TheTechGuide Forum

General Category => Tech Clinic => Topic started by: joy on December 25, 2007, 10:45:44 AM

Title: Computer running very slow
Post by: joy on December 25, 2007, 10:45:44 AM

I know it's Christmas,but my computer doesn't respect the holy feasts!
First of all,I wish you Marry Xmas and Happy New Year...and everything...
Secondly,I post you a fresh HiJack logfile,because:

1.computer running slow in opening windows,folders,files,running programms...and in all its functions.
2.explore doesn't work well (slow and falling connections).
3.even if I have blocked all the pop-ups,sometimes a second big explore window opens while I'm running other internet pages...In the majority of cases it opens an advertisment (or something like this) window,or sites pages I've never visited.

Oh,don't mind if you see some strange programms,like Wedding Dash or Plant tycoon,they're both games installed.And,what's more,I've recently re-installed Avast for other 14months,because it has ran out.

...I think I have a Trojan Horse running,as said in an Avast alarm box...I've cancelled it,but it's still there.

Here it is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 16.43.19, on 25/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\iwxrnwbh.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [3c7a11bc] rundll32.exe "C:\WINDOWS\system32\bhefqofh.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/wedding...sh.1.0.0.44.cab (http://\"http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService -   - C:\WINDOWS\system32\iwxrnwbh.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe

Thank you in advance!
Joy

Title: Computer running very slow
Post by: guestolo on December 25, 2007, 01:30:02 PM

Hi Joy, and Merry Xmas

Can you do the following please
Update your version of Hijackthis

Download Hijackthis Installer from [color=\"#FF0000\"]HERE[/color] (http://\"http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe\")
For an alternate download location, you can try HERE  (http://\"http://fileforum.betanews.com/detail/HijackThis/1071179190/1\")
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Do a "System scan only" with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [3c7a11bc] rundll32.exe "C:\WINDOWS\system32\bhefqofh.dll",b

O23 - Service: DomainService - - C:\WINDOWS\system32\iwxrnwbh.exe



After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Don't reboot the computer yet
Instead
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe\") and save it ONLY to your desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
It's default location is C:\Combofix.txt

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Afterwards, do the following

1. Post the log from Combofix

2. Run a fresh Scan>>Save logfile with Hijackthis
Post the whole contents of the log that opens

Title: Computer running very slow
Post by: joy on December 26, 2007, 11:23:11 AM

Combofix Log:

ComboFix 07-12-26.4 - Giorgia 2007-12-26 16.59.48.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.69 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Giorgia\Desktop\ComboFix.exe
 * Creato nuovo punto di ripristino
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\hosts
C:\WINDOWS\system32\auhxxwsf.dll
C:\WINDOWS\system32\batloucd.dll
C:\WINDOWS\system32\bhefqofh.dll
C:\WINDOWS\system32\bswfhdmx.exe
C:\WINDOWS\system32\byxvtus.dll
C:\WINDOWS\system32\cbxvsrp.dll
C:\WINDOWS\system32\cbxvwwu.dll
C:\WINDOWS\system32\ccsamexd.ini
C:\WINDOWS\system32\evwkddyf.dll
C:\WINDOWS\system32\fcfdwwgr.ini
C:\WINDOWS\system32\fswxxhua.ini
C:\WINDOWS\system32\gbalmoxw.ini
C:\WINDOWS\system32\hfoqfehb.ini
C:\WINDOWS\system32\iwxrnwbh.exe
C:\WINDOWS\system32\jmapwosg.exe
C:\WINDOWS\system32\jrmwitid.dll
C:\WINDOWS\system32\lmueofot.exe
C:\WINDOWS\system32\nfanaqey.dll
C:\WINDOWS\system32\opnmmmj.dll
C:\WINDOWS\system32\prnugyio.dll
C:\WINDOWS\system32\qbtkpfci.exe
C:\WINDOWS\system32\qgekoete.exe
C:\WINDOWS\system32\qjfmcsmn.dll
C:\WINDOWS\system32\qkrmxbdd.ini
C:\WINDOWS\system32\rnkoasya.dll
C:\WINDOWS\system32\rqrqnnm.dll
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\srgootji.ini
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\uxwvw.ini
C:\WINDOWS\system32\uxwvw.ini2
C:\WINDOWS\system32\veepyowf.ini
C:\WINDOWS\system32\vpfsuqfo.exe
C:\WINDOWS\system32\vuvmvrho.exe
C:\WINDOWS\system32\wmkolaos.exe
C:\WINDOWS\system32\wvwxu.dll
C:\WINDOWS\system32\xfujicaa.dll
C:\WINDOWS\system32\yayaxvt.dll
C:\WINDOWS\Fonts\'

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Creati Da 2007-11-26 al 2007-12-26  )))))))))))))))))))))))))))))))))))
.

