TheTechGuide Forum
General Category => Tech Clinic => Topic started by: joy on January 26, 2006, 04:18:51 AM
-
I found on my Desktop and in my Documents a link to explorer that takes me to a porn page, or other pages that I don't know (advertisement, dialer...), so I did the HijackThis scan and cancelled them, but every time I shut down the computer and then turn it on... all these pages appear again everywhere. They also took the place of my personal MSN main page!
Please help me... Thanks
Now I send you my HijackThis logfile....
Logfile of HijackThis v1.99.1
Scan saved at 10.15.04, on 26/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\winoxhp.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\dosw.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?4878
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: TChkBHO Class - {93ADDE69-80FD-4EF8-83EC-EB354830CEF7} - C:\WINDOWS\system32\qotiu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [WinDSNX] C:\WINDOWS\System32\winoxhp.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows DOS] C:\WINDOWS\System32\dosw.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: KVG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email (http://\"http://by15fd.bay15.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130251960698
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
-
Can you do the following please
=Download and Install
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet
==Download Killbox
From one of these locations
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe
and save it to your desktop or folder
If you don't have Ad-Aware SE personal 1.06
==Download and Install Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
==Download and then Install
Ewido anti-malware 3.5 (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
Please save these below instructions to a Notepad file and save it to your Desktop for reference
This is important, some instructions must have you copy and paste entries from a text file
Go to start>>run>>type in notepad
Hit OK to open a blank notepad file
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
Open Killbox.exe
Leave "Standard Kill file" selected
In the "Full path of File to Delete" copy and paste the full entry below in bold
C:\WINDOWS\System32\winoxhp.exe
Then click the Red Circle with the White X
Allow to make a backup and delete the file
Don't worry about no file found messages
Carry on with the same instructions in killbox with the rest of these
C:\WINDOWS\System32\dosw.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KVG.exe
C:\WINDOWS\system32\qotiu.dll
additionally, for the last entry, can you also select "Unregister .dll before deleting" please
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
Do a "System scan only" with Hijackthis and put a check next to these entries: (if found)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?4878
O2 - BHO: TChkBHO Class - {93ADDE69-80FD-4EF8-83EC-EB354830CEF7} - C:\WINDOWS\system32\qotiu.dll
O4 - HKLM\..\Run: [WinDSNX] C:\WINDOWS\System32\winoxhp.exe
O4 - HKLM\..\Run: [Windows DOS] C:\WINDOWS\System32\dosw.exe
O4 - Global Startup: KVG.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode
Back in Windows
Can I see the following
1. Run Hijackthis again and post a fresh log
2. Post the report you saved earlier with Ewido
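The fix list above comes from reading the log entry by entry. As an added example (not part of the thread, and not HijackThis code), the Python script below applies the same checks mechanically to an excerpt of the poster's first log: sites added to the IE Trusted Zone, a Start Page that is not a real URL or points at one of those sites, Startup-folder items with no shortcut target, and a watchlist of the files the helper named. The excerpt, the watchlist and the rule wording are constructed for the example.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread: not HijackThis code and not the forum's own
tooling.  The rules mirror what the helper fixed in the thread; the watchlist
and the log excerpt below are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed watchlist: the file names the helper told the poster to delete.
WATCHLIST = {"winoxhp.exe", "dosw.exe", "qotiu.dll", "kvg.exe"}

# R0/R1 registry values that decide where Internet Explorer navigates by default.
NAV_KEYS = ("Start Page", "Search Page", "Search Bar",
            "Default_Page_URL", "Default_Search_URL")

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.*)$")
FILE_RE = re.compile(r"([\w~.-]+\.(?:exe|dll|sys|ocx))\b", re.IGNORECASE)

# Constructed excerpt of the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?4878
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TChkBHO Class - {93ADDE69-80FD-4EF8-83EC-EB354830CEF7} - C:\WINDOWS\system32\qotiu.dll
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [WinDSNX] C:\WINDOWS\System32\winoxhp.exe
O4 - HKLM\..\Run: [Windows DOS] C:\WINDOWS\System32\dosw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: KVG.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130251960698
"""


def parse_log(text):
    """Return (code, detail, raw_line) for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("detail"), raw.strip()))
    return entries


def _host(value):
    """Host name of a start/search page value, or None if it is not a URL."""
    if "://" not in value:
        return None
    return (urlsplit(value).hostname or "").lower() or None


def triage(text):
    """Return [(raw_line, reason)] for the entries that deserve a closer look."""
    entries = parse_log(text)
    # Sites the log itself shows in the Trusted Zone; a start page pointing
    # there is a strong sign that both entries were planted together.
    trusted = {d.split(":", 1)[1].strip().lower()
               for c, d, _ in entries if c == "O15" and d.startswith("Trusted Zone:")}
    findings = []
    for code, detail, raw in entries:
        reason = None
        if code == "O15":
            reason = "site added to the IE Trusted Zone (weaker browser security for it)"
        elif code in ("R0", "R1") and "=" in detail:
            key, value = (s.strip() for s in detail.split("=", 1))
            if key.endswith(NAV_KEYS):
                host = _host(value)
                if host is None:
                    reason = "start/search page is not a proper http(s) URL"
                elif host in trusted:
                    reason = "start/search page points at a Trusted Zone site"
        elif code == "O4" and detail.split(":", 1)[0] in ("Global Startup", "Startup"):
            if " = " not in detail:   # shortcuts show as 'name.lnk = target'
                reason = "Startup-folder item is a bare file, not a .lnk shortcut"
        if reason is None:
            hit = {n.lower() for n in FILE_RE.findall(detail)} & WATCHLIST
            if hit:
                reason = "references known-bad file " + ", ".join(sorted(hit))
        if reason:
            findings.append((raw, reason))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```

Run against a full log, the output is the same set of eight entries the helper asked the poster to tick in HijackThis.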
-
these are my new fresh logs from Hijack and Ewido
Logfile of HijackThis v1.99.1
Scan saved at 11.45.58, on 27/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email (http://\"http://by15fd.bay15.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130251960698
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
ewido anti-malware - Rapporto Scansione
---------------------------------------------------------
+ Creato il: 11.22.05, 27/01/2006
+ Report-Checksum: ECE4637C
+ Risultati scansione:
HKLM\SOFTWARE\Classes\CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC} -> Spyware.MyWay : Pulito con Backup
HKLM\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Pulito con Backup
HKLM\SOFTWARE\Classes\Interface\{491BE5B7-A7F8-40EC-AAD4-CBA11FDFD814} -> Dialer.Generic : Pulito con Backup
HKLM\SOFTWARE\Classes\Interface\{9603A736-05B9-4D78-BDD5-BDCB0914E522} -> Spyware.WurldMedia : Pulito con Backup
HKLM\SOFTWARE\Classes\Interface\{BC12B055-C9F5-407D-9B66-1851973F32AF} -> Spyware.WurldMedia : Pulito con Backup
HKLM\SOFTWARE\Classes\TypeLib\{29358AA6-679D-44EA-8A51-59A3C6E6F811} -> Dialer.Generic : Pulito con Backup
HKLM\SOFTWARE\Classes\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095} -> Spyware.BetterInternet : Pulito con Backup
HKLM\SOFTWARE\FENX -> Dialer.Generic : Pulito con Backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Pulito con Backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Pulito con Backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Pulito con Backup
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Pulito con Backup
HKU\S-1-5-21-861567501-920026266-854245398-1003\Software\Need2Find -> Spyware.Need2Find : Pulito con Backup
HKU\S-1-5-21-861567501-920026266-854245398-1003\Software\Need2Find\bar -> Spyware.Need2Find : Pulito con Backup
C:\!KillBox\dosw.exe -> Worm.Delf.w : Pulito con Backup
C:\!KillBox\qotiu.dll -> Spyware.WurldMedia : Pulito con Backup
C:\Appoggio\a.exe -> Backdoor.SdBot.xm : Pulito con Backup
C:\Appoggio\arun.exe -> Trojan.Zapchast : Pulito con Backup
C:\Appoggio\atapidrv.exe -> Backdoor.Agobot : Pulito con Backup
C:\Appoggio\gandj.exe -> Backdoor.Agobot.nq : Pulito con Backup
C:\Appoggio\he3.exe -> Backdoor.SdBot.xm : Pulito con Backup
C:\Appoggio\hmlsvc32.exe -> Backdoor.Agobot.adg : Pulito con Backup
C:\Appoggio\install.exe -> Backdoor.IRCBot.lp : Pulito con Backup
C:\Appoggio\ip.exe -> Backdoor.SdBot.xm : Pulito con Backup
C:\Appoggio\mssfox32.exe -> Backdoor.Agobot.nq : Pulito con Backup
C:\Appoggio\mssqlXP16.exe -> Backdoor.Agobot.nq : Pulito con Backup
C:\Appoggio\Setup.exe -> Worm.Delf.w : Pulito con Backup
C:\Appoggio\stone.exe -> Backdoor.SdBot.xm : Pulito con Backup
C:\Appoggio\Sys33.exe -> Backdoor.SdBot.xm : Pulito con Backup
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\KVG.exe -> Dialer.Generic : Pulito con Backup
C:\Programmi\Need2Find -> Spyware.Need2Find : Pulito con Backup
C:\Programmi\Need2Find\bar -> Spyware.Need2Find : Pulito con Backup
C:\Programmi\Need2Find\bar\History -> Spyware.Need2Find : Pulito con Backup
C:\Programmi\Need2Find\bar\History\search -> Spyware.Need2Find : Pulito con Backup
C:\Programmi\Need2Find\bar\Settings -> Spyware.Need2Find : Pulito con Backup
C:\WINDOWS\sasent.dll -> Dialer.Generic : Pulito con Backup
C:\WINDOWS\system32\zero.exe -> Backdoor.SdBot.xm : Pulito con Backup
::Fine Rapporto
-
Sorry for the delay. It's important that you keep me up to date on how everything is going.
So How is everything going?
-
Everything is working well.... Thank you so much...
Sorry from me too for the delay, but usually I'm not connected when you answer!
Sorry... and sorry for my English (I'm Italian)
-
We just have some final cleanup to do
Can you let me know what this means please, sorry, my Italian is not that good
C:\Appoggio
-
Appoggio means Support
-
Thanks for letting me know about "support"
A few bad files like to mess with the Hosts file
==Download Hoster.zip (http://www.funkytoad.com/download/hoster.zip) and save it to your Desktop.
UNZIP the contents to your desktop or folder
Locate the Hoster folder, open it and double click on Hoster.exe
Click on Restore Original Hosts
In the confirmation window, click on OK.
Although you have F-Prot installed, can we get a second opinion please
Use Internet Explorer and Run the online Panda ActiveScan (http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan.htm&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest)
* Once you are on the Panda site click the Scan your PC button.
* A new window will open...click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either "Home User or Company."
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on Local Disks to start the scan.
When the scan is complete
click See Report, then click Save Report and save it to your Desktop.
Can you post this whole report please
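Hoster's "Restore Original Hosts" button simply rewrites the file. As an added example (not Hoster's code and not from the thread), the Python script below audits a HOSTS file first, so you can see which names were redirected to another address or blocked before you restore it; the sample file content and the list of protected hosts are constructed for the example.

```python
"""Audit of a Windows HOSTS file for hijack-style entries.

Added example for this thread: not Hoster's code and not the forum's own
tooling.  The sample content and the list of protected hosts are constructed.
"""
import ipaddress

DEFAULT_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Constructed, not exhaustive: names a hijacked HOSTS file typically blocks
# so the victim cannot reach Windows Update or the anti-virus vendor.
PROTECTED = {"windowsupdate.microsoft.com", "update.microsoft.com",
             "www.f-prot.com", "www.pandasoftware.com", "www.ewido.net"}

# Constructed sample: the stock XP entry plus four tampered lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.f-prot.com          # AV vendor site blocked
192.0.2.10      www.msn.it              # portal redirected elsewhere
192.0.2.10      www.google.com www.msn.com
127.0.0.1       ads.example.net         # ad-block style entry
"""


def parse_hosts(text):
    """Yield (line_no, address_text, [names]) for each non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            parts = line.split()
            yield no, parts[0], parts[1:]


def audit_hosts(text):
    """Return [(line_no, address, name, severity, reason)] for suspect entries."""
    findings = []
    for no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((no, addr_text, " ".join(names), "high", "malformed address"))
            continue
        # 127.x / ::1 / 0.0.0.0 make a name unreachable; anything else redirects it.
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in names:
            lname = name.lower()
            if sinkholed and lname in LOCAL_NAMES:
                continue                       # the stock Windows entry
            if lname in PROTECTED:
                findings.append((no, addr_text, name, "high", "security/update site hijacked"))
            elif not sinkholed:
                findings.append((no, addr_text, name, "high", "name redirected to a remote address"))
            else:
                findings.append((no, addr_text, name, "info", "name blocked (ad-block lists do this too)"))
    return findings


def audit_file(path=DEFAULT_PATH):
    """Run the audit on a real HOSTS file (or any copy of one, e.g. hosts.msn)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for no, addr, name, sev, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: [{sev}] {addr} {name}: {why}")
```

A stock Windows XP HOSTS file produces no findings at all, so any "high" line is something to look at before restoring.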
-
This is my Panda ActiveScan report
Incident Status Location
Dialer:dialer.cos Not disinfected C:\Documents and Settings\Giorgia\Menu Avvio\exsplorer.lnk
Virus:Eicar.Mod Not disinfected C:\Programmi\FSI\F-Prot\fpav-help.chm[prob-scan-ok.html]
Possible Virus. Not disinfected C:\Programmi\FSI\F-Prot\fpcmd.exe
Virus:Eicar.Mod Not disinfected C:\Programmi\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[prob-scan-ok.html]
Possible Virus. Not disinfected C:\Programmi\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[fpcmd.exe]
Dialer:Dialer.ANF Not disinfected C:\Programmi\Telecom Italia\ADSLWizzy\Driver\ArescomND220\data1.cab[adiras.exe]
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\farmmext.inf
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\mstasks1.exe
Adware:adware/transponder Not disinfected C:\WINDOWS\Pynix.dll
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Dialer:dialer.bb Not disinfected C:\WINDOWS\system32\dktibs.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.msn
Adware:Adware/ShoppingCommunity Not disinfected C:\WINDOWS\system32\moconfig.exe
Adware:Adware/WurldMedia Not disinfected C:\WINDOWS\system32\s4Setp.exe
Sorry.... there's another little problem... I lost my PowerPoint Viewer... I can't find it, I can't read pps files... I don't know why, but this program has disappeared from my Microsoft Office package....
Thank you!
-
Can you do the following please
Find these files and send them all to the recycle bin
The exact spelling of the files is important
C:\Documents and Settings\Giorgia\Menu Avvio\exsplorer.lnk <-this file
C:\WINDOWS\inf\farmmext.inf <-this file
C:\WINDOWS\mstasks1.exe <-this file
C:\WINDOWS\Pynix.dll <-file
C:\WINDOWS\smdat32a.sys <-file
C:\WINDOWS\system32\dktibs.exe <-file
C:\WINDOWS\system32\moconfig.exe <-file
C:\WINDOWS\system32\s4Setp.exe <-file
Let me know if you were able to remove all those files please
PowerPoint:
Is it just the shortcut missing?
If it is, if you have Office installed to the default location
Navigate to this folder or similar
C:\Programmi\Microsoft Office\Office10
Open the folder and look for the PowerPnt executable
Right click on it and Send a shortcut to the desktop
OR, maybe the association got messed up
Navigate to a PP file
Right click on the file and select OPEN WITH
Choose PowerPnt from the selections
I'm not sure if PowerPoint got corrupt from the malware you had on your computer or not?
Do you have your Office CD, can you put it in the computer and do a Repair on the installation?
Or you can use the Add/Remove component to reinstall PowerPoint
-
I was able to delete all the files you told me... I put them all in the recycle bin; can I eliminate them also from there?
I think I have corrupted all the Office program and the CD for the installation wasn't mine... Well, no problem... I will buy it! This is a secondary problem!
Everything is working well on my pc!
Thank you!
-
yes, go ahead and remove the contents of the recycle bin
*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle
Go to START>>RUN>>In the open field
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point
Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"
*Keep up to date on Windows updates
You are way behind on your security updates
This is the most important part to keeping your system secure
I would take this opportunity and update to Service Pack 2
We've partly prepared your computer for this installation
Please take a look at this link
http://www.microsoft.com/windowsxp/sp2/default.mspx
On that page take note of the following link
What to know before you download and install
Before updating to SP2 I also recommend you run CleanUp! beforehand and additionally do a Disk Defragment
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
*A Firewall is very important in the protection of your computer
Windows Service pack 2 contains an adequate firewall protection
If you would like to consider a firewall with more controlled protection
Install one of the following
Sunbelt Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm)
Zone Alarm by Zonelabs (http://www.zonelabs.com/store/content/home.jsp)
OutPost by Agnitum (http://www.agnitum.com/products/)
Sygate Personal Firewall (http://www.snapfiles.com/get/sygatefw.html)
It's important to only use one Software firewall protection, this includes the one supplied with XP
More than one can cause a conflict
*Check for updates with your anti-spyware programs and run a scan on a regular basis
A great addition to Ad-Aware
is Spybot 1.4, I recommend installing it if you don't have it
You can download it from HERE (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
or HERE (http://www.safer-networking.org/en/download/index.html)
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check all boxes and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
RESTART the computer if any Red entries were fixed
Please Immunize after every update
You may also choose to hold onto Ewido and CleanUp!
Ewido will become a Limited version in a couple weeks
It's still a very good scanner to update and run once a month
Stay safe
NOTE: About PowerPoint and other office programs
I assume you never had a legit version installed, not sure why it's not working now
If you would like a free Office program that is compatible with all of Microsoft office
excluding Frontpage
This includes Powerpoint, Word, etc...
Take a look at Open office
http://www.openoffice.org/index.html
-
Thank you so much....
Everything is working very well!
Thank you!
-
Glad to help
I'll lock this topic as your problems are resolved
Take care