboot my PC, tells me about a Trojan in C:\Programmi\File Comuni\System...and an exe file that always changes name, as I told you...
That's all
Thanks for now

#17 guestolo

Posted 01 September 2006 - 07:18 AM

Let's try some different tools
I've uploaded a file
From the bottom of this reply box, can you download and save then unzip to its own folder
NTRights.zip
Open the folder and
Double click on the Debug.bat file to run it, follow any prompts it asks.
REBOOT
Doubleclick the Debug.bat again after reboot.
It will create a log.
If the log says:
"Granting SeDebugPrivilege to Administrators ... successful"
You should be ok

After the following
I would temporarily disable F-Secure's realtime protection
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
NEXT:
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

I need to see the following
1. The report you saved earlier with Dr.Web
2. The log from Combofix
3. Try and run Blacklight one more time and post the log if you can get it to run

Is your user profile on XP set as Administrator?



#18 joy

Posted 02 September 2006 - 06:18 AM

Hi...
Here is the DrWeb logfile:

MCCWrapper.dll;C:\Programmi\Common Files\Motive;Probably DLOADER.Trojan;Incurable.Moved.;
A0016725.exe;C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP144;Probably BINARYRES;Incurable.Moved.;
A0016795.exe;C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145;Probably BINARYRES;Incurable.Moved.;
A0016802.exe;C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145;Probably BINARYRES;Incurable.Moved.;
A0016808.exe;C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}\RP145;Probably BINARYRES;Incurable.Moved.;

...and Combofix logfile:

Giorgia - 06-09-02 13.32.55,49
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Giorgia\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-02 to 2006-09-02 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-02 13:16 -------- d-------- C:\Programmi\ewido anti-spyware 4.0
2006-09-01 12:40 -------- d-------- C:\Programmi\CleanUp!
2006-08-30 19:39 -------- d-------- C:\Programmi\ewido anti-malware
2006-08-14 12:57 -------- d-------- C:\Programmi\SpywareBlaster


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"F-StopW"="C:\\Programmi\\FSI\\F-Prot\\F-StopW.EXE"
"FRISK FP-Scheduler"="C:\\Programmi\\FSI\\F-Prot\\F-Sched.exe"
"EPSON Stylus C62 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"MsgCenterExe"="\"C:\\Programmi\\File comuni\\Real\\Update_OB\\RealOneMessageCenter.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Programmi\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"E-nrgyPlus"="C:\\Programmi\\E-nrgyPlus\\E-nrgyPlus.exe"
"QuickTime Task"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Programmi\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"
"PcSync"="C:\\Programmi\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"Yahoo! Pager"="\"C:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.htmb.it/m...ags/russia.gif"
"SubscribedURL"="http://www.htmb.it/m...ags/russia.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,14,03,00,00,1d,01,00,00,71,00,00,00,2d,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,41,02,09,48,e7,77,88,32,e6,77,ff,ff,ff,ff,de,60,\
e5,77,c0,89,21,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis entries set to ignore ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe
O4 - HKLM\..\Run: [EnergyPlugIn] C:\Program Files\EnergyPlugIn\EnergyPlugIn.exe
O4 - HKLM\..\Run: [EnergyPlugIn] C:\Programmi\EnergyPlugIn\EnergyPlugIn.exe
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Programmi\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKLM\..\Run: [SHA256] C:\Programmi\SHA256\secure.exe
O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exe
O4 - HKLM\..\Run: [WIZZ] C:\Programmi\WIZZ\dazzler.exe
O15 - Trusted Zone: *.energy-factor.com
O15 - Trusted Zone: *.hardcorefantasyland.com
O15 - Trusted Zone: *.hardfootballbabes.com
O1 - Hosts: 200.73.174.154 deposito.hostance.net

Completion time: 02/09/2006 13:35:57.73
ComboFix.txt


I don't know if my profile is set as Administrator... I know that each time I start my PC I click on an icon called with my name.
Furthermore, when I rebooted my computer in safe mode (to work on it as you told me) it let me choose between ME (my name) and Administrator, so I think that in the normal way I use the PC it is not set on Administrator... But don't trust me, I'm not fond of technology... :)
Thanks

Oh... sorry... I forgot to tell you that Blacklight still doesn't work!
Thanks
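
Comparing the Run values in the ComboFix registry dump above with the O4 lines HijackThis reported shows one autostart (E-nrgyPlus) that HijackThis never listed, because it sits on HijackThis's ignore list. The comparison as an added Python example, not part of the original thread or of either tool; the function names are hypothetical and the inputs are trimmed excerpts of the logs posted in this thread.

```python
import re

# Trimmed excerpts of the logs posted in this thread (not the full logs).
COMBOFIX_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SunJavaUpdateSched"="C:\\Programmi\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"E-nrgyPlus"="C:\\Programmi\\E-nrgyPlus\\E-nrgyPlus.exe"
"QuickTime Task"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"
'''

HIJACKTHIS_LOG = r'''
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
'''

# From ComboFix's "Hijackthis entries set to ignore" section.
HIJACKTHIS_IGNORED = r'''
O4 - HKLM\..\Run: [EnergyPlugIn] C:\Programmi\EnergyPlugIn\EnergyPlugIn.exe
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Programmi\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [WIZZ] C:\Programmi\WIZZ\dazzler.exe
'''

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
RUN_SUBKEY = r'software\microsoft\windows\currentversion\run'
SECTION = re.compile(r'^\[([^\\\]]+)\\(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')


def unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', text)


def registry_run_values(reg_text):
    """Return (hive, name, command) for string values under ...\\CurrentVersion\\Run."""
    entries, hive = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            root, subkey = section.groups()
            # Only the Run key itself, not subkeys such as Run\OptionalComponents.
            hive = HIVES.get(root) if subkey.lower() == RUN_SUBKEY else None
            continue
        value = VALUE.match(line)
        if value and hive:
            entries.append((hive, unescape(value.group(1)), unescape(value.group(2))))
    return entries


def hijackthis_run_lines(log_text):
    """Return a set of normalized (hive, name, command) keys from O4 Run lines."""
    found = set()
    for line in log_text.splitlines():
        match = O4_RUN.match(line.strip())
        if match:
            hive, name, command = match.groups()
            found.add((hive, name.lower(), command.strip().lower()))
    return found


def hidden_run_entries(reg_text, log_text, ignored_text=""):
    """Run values present in the registry but absent from the HijackThis log.

    Each result is (hive, name, command, on_ignore_list).
    """
    shown = hijackthis_run_lines(log_text)
    ignored = hijackthis_run_lines(ignored_text)
    hidden = []
    for hive, name, command in registry_run_values(reg_text):
        key = (hive, name.lower(), command.lower())
        if key not in shown:
            hidden.append((hive, name, command, key in ignored))
    return hidden


if __name__ == "__main__":
    for hive, name, command, on_list in hidden_run_entries(
            COMBOFIX_REG, HIJACKTHIS_LOG, HIJACKTHIS_IGNORED):
        reason = "on HijackThis ignore list" if on_list else "reason unknown"
        print(f"{hive} Run [{name}] {command} -> not in HijackThis log ({reason})")
```
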

#19 guestolo

Posted 02 September 2006 - 10:26 AM

Can you do the following, then I want to try one more set of fixes
I would like to see a couple logs from Hijackthis
Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

Also, close then reopen Hijackthis>>Open MISC TOOLS SECTION>>Open HOSTS FILE MANAGER
Click the OPEN IN NOTEPAD button
A text file will open, copy>>Paste back here the whole contents please

One last log
Create a .bat file for me
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as export.bat

Save this file on the desktop

regedit /e Export.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis"
Double click on export.bat, a text file will open, copy>>paste back here the contents please



#20 joy

Posted 02 September 2006 - 10:59 AM

Uninstall list from Hijack:

Access Gateway USB
Ad-Aware SE Personal
Adobe Download Manager 1.2 (solo rimozione)
Adobe Photoshop 7.0
Adobe Reader 7.0.8 - Italiano
Aggiornamento rapido di DirectX 9 - KB839643
Aggiornamento rapido di Windows Media Player [Per ulteriori informazioni vedere KB837272]
Aggiornamento rapido di Windows Media Player [Per ulteriori informazioni vedere Q828026]
Aggiornamento rapido di Windows XP (SP2) Q322011
Aggiornamento rapido di Windows XP (SP2) Q327979
Aggiornamento rapido di Windows XP (SP2) Q814995
Aggiornamento rapido di Windows XP (SP2) Q819696
Aggiornamento rapido per Windows XP - KB823182
Aggiornamento rapido per Windows XP - KB824105
Aggiornamento rapido per Windows XP - KB824141
Aggiornamento rapido per Windows XP - KB825119
Aggiornamento rapido per Windows XP - KB826939
Aggiornamento rapido per Windows XP - KB826942
Aggiornamento rapido per Windows XP - KB828035
Aggiornamento rapido per Windows XP - KB828741
Aggiornamento rapido per Windows XP - KB833998
Aggiornamento rapido per Windows XP - KB835732
Aggiornamento rapido per Windows XP - KB837001
Aggiornamento rapido per Windows XP - KB839643
Aggiornamento rapido per Windows XP - KB840374
Aggiornamento rapido Windows XP - KB820291
Aggiornamento rapido Windows XP - KB821253
Aggiornamento rapido Windows XP - KB822603
Alice ti aiuta
CleanUp!
C-Media WDM Audio Driver
Collins COBUILD on CD-ROM
EPSON PhotoQuicker3.2
Estensione HighMAT per Masterizzazione guidata CD di Microsoft Windows XP
F-Prot for Windows
Google Toolbar for Internet Explorer
haka2 Screen Saver
HijackThis 1.99.1
Installazione Guidata Alice ADSL
Installazione Guidata di Alice
Internet Explorer Q832894
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
LimeWire 4.10.3
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Italian Language Pack
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Disco 2
Microsoft Office 2000 SR-1 Premium
Microsoft PhotoDraw 2000 versione 2
Microsoft Windows Journal Viewer
MSN Toolbar
My Search Bar
Nokia Connectivity Cable Driver
Nokia PC Suite
Outlook Express Q837009
Pacchetto funzionalitą di rete avanzate per Windows XP
Panda ActiveScan
Software per stampante EPSON
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Sygate Personal Firewall Pro
Windows Media Format Runtime
Windows Media Player 10
WinZip
Yahoo! Messenger

Hosts list from Hijack:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
127.0.0.1 WWW.GLOBAL-ACCESS.COM
127.0.0.1 WWW.GLOBAL-NETCOM.DE
127.0.0.1 WWW.GLOBALPHON.COM
127.0.0.1 WWW.GNURA.COM
127.0.0.1 WWW.GO4UP.COM
127.0.0.1 WWW.GOINDIRECT.COM
127.0.0.1 WWW.GOINDIRECT.NU
127.0.0.1 WWW.GREATPLUGIN.COM
127.0.0.1 WWW.GXPLUGIN.COM
127.0.0.1 WWW.HIGHDIALER.COM
127.0.0.1 WWW.HIP-POP-GIRLS.COM
127.0.0.1 WWW.HOLISTYC.COM
127.0.0.1 WWW.HOTACTIONDATING.COM
127.0.0.1 WWW.HUMORCASH.NL
127.0.0.1 WWW.ICS900.COM
127.0.0.1 WWW.INFODIALER.BIZ
127.0.0.1 WWW.INFODIALER3000.COM
127.0.0.1 WWW.INTERCHECK.CO.UK
127.0.0.1 WWW.IP-TOOL.COM
127.0.0.1 WWW.ISPDIALER.COM
127.0.0.1 WWW.LIBERECO.NET
127.0.0.1 WWW.LINKAUTOMATICI.COM
127.0.0.1 WWW.LIVECAMS.NL
127.0.0.1 WWW.LOGHISUONERIEWEB.COM
127.0.0.1 WWW.LOGOPLUGIN.COM
127.0.0.1 WWW.MAILSKINNER.COM
127.0.0.1 WWW.MAINPEAN.DE
127.0.0.1 WWW.MANGA-EROTICO.COM
127.0.0.1 WWW.MASTER69.BIZ
127.0.0.1 WWW.MASTER70.BIZ
127.0.0.1 WWW.MASTER71.BIZ
127.0.0.1 WWW.MASTERDIALER.DE
127.0.0.1 WWW.MEMBERSPLAYGROUND.COM
127.0.0.1 WWW.MEMBERSPLUGIN.COM
127.0.0.1 WWW.MILDESCARGAS.COM
127.0.0.1 WWW.MOVIE-BROWSER.COM
127.0.0.1 WWW.MOVIENETWORKS.COM
127.0.0.1 WWW.MY-TEENSEX.COM
127.0.0.1 WWW.NETCOM.NET.UK
127.0.0.1 WWW.NETPOND.COM
127.0.0.1 WWW.NETVENDA.COM
127.0.0.1 WWW.NOCREDITCARD.NET
127.0.0.1 WWW.NOCREDITCARDGAY.COM
127.0.0.1 WWW.ONE2ONE.COM
127.0.0.1 WWW.ONLYBIGMOVIES.COM
127.0.0.1 WWW.PARISVOYEUR.COM
127.0.0.1 WWW.PAZZACHAT.COM
127.0.0.1 WWW.PCBELLO.COM
127.0.0.1 WWW.PLUGINACCESS.COM
127.0.0.1 WWW.PLUGINS.COM
127.0.0.1 WWW.PML.MEDIACHARGER.COM
127.0.0.1 WWW.POWERDIALLER.COM
127.0.0.1 WWW.PRIVATEPORNCOLLECTION.COM
127.0.0.1 WWW.PUSSYHAREM.COM
127.0.0.1 WWW.QUICKPLUGIN.COM
127.0.0.1 WWW.RAPID-PASS.NET
127.0.0.1 WWW.REALAREA.BIZ
127.0.0.1 WWW.REDFUNNY.COM
127.0.0.1 WWW.RICERCHEFACILI.COM
127.0.0.1 WWW.SCMG.NET
127.0.0.1 WWW.SESSO-IT.COM
127.0.0.1 WWW.SEX-EXPLORER.COM
127.0.0.1 WWW.SEXFILES.NU
127.0.0.1 WWW.SEXOP.TV
127.0.0.1 WWW.SEXVIDEOPRO.COM
127.0.0.1 WWW.SEXYPLUGIN.COM
127.0.0.1 WWW.SFONDISSIMI.NET
127.0.0.1 WWW.SFONDITALIA.BIZ
127.0.0.1 WWW.SGRUNT.BIZ
127.0.0.1 WWW.SHAREDSOURCE.ORG
127.0.0.1 WWW.SIGNOREMATURE.COM
127.0.0.1 WWW.SKYMASTERS.BIZ
127.0.0.1 WWW.SLOTCH.COM
127.0.0.1 WWW.SMOOTHCONTENT.COM
127.0.0.1 WWW.SPACASH.COM
127.0.0.1 WWW.SPONSORADULTO.COM
127.0.0.1 WWW.SPYNET.COM
127.0.0.1 WWW.STARDIALER.DE
127.0.0.1 WWW.STATSBANK.COM
127.0.0.1 WWW.STRIP-PLAYER.COM
127.0.0.1 WWW.SURFYA.COM
127.0.0.1 WWW.SWIMSUITNETWORK.COM
127.0.0.1 WWW.THEBESTPLUGIN.COM
127.0.0.1 WWW.THE-BEST-PROMOS.COM
127.0.0.1 WWW.THEPAYMENTCENTRE.COM
127.0.0.1 WWW.TIBSYSTEMS.COM
127.0.0.1 WWW.TRAFFICADVANCE.NET
127.0.0.1 WWW.VANITOSA.COM
127.0.0.1 WWW.VERIGAY.COM
127.0.0.1 WWW.VIDEOCHAT46.COM
127.0.0.1 WWW.VIDEOCHATGIRLS.NET
127.0.0.1 WWW.VIZIT.US
127.0.0.1 WWW.WAZZUPNET.COM
127.0.0.1 WWW.WBDIALER.BIZ
127.0.0.1 WWW.WORLDXCHANGE.COM
127.0.0.1 WWW.WSWTELECOMS.COM
127.0.0.1 WWW.XBETA69.COM
127.0.0.1 WWW.YEAK.NET
127.0.0.1 WWW.ZIPZAPPROMOS.COM
127.0.0.1 WWW9.ADVNT01.COM
127.0.0.1 X0.NL
127.0.0.1 XBETA69.COM
127.0.0.1 XENIUM.TINTEL.NL
127.0.0.1 XXX.SEX-EXPLORER.COM
127.0.0.1 XXXTOOLBAR.COM
127.0.0.1 YEAK.NET
127.0.0.1 YSBWEB.COM

And:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

And export text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis]
"WinHeight"="8000"
"WinWidth"="9780"
"IgnoreNum"="13"
"AutoSelect"="0"
"Confirm"="1"
"MakeBackup"="1"
"IgnoreSafe"="1"
"LogProcesses"="1"
"ShowIntroFrame"="1"
"DefStartPage"="about:blank"
"DefSearchPage"="http://www.microsoft...ie&ar=iesearch"
"DefSearchAss"="http://ie.search.msn...t/srchasst.htm"
"DefSearchCust"="http://ie.search.msn...t/srchcust.htm"
"Ignore1"="O4 - HKLM\\..\\Run: [DSB] C:\\Program Files\\DSB\\DSB.exe"
"Ignore2"="O4 - HKLM\\..\\Run: [EnergyPlugIn] C:\\Program Files\\EnergyPlugIn\\EnergyPlugIn.exe"
"Ignore3"="O4 - HKLM\\..\\Run: [EnergyPlugIn] C:\\Programmi\\EnergyPlugIn\\EnergyPlugIn.exe"
"Ignore4"="O4 - HKLM\\..\\Run: [E-nrgyPlus] C:\\Program Files\\E-nrgyPlus\\E-nrgyPlus.exe"
"Ignore5"="O4 - HKLM\\..\\Run: [E-nrgyPlus] C:\\Programmi\\E-nrgyPlus\\E-nrgyPlus.exe"
"Ignore6"="O4 - HKLM\\..\\Run: [SHA256] C:\\Program Files\\SHA256\\secure.exe"
"Ignore7"="O4 - HKLM\\..\\Run: [SHA256] C:\\Programmi\\SHA256\\secure.exe"
"Ignore8"="O4 - HKLM\\..\\Run: [WIZZ] C:\\Program Files\\WIZZ\\dazzler.exe"
"Ignore9"="O4 - HKLM\\..\\Run: [WIZZ] C:\\Programmi\\WIZZ\\dazzler.exe"
"Ignore10"="O15 - Trusted Zone: *.energy-factor.com"
"Ignore11"="O15 - Trusted Zone: *.hardcorefantasyland.com"
"Ignore12"="O15 - Trusted Zone: *.hardfootballbabes.com"
"Ignore13"="O1 - Hosts: 200.73.174.154 deposito.hostance.net"

Oh...I have a question for you...why does almost every single folder in my computer have a file in it called "Desktop.ini" that wasn't there before all this mess? (My PC has been running slow for a month...always after my brother uses it!!!)
Thanks for now...