2007-12-22 19:22 . 2007-12-22 19:22   1,424   --a------   C:\WINDOWS\system32\host5.zip
2007-12-21 10:47 . 2007-07-30 19:19   207,736   --a------   C:\WINDOWS\system32\muweb.dll
2007-12-17 12:13 . 2007-12-17 12:13   <DIR>   d--------   C:\Programmi\Plant Tycoon
2007-12-17 10:51 . 2007-12-17 10:51   <DIR>   d--------   C:\Documents and Settings\Giorgia\Dati applicazioni\Home Sweet Home
2007-12-15 18:17 . 2007-12-15 18:17   876   --a------   C:\WINDOWS\$_hpcst$.hpc
2007-12-15 16:58 . 2007-12-15 16:58   147,456   --a------   C:\WINDOWS\system32\vbzip10.dll
2007-12-13 12:28 . 2007-12-13 12:28   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-13 12:28 . 2007-12-13 12:28   1,409   --a------   C:\WINDOWS\QTFont.for
2007-11-26 11:36 . 2007-11-27 18:58   <DIR>   d--------   C:\Documents and Settings\Giorgia\Dati applicazioni\Dcads Advanced Toolbar

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 15:33   ---------   d---a-w   C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-25 16:19   ---------   d-----w   C:\Programmi\eMule
2007-12-21 17:32   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\SolidDocuments
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-26 11:00   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\Adssite Advanced Toolbar
2007-11-12 17:57   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\MysteryStudio
2007-11-12 17:47   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\JollyBear
2007-11-10 12:21   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\Fugazo
2007-11-05 11:53   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\GameHouse
2007-11-05 11:53   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\n7-89-o9-3r-4t-r9
2007-11-05 08:53   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2007-10-29 12:23   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\Ohana Games
2007-10-29 11:33   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\ViquaSoft
2007-10-29 10:04   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\Lavasoft
2005-09-05 07:39   19,544   ----a-w   C:\Documents and Settings\Giorgia\Dati applicazioni\GDIPFONTCACHEV1.DAT
2004-11-22 16:00   5,547,008   ----a-w   C:\Programmi\pspf.msi
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
         C:\Programmi\ContextTool\ContextTool-2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7648AC4A-76F6-4d95-B2C4-F0DBD88E5DD5}]
2007-05-28 07:17   208384   --a------   C:\WINDOWS\system32\wmvploc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" []
"PcSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 13:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 04:05]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-10-25 18:58]
"DataLayer"="C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 10:31]
"PCSuiteTrayApplication"="C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 14:29]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"GrooveMonitor"="C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 23:39]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-09 09:44:23]
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2005-08-30 08:50:07]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
WinZip Quick Pick.lnk - C:\Programmi\WinZip\WZQKPICK.EXE [2006-12-29 16:01:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

S0 ifgbsrci;ifgbsrci;C:\WINDOWS\system32\drivers\qvvrmqhq.sys []

.
Contenuto della cartella 'Scheduled Tasks'
"2007-10-29 12:48:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-12-26 17:12:31
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2007-12-26 17:15:18 - machine was rebooted

Fresh HiJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.22.21, on 26/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Programmi\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: PopBlocker Class - {7648AC4A-76F6-4d95-B2C4-F0DBD88E5DD5} - C:\WINDOWS\system32\wmvploc.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/wedding...sh.1.0.0.44.cab (http://\"http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe

--
End of file - 6046 bytes

That's all.
Bye
Thanks

Title: Computer running very slow
Post by: guestolo on December 26, 2007, 12:08:38 PM

Still a bit of cleaning to do

Before we move on, can I see another log from hijackthis
Open Hijackthis>>>Click "Open Misc tools section">>Click "Open Uninstall manager">>
Click "Save list..."
you will be prompted to save the text file
Save it to your desktop then copy>paste back here the whole contents please

Title: Computer running very slow
Post by: joy on December 27, 2007, 06:47:32 AM

Here the logfile you need:

Access Gateway USB
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.9 - Italiano
Aggiornamento della protezione per Windows Media Player  (KB911564)
Aggiornamento della protezione per Windows Media Player 10  (KB917734)
Aggiornamento della protezione per Windows Media Player 6.4  (KB925398)
Aggiornamento della protezione per Windows XP (KB890046)
Aggiornamento della protezione per Windows XP (KB893756)
Aggiornamento della protezione per Windows XP (KB896358)
Aggiornamento della protezione per Windows XP (KB896423)
Aggiornamento della protezione per Windows XP (KB896424)
Aggiornamento della protezione per Windows XP (KB896428)
Aggiornamento della protezione per Windows XP (KB899587)
Aggiornamento della protezione per Windows XP (KB899589)
Aggiornamento della protezione per Windows XP (KB899591)
Aggiornamento della protezione per Windows XP (KB900725)
Aggiornamento della protezione per Windows XP (KB901017)
Aggiornamento della protezione per Windows XP (KB901214)
Aggiornamento della protezione per Windows XP (KB902400)
Aggiornamento della protezione per Windows XP (KB905414)
Aggiornamento della protezione per Windows XP (KB905749)
Aggiornamento della protezione per Windows XP (KB908519)
Aggiornamento della protezione per Windows XP (KB911562)
Aggiornamento della protezione per Windows XP (KB911567)
Aggiornamento della protezione per Windows XP (KB911927)
Aggiornamento della protezione per Windows XP (KB912919)
Aggiornamento della protezione per Windows XP (KB913580)
Aggiornamento della protezione per Windows XP (KB914388)
Aggiornamento della protezione per Windows XP (KB914389)
Aggiornamento della protezione per Windows XP (KB917159)
Aggiornamento della protezione per Windows XP (KB917344)
Aggiornamento della protezione per Windows XP (KB917422)
Aggiornamento della protezione per Windows XP (KB917953)
Aggiornamento della protezione per Windows XP (KB918899)
Aggiornamento della protezione per Windows XP (KB919007)
Aggiornamento della protezione per Windows XP (KB920213)
Aggiornamento della protezione per Windows XP (KB920214)
Aggiornamento della protezione per Windows XP (KB920670)
Aggiornamento della protezione per Windows XP (KB920683)
Aggiornamento della protezione per Windows XP (KB920685)
Aggiornamento della protezione per Windows XP (KB921398)
Aggiornamento della protezione per Windows XP (KB921883)
Aggiornamento della protezione per Windows XP (KB922616)
Aggiornamento della protezione per Windows XP (KB922819)
Aggiornamento della protezione per Windows XP (KB923191)
Aggiornamento della protezione per Windows XP (KB923414)
Aggiornamento della protezione per Windows XP (KB923689)
Aggiornamento della protezione per Windows XP (KB923694)
Aggiornamento della protezione per Windows XP (KB923980)
Aggiornamento della protezione per Windows XP (KB924191)
Aggiornamento della protezione per Windows XP (KB924270)
Aggiornamento della protezione per Windows XP (KB924496)
Aggiornamento della protezione per Windows XP (KB925454)
Aggiornamento della protezione per Windows XP (KB925486)
Aggiornamento della protezione per Windows XP (KB926255)
Aggiornamento per Windows XP (KB894391)
Aggiornamento per Windows XP (KB898461)
Aggiornamento per Windows XP (KB900485)
Aggiornamento per Windows XP (KB908531)
Aggiornamento per Windows XP (KB910437)
Aggiornamento per Windows XP (KB911280)
Aggiornamento per Windows XP (KB916595)
Aggiornamento per Windows XP (KB920872)
Aggiornamento per Windows XP (KB922582)
Aggiornamento rapido per Windows XP - KB873339
Aggiornamento rapido per Windows XP - KB885835
Aggiornamento rapido per Windows XP - KB885836
Aggiornamento rapido per Windows XP - KB885884
Aggiornamento rapido per Windows XP - KB886185
Aggiornamento rapido per Windows XP - KB887472
Aggiornamento rapido per Windows XP - KB888302
Aggiornamento rapido per Windows XP - KB890859
Aggiornamento rapido per Windows XP - KB891781
Alice ti aiuta
Apple Software Update
avast! Antivirus
CleanUp!
C-Media WDM Audio Driver
Collins COBUILD on CD-ROM
Digital Camera Driver
eMule
EPSON PhotoQuicker3.2
Estensione HighMAT per Masterizzazione guidata CD di Microsoft Windows XP
Free PS Convert driver 8.15
HijackThis 2.0.2
Installazione Guidata Alice ADSL
Installazione Guidata di Alice
iTunes
Java(tm) 6 Update 2
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Italian Language Pack
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office 2003 - Componenti Web
Microsoft Office Access MUI (Italian) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Italian) 2007
Microsoft Office Groove MUI (Italian) 2007
Microsoft Office InfoPath MUI (Italian) 2007
Microsoft Office OneNote MUI (Italian) 2007
Microsoft Office Outlook MUI (Italian) 2007
Microsoft Office PowerPoint MUI (Italian) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (Italian) 2007
Microsoft Office Publisher MUI (Italian) 2007
Microsoft Office Shared MUI (Italian) 2007
Microsoft Office Word MUI (Italian) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
MSN Toolbar
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Nokia Connectivity Cable Driver
Nokia PC Suite
Panda ActiveScan
Pdf995
PDFCreator 0.8.0
QuickTime
Software per stampante EPSON
SolidConverterPDF
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Service Pack 2
WinZip

Bye

Title: Computer running very slow
Post by: guestolo on December 27, 2007, 10:53:05 AM

==Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything else than notepad or the script will not work

Quote

File::
C:\WINDOWS\system32\wmvploc.dll
C:\WINDOWS\system32\host5.zip
C:\WINDOWS\system32\vbzip10.dll
Folder::
C:\Programmi\ContextTool
C:\Documents and Settings\All Users\Dati applicazioni\n7-89-o9-3r-4t-r9
C:\Documents and Settings\Giorgia\Dati applicazioni\Adssite Advanced Toolbar
C:\Documents and Settings\Giorgia\Dati applicazioni\Dcads Advanced Toolbar
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7648AC4A-76F6-4d95-B2C4-F0DBD88E5DD5}]

Save this as txtfile on your desktop
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse click on it, let it complete

When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt..
I'll need to see that log again later

NEXT:
Do the following:
Download [color=\"red\"]SDFix[/color] (http://\"http://downloads.andymanchesta.com/RemovalTools/SDFix.exe\") and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  

I'll need to see that report later

Post back all the following, even if it takes more than one reply to do so

1. Post the log from combofix >>C:\Combofix.txt
2. Post the report from SDFix>>Report.txt
3. Run a fresh Scan>>save logfile with Hijackthis and post it's log too


In addition:
The file may not exist, but I want to double check
go to this link

http://www.virustotal.com/flash/index_en.html (http://\"http://www.virustotal.com/flash/index_en.html\")

Use the browse button and navigate to the file on your harddrive
C:\WINDOWS\system32\drivers\qvvrmqhq.sys<-this file

Right click on the file,  and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post back the results this scan back here please

Title: Computer running very slow
Post by: joy on December 27, 2007, 02:34:12 PM

Combofix last logfile:

ComboFix 07-12-26.4 - Giorgia 2007-12-27 19:35:26.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.61 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Giorgia\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Giorgia\Desktop\CFScript.txt
 * Creato nuovo punto di ripristino

FILE
C:\WINDOWS\system32\host5.zip
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wmvploc.dll
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Dati applicazioni\n7-89-o9-3r-4t-r9
C:\Documents and Settings\All Users\Dati applicazioni\n7-89-o9-3r-4t-r9\profile.ini
C:\Documents and Settings\Giorgia\Dati applicazioni\Adssite Advanced Toolbar
C:\Documents and Settings\Giorgia\Dati applicazioni\Adssite Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\Giorgia\Dati applicazioni\Adssite Advanced Toolbar\selected.xml
C:\Documents and Settings\Giorgia\Dati applicazioni\Dcads Advanced Toolbar
C:\Documents and Settings\Giorgia\Dati applicazioni\Dcads Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\Giorgia\Dati applicazioni\Dcads Advanced Toolbar\selected.xml
C:\WINDOWS\system32\host5.zip
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wmvploc.dll

.
(((((((((((((((((((((((((   Files Creati Da 2007-11-27 al 2007-12-27  )))))))))))))))))))))))))))))))))))
.

2007-12-21 10:47 . 2007-07-30 19:19   207,736   --a------   C:\WINDOWS\system32\muweb.dll
2007-12-17 12:13 . 2007-12-17 12:13   <DIR>   d--------   C:\Programmi\Plant Tycoon
2007-12-17 10:51 . 2007-12-17 10:51   <DIR>   d--------   C:\Documents and Settings\Giorgia\Dati applicazioni\Home Sweet Home
2007-12-15 18:17 . 2007-12-15 18:17   876   --a------   C:\WINDOWS\$_hpcst$.hpc
2007-12-13 12:28 . 2007-12-13 12:28   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-13 12:28 . 2007-12-13 12:28   1,409   --a------   C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 17:01   ---------   d-----w   C:\Programmi\eMule
2007-12-26 15:33   ---------   d---a-w   C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-21 17:32   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\SolidDocuments
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-11-12 17:57   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\MysteryStudio
2007-11-12 17:47   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\JollyBear
2007-11-10 12:21   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\Fugazo
2007-11-05 11:53   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\GameHouse
2007-11-05 08:53   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2007-10-29 12:23   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\Ohana Games
2007-10-29 11:33   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\ViquaSoft
2007-10-29 10:04   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\Lavasoft
2005-09-05 07:39   19,544   ----a-w   C:\Documents and Settings\Giorgia\Dati applicazioni\GDIPFONTCACHEV1.DAT
2004-11-22 16:00   5,547,008   ----a-w   C:\Programmi\pspf.msi
.

(((((((((((((((((((((((((((((   snapshot@2007-12-26_17.14.33.26   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-27 17:49:48   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_584.dat
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" []
"PcSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 13:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 04:05]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-10-25 18:58]
"DataLayer"="C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 10:31]
"PCSuiteTrayApplication"="C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 14:29]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"GrooveMonitor"="C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 23:39]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-09 09:44:23]
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2005-08-30 08:50:07]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
WinZip Quick Pick.lnk - C:\Programmi\WinZip\WZQKPICK.EXE [2006-12-29 16:01:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

S0 ifgbsrci;ifgbsrci;C:\WINDOWS\system32\drivers\qvvrmqhq.sys []

.
Contenuto della cartella 'Scheduled Tasks'
"2007-10-29 12:48:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-12-27 19:39:32
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2007-12-27 19:40:55


SDFix report:

SDFix: Version 1.119

Run by Giorgia on 27/12/2007 at 19.56

Microsoft Windows XP [Versione 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\systime.exe  - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-12-27 20:09:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri  8 Sep 2006       154,624 A..HR --- "C:\Documents and Settings\Giorgia\Impostazioni locali\Temp\PXR3.tmp"

Finished!


Fresh HiJack logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.26.09, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/wedding...sh.1.0.0.44.cab (http://\"http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe

--
End of file - 5800 bytes

I think it's all...
Oh,yes...I can't find the file you told me to scan in WINDOWS/system32 etc etc...

Thanx
Bye

Title: Computer running very slow
Post by: guestolo on December 27, 2007, 03:40:59 PM

Just some final steps

Delete cfscript.txt on desktop, we're going to do this step again in a bit

If you didn't purposely set IE home page to About:blank
Do a "System scan only" with Hijackthis and put a check next to this entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything else than notepad or the script will not work

Quote

File::
C:\WINDOWS\system32\drivers\qvvrmqhq.sys
C:\Documents and Settings\Giorgia\Impostazioni locali\Temp\PXR3.tmp
Driver::
ifgbsrci

Save this as txtfile on your desktop
CFScript

Temporarily disable Avasts protections by right clicking the Avast icon by the clock and select
"Stop On Access Protections"
Ok the prompt
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse click on it, let it complete

When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt..
I'll need to see that log again later

After reboot
I know you and I have ran this tool in the past
But I just want to ensure you don't have a certain rootkit on your system


Download the Gromozon Removal Tool (http://\"http://www.prevx.com/gromozon.asp\") by Prevx and save to desktop
Disable Avast protections again if reenabled
Launch the program and click Scan, if it locates an infection, it should tell you its going to reboot the machine and remove the infection.
Let the machine restart and wait for the tool to finish.
NOTE: If you are prompted to install PrevX trial version, select NO, it's not required!

Afterwards, can you post the following logs

1. Post one last fresh hijackthis log
2. Post the log again from Combofix>>C:\Combofix.txt
3. Post the log from Gromozon>>C:\Gromozon_Removal.log

In addition, please let me know how things are now running

Title: Computer running very slow
Post by: joy on December 28, 2007, 06:15:20 AM

Things are running very good,since yesterday!
Everything run normally!!!
Here they are the logs you asked me:

Combofix last log:

ComboFix 07-12-26.4 - Giorgia 2007-12-28 11.39.30.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.66 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Giorgia\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Giorgia\Desktop\CFScript.txt
 * Creato nuovo punto di ripristino

FILE
C:\Documents and Settings\Giorgia\Impostazioni locali\Temp\PXR3.tmp
C:\WINDOWS\system32\drivers\qvvrmqhq.sys
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Giorgia\Impostazioni locali\Temp\PXR3.tmp

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IFGBSRCI
-------\ifgbsrci


(((((((((((((((((((((((((   Files Creati Da 2007-11-28 al 2007-12-28  )))))))))))))))))))))))))))))))))))
.

2007-12-27 19:55 . 2007-12-27 19:55   <DIR>   d--------   C:\WINDOWS\ERUNT
2007-12-21 10:47 . 2007-07-30 19:19   207,736   --a------   C:\WINDOWS\system32\muweb.dll
2007-12-17 12:13 . 2007-12-17 12:13   <DIR>   d--------   C:\Programmi\Plant Tycoon
2007-12-17 10:51 . 2007-12-17 10:51   <DIR>   d--------   C:\Documents and Settings\Giorgia\Dati applicazioni\Home Sweet Home
2007-12-15 18:17 . 2007-12-15 18:17   876   --a------   C:\WINDOWS\$_hpcst$.hpc
2007-12-13 12:28 . 2007-12-13 12:28   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-13 12:28 . 2007-12-13 12:28   1,409   --a------   C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 17:01   ---------   d-----w   C:\Programmi\eMule
2007-12-26 15:33   ---------   d---a-w   C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-21 17:32   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\SolidDocuments
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-12 17:57   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\MysteryStudio
2007-11-12 17:47   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\JollyBear
2007-11-10 12:21   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\Fugazo
2007-11-05 11:53   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\GameHouse
2007-11-05 08:53   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2007-10-29 12:23   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\Ohana Games
2007-10-29 11:33   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\ViquaSoft
2007-10-29 10:04   ---------   d-----w   C:\Documents and Settings\Giorgia\Dati applicazioni\Lavasoft
2005-09-05 07:39   19,544   ----a-w   C:\Documents and Settings\Giorgia\Dati applicazioni\GDIPFONTCACHEV1.DAT
2004-11-22 16:00   5,547,008   ----a-w   C:\Programmi\pspf.msi
.

(((((((((((((((((((((((((((((   snapshot@2007-12-26_17.14.33.26   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-23 23:54:58   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-27 18:55:33   5,582,848   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-27 18:55:33   159,744   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-23 23:54:58   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-27 18:55:18   5,582,848   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-27 18:55:18   159,744   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-12-28 10:45:35   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_578.dat
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" []
"PcSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 13:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 04:05]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-10-25 18:58]
"DataLayer"="C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 10:31]
"PCSuiteTrayApplication"="C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 14:29]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"GrooveMonitor"="C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 23:39]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-09 09:44:23]
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2005-08-30 08:50:07]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
WinZip Quick Pick.lnk - C:\Programmi\WinZip\WZQKPICK.EXE [2006-12-29 16:01:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"


.
Contenuto della cartella 'Scheduled Tasks'
"2007-10-29 12:48:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-12-28 11:46:20
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2007-12-28 11:49:30 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-27 19:40


Gromozon report:

Removal tool loaded into memory
Removing ADS stream: C:\:ntimaxp.gif:$DATA
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon Removed!

Last fresh Hijack logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.14.11, on 28/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/wedding...sh.1.0.0.44.cab (http://\"http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe

--
End of file - 5722 bytes

I think it's all...
Thank you very much...Let me know if there's other things I have to do!
Thanx
Bye

Title: Computer running very slow
Post by: guestolo on December 28, 2007, 07:45:37 PM

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Select>>Create a New restore point
Give it a name and click Create
Windows will prompt when it was created successfully

When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning


Go ahead and delete the Gromozon tool from desktop
Just some final steps
Go to START>>RUN>>Copy then paste the next command below in bold
Then hit OK

combofix /u

This will uninstall combofix and it's components

Let's remove other tools we used earlier
Download this tool:
[color=\"blue\"]OTMoveIt[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe\") by OldTimer:

• Save it to your desktop.
  
• Please double-click OTMoveIt.exe to run it.
  Click the Cleanup! button
  A list will be downloaded>>Allow it Internet access if prompted by your Firewall
  Don't change anything in this list
  Select Yes at the prompt
  Wait for the confirmation box to open to reboot the computer, don't mouseclick during the wait as you may cause the tool to stall
  Select Yes to reboot Now
  

NOTE: This procedure will also delete OTMoveit.exe from desktop

Be sure to check for updates with Spywareblaster and select the enable all protections if there was an update
Also, check and download updates with Spybot 1.4,
Ensure to use the Immunize feature after every update
Simply click Immunize>>OK>>Immunize again at the top green cross

P.S> You mentioned this earlier

Quote

And,what's more,I've recently re-installed Avast for other 14months,because it has ran out.

There is really no need to uninstall and reinstall
Simply reregister the product after it is ready to expire
Here's the link, just keep it bookmarked
http://www.avast.com/eng/home-registration.php (http://\"http://www.avast.com/eng/home-registration.php\")
Look under>>I'm a registered user and my registration key has expired, I need a new one
They will email you a new activation key in email

Hope that helps  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Title: Computer running very slow
Post by: joy on December 29, 2007, 06:17:12 AM

Oh,yes...about Avast...I've explained myself wrongly,I did exactly what you said,I did not re-installed,I just got a new key,but I was writing fast,so I wrote the first thing... /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
I did everything you asked me in your last message.
Everything is quite good...only a bit slower and more irregular than yesterday.
Maybe it because I was doing a lot of operation on it...I'll keep controlling it and if something still wrong,I will tell you!

Thank you by now!
Bye

Title: Computer running very slow
Post by: guestolo on December 29, 2007, 12:07:05 PM

.

Quote

I'll keep controlling it and if something still wrong,I will tell you!

Ok, I'll leave this topic open for a few days, let me know how it's running in a bit

Title: Computer running very slow
Post by: joy on January 05, 2008, 06:31:50 AM

Hi...I kept all controlled and fortunately everything's going very well...
Just one thing: usually I browsed explorer through an automatic pop-up window, I used to push "connect" or "ok"...I don't remeber...but it was all automatic.
Now I have to connect myself into the connections folder...
Let me know...
Thanx
Bye

Title: Computer running very slow
Post by: joy on January 05, 2008, 06:37:29 AM

Hi...As I kept all controlled, everything's going very well!

Just one thing: I usually connected myself/browse internet explore through an automatic pop-up window, cheking/pushig "connect" or "ok" (something like this)...Now I have to go into the connections folder and do the connection process there...
Let me know...
Thank you
Bye!

Title: Computer running very slow
Post by: guestolo on January 05, 2008, 01:19:36 PM

I remember we went through this before

Here's what I mentioned

Quote

Also, for auto dial on ADSL
Can you check your connection
In Internet Explorer, click on TOOLS>>Internet Options>>Connections tab
Under Dial up settings select your account
Ensure that "Dial whenever a network connection is not present" is selected
Apply and ok out of there

See if that helps

Did that help before?

Title: Computer running very slow
Post by: joy on January 07, 2008, 12:10:01 PM

Yes,yes...we went through it before,but I didn't remember how to deal with this problem.
I will save your last post so I can use it, in the case...
Thanx...Now everything is going perfectly!
Thank you so much!
Bye

Title: Computer running very slow
Post by: guestolo on January 07, 2008, 07:32:49 PM

Good work, since your problems appear resolved
I'll lock this topic, take care Joy  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />