
Solved: problems with redirected hosts - hijt file to log

Discussion in 'Virus & Other Malware Removal' started by epis777, Jan 16, 2005.

  1. epis777 (Thread Starter; joined Jan 16, 2005; 25 messages)

    After using Registry Mechanic 3.03 (for deleting the bad key command) in HKLM ... [Themes] [see before], this is the output produced this morning by Find.it:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Windows\system32

    ------- System Files in System32 Directory -------
    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    10/01/2005 12.26 <DIR> dllcache
    30/05/2004 11.31 <DIR> Microsoft
    20/03/2001 22.04 244.232 Msflxgrd.ocx
    1 File(s) 244.232 bytes
    2 Dir(s) 6.074.241.024 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    10/01/2005 12.26 <DIR> dllcache
    24/11/2004 21.37 24.175 ATMitaxx.GID
    30/05/2004 18.32 <DIR> GroupPolicy
    19/09/2001 06.46 488 logonui.exe.manifest
    19/09/2001 06.46 488 WindowsLogon.manifest
    19/09/2001 06.45 749 nwc.cpl.manifest
    19/09/2001 06.45 749 sapi.cpl.manifest
    19/09/2001 06.45 749 ncpa.cpl.manifest
    19/09/2001 06.45 749 cdplayer.exe.manifest
    19/09/2001 06.45 749 wuaucpl.cpl.manifest
    8 File(s) 28.896 bytes
    2 Dir(s) 6.074.241.024 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    16/01/2005 20.06 223.126 guard.tmp
    1 File(s) 223.126 bytes
    0 Dir(s) 6.074.236.928 bytes free

    --------- Temp Files in System32 Directory --------

    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    16/01/2005 20.06 223.126 guard.tmp
    11/08/2004 01.38 253.688 setb0.tmp
    11/08/2004 01.38 253.688 setb1.tmp
    30/08/2001 17.00 2.885 CONFIG.TMP
    4 File(s) 733.387 bytes
    0 Dir(s) 6.074.232.832 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTServ]
    "DLLName"="C:\\Programmi\\File comuni\\Logitech\\Bluetooth\\lbtserv.dll"
    "Startup"="OnWlxStartup"
    "Logon"="OnWlxLogon"
    "Logoff"="OnWlxLogoff"
    "StartShell"="OnWlxStartShell"
    "Asynchronous"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ------------------ Locate.com Results ------------------

    C:\WINDOWS\SYSTEM32\
    atmitaxx.gid Wed 24 Nov 2004 21.37.44 A..H. 24.175 23,61 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 24.175 bytes 23,61 K

    ------------ Strings.exe Qoologic Results ------------

    C:\WINDOWS\system32\pav.sig: Qoologic
    C:\WINDOWS\system32\pav.sig: Qoologic

    -------------- Strings.exe Aspack Results -------------

    C:\WINDOWS\system32\ntdll.dll: .aspack
    C:\WINDOWS\system32\pav.sig: AsPack

    ----------------- HKLM Run Key ------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtiPTA"="atiptaxx.exe"
    "eabconfg.cpl"="C:\\Programmi\\Compaq\\EAB\\EabServr.exe /Start"
    "Cpqset"="c:\\compaq\\cpqsetup\\cpqset.exe"
    "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
    "Share-to-Web Namespace Daemon"="C:\\Programmi\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
    "HP Network Registry Agent"="C:\\Windows\\System32\\hpnra.exe"
    "HP Status"="C:\\Windows\\System32\\hpstatus.exe"
    "HP Proxy Server"="C:\\Programmi\\Hewlett-Packard\\ProxyService\\ProxyService.lnk"
    "hkss"="C:\\Programmi\\Compaq\\Hotkey Software\\hkss.exe"
    "TkBellExe"="\"C:\\Programmi\\File comuni\\Real\\Update_OB\\realsched.exe\" -osboot"
    "MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~2\\MpfTray.exe"
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
    "LTWinModem1"="ltmsg.exe 9"
    "gcasServ"="\"C:\\Programmi\\Microsoft AntiSpyware\\gcasServ.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


  2. Cookiegal (Administrator, Malware Specialist Coordinator; joined Aug 27, 2003; 111,116 messages)

    I am attaching a fix2.zip file to this post. Download fix2.zip to your desktop and unzip it.

    IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

    Double-click on the fix2.reg file to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

    Double-click on Killbox.exe to run it. Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\Windows\System32\guard.tmp

    Note: If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

    Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

    Next run VX2Finder and click the "Restore Policy" button.

    Now restart your computer.

    Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

    Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.
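The "Keys Under Notify" section of the Find.bat output above is a REGEDIT4 export of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, an autostart point where every subkey names a DLL that winlogon.exe loads at logon. Reading it by hand means decoding the hex(2) byte lists and knowing which DLLs Windows XP registers itself. The script below is an added example for this thread, not code from Find.bat, HijackThis or the forum: it parses a REGEDIT4 export, decodes REG_SZ, REG_DWORD and hex(2) values, and classifies each Notify subkey. The allow-list of stock DLLs is the editor's assumption; the sample export is constructed from three subkeys posted above (note that the posted Themes subkey still has event handler names but no DllName, which the script reports as "no-dll") plus one made-up subkey, sample_suspect, that does not appear anywhere in the thread.

```python
"""Triage a REGEDIT4 export of the Winlogon\\Notify key (the "Keys Under Notify"
section that Find.bat writes). Added example for this thread, not code from the
thread, Find.bat or the forum. The allow-list of stock DLLs is the editor's
assumption; the sample export is constructed from the keys posted above plus
one constructed subkey, sample_suspect, that does not appear in the thread."""
import re

# Stock Windows XP Notify DLLs (assumption: the editor's allow-list, not from the thread).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample: three subkeys copied from the posted export, one made up.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTServ]
"DLLName"="C:\\Programmi\\File comuni\\Logitech\\Bluetooth\\lbtserv.dll"
"Startup"="OnWlxStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample_suspect]
"DllName"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,\
  73,61,6d,70,6c,65,2e,64,6c,6c,00
"Logon"="WinLogon"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _join_continuations(text):
    """REGEDIT4 wraps long hex values with a trailing backslash; rejoin them."""
    return re.sub(r",\\\r?\n\s*", ",", text)


def parse_regedit4(text):
    """Return {key_path: {value_name: raw_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in _join_continuations(text).splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_value(raw):
    """Decode one REGEDIT4 value: "..." (REG_SZ), dword:, or hex(N): byte lists."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        # REGEDIT4 (unlike "Version 5.00") stores REG_EXPAND_SZ as ANSI bytes, NUL-terminated
        return data.decode("latin-1").rstrip("\x00")
    return raw


def triage_notify(export_text):
    """Classify every Winlogon\\Notify subkey; returns [(subkey, dll_or_None, verdict)].

    known   - DLL basename is a stock Windows Notify DLL
    other   - full path outside System32 (third-party, e.g. Logitech): verify the vendor
    no-dll  - subkey still has event handlers but no DllName at all (orphaned entry)
    suspect - bare name or System32 path that Windows itself does not register
    """
    findings = []
    for key, values in parse_regedit4(export_text).items():
        if not key.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue
        subkey = key.rsplit("\\", 1)[1]
        raw = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if raw is None:
            findings.append((subkey, None, "no-dll"))
            continue
        dll = decode_value(raw)
        base = dll.rsplit("\\", 1)[-1].lower()
        if base in KNOWN_NOTIFY_DLLS:
            verdict = "known"
        elif "\\" not in dll or "\\system32\\" in dll.lower():
            verdict = "suspect"
        else:
            verdict = "other"
        findings.append((subkey, dll, verdict))
    return findings


if __name__ == "__main__":
    for subkey, dll, verdict in triage_notify(SAMPLE_EXPORT):
        print(f"{verdict:8s} {subkey:16s} {dll or '(no DllName)'}")
```

Feed it the notify.txt that Find.bat writes (or a `regedit /e` export of the Notify key) instead of SAMPLE_EXPORT. A bare DLL name is resolved from System32 at load time, so "suspect" covers both a bare unknown name and an explicit System32 path; "other" entries such as the Logitech Bluetooth DLL still deserve a vendor check but are not what this thread is hunting.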
     
  3. epis777 (Thread Starter)

    As two days ago, find.bat did not find any files and did not produce any output.txt file; instead it produced some of the files that are summarized in output.txt, precisely:

    guard.txt

    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    18/01/2005 12.39 56 guard.tmp
    1 File(s) 56 bytes
    0 Dir(s) 6.062.149.632 bytes free

    header.txt

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Paolo Petrucciani\Desktop\Find It NT-2K-XP

    haeder.txtheader.txt (empty)

    hidden.txt

    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    10/01/2005 12.26 <DIR> dllcache
    24/11/2004 21.37 24.175 ATMitaxx.GID
    30/05/2004 18.32 <DIR> GroupPolicy
    19/09/2001 06.46 488 logonui.exe.manifest
    19/09/2001 06.46 488 WindowsLogon.manifest
    19/09/2001 06.45 749 nwc.cpl.manifest
    19/09/2001 06.45 749 sapi.cpl.manifest
    19/09/2001 06.45 749 ncpa.cpl.manifest
    19/09/2001 06.45 749 cdplayer.exe.manifest
    19/09/2001 06.45 749 wuaucpl.cpl.manifest
    8 File(s) 28.896 bytes
    2 Dir(s) 6.062.153.728 bytes free

    notify.txt

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTServ]
    "DLLName"="C:\\Programmi\\File comuni\\Logitech\\Bluetooth\\lbtserv.dll"
    "Startup"="OnWlxStartup"
    "Logon"="OnWlxLogon"
    "Logoff"="OnWlxLogoff"
    "StartShell"="OnWlxStartShell"
    "Asynchronous"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    system.txt

    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    10/01/2005 12.26 <DIR> dllcache
    30/05/2004 11.31 <DIR> Microsoft
    20/03/2001 22.04 244.232 Msflxgrd.ocx
    1 File(s) 244.232 bytes
    2 Dir(s) 6.062.153.728 bytes free

    temp.txt

    Volume in drive C is Epistema
    Volume Serial Number is DC1D-C128

    Directory of C:\Windows\System32

    18/01/2005 12.39 56 guard.tmp
    11/08/2004 01.38 253.688 setb0.tmp
    11/08/2004 01.38 253.688 setb1.tmp
    30/08/2001 17.00 2.885 CONFIG.TMP
    4 File(s) 510.317 bytes
    0 Dir(s) 6.062.145.536 bytes free

    useragent.txt

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    locate.txt


    C:\WINDOWS\SYSTEM32\
    atmitaxx.gid Wed 24 Nov 2004 21.37.44 A..H. 24.175 23,61 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 24.175 bytes 23,61 K

    ------------ Strings.exe Qoologic Results ------------

    aspack.txt (empty)

    qoologic.txt

    C:\WINDOWS\system32\pav.sig: Qoologic
    C:\WINDOWS\system32\pav.sig: Qoologic

    runkey.txt (empty)


    What do you suggest? The PC is working fine (no more problems, it seems!!)

    Thanks for your help.
     
  4. Cookiegal (Administrator, Malware Specialist Coordinator)

    Double-click on Killbox.exe to run it. Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\Windows\System32\guard.tmp

    Note: If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

    Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

    Next run VX2Finder and click the "Restore Policy" button.

    Now restart your computer.

    Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.
     
  5. epis777 (Thread Starter)

    I followed your procedure but the problem is the same.
    Find.bat says that it "cannot find the specified path" (when running the second part of the batch: strings.exe).
    The output.txt is not generated entirely (only some files), probably because the file that fails to be generated (runkey.txt) does not find the correct address in the
    registry key.

    Actually this key appears in the registry as:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] (19 january 05)

    where the first time (16 january 05) was:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{13793AE1-3BD6-41E4-9E6F-4993A9A0757B}"=""

    Anyway the PC works correctly without problems.
     
  6. epis777 (Thread Starter)

    Anyway, I attach my last HijackThis log file:

    Logfile of HijackThis v1.99.0
    Scan saved at 12.05.05, on 19/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\spoolsv.exe
    C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    C:\Windows\System32\hpb2ksrv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
    C:\Windows\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
    C:\Windows\system32\atiptaxx.exe
    C:\Programmi\Compaq\EAB\EabServr.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Windows\System32\hpnra.exe
    C:\Windows\System32\hpstatus.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Programmi\Java\j2re1.4.1_07\bin\javaw.exe
    C:\Programmi\Compaq\Hotkey Software\hkss.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
    C:\Windows\system32\ltmsg.exe
    C:\Windows\system32\ctfmon.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Programmi\Netscape\Netscp.exe
    C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
    C:\Programmi\Logitech2\SetPoint\SetPoint.exe
    C:\Programmi\File comuni\Logitech\KHAL\KHALMNPR.EXE
    C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
    C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Programmi\MemoKit\memokit2.exe
    C:\Programmi\Microsoft Office\Office10\msoffice.exe
    C:\Windows\System32\HPBSPSVR.EXE
    C:\Windows\System32\HPBJDSNT.EXE
    C:\Windows\System32\svchost.exe
    C:\Documents and Settings\Paolo Petrucciani\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = DeleteDesktopShortCut: (AlwaysDelete) C:\Windows\PCHEALTH\HELPCTR\System\panels\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\Windows\System32\hpnra.exe
    O4 - HKLM\..\Run: [HP Status] C:\Windows\System32\hpstatus.exe
    O4 - HKLM\..\Run: [HP Proxy Server] C:\Programmi\Hewlett-Packard\ProxyService\ProxyService.lnk
    O4 - HKLM\..\Run: [hkss] C:\Programmi\Compaq\Hotkey Software\hkss.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programmi\Netscape\Netscp.exe" -turbo
    O4 - Startup: Gozilla.lnk = ?
    O4 - Startup: MemoKit.lnk = C:\Programmi\MemoKit\mk.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech2\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra button: Connector - {FFB51760-344E-4FFB-BFFF-4B18C7AC1D63} - C:\Windows\System32\shdocvw.dll
    O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {3A471221-E332-4240-A709-C6D087007ADE} - http://www.secretwindow.biz/mio_privato/toccami.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs8b.instantservice.com/jars/customerxsigned41.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-it/itp/games26.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4419/mcfscan.cab
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.wizz.it/exe/607008.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB1E9EF5-902F-4A19-ABAD-D3733C2F222B}: NameServer = 151.99.125.2,151.99.250.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\Windows\system32\btxppanel.dll
    O18 - Filter: text/html - {EAEC3861-06F4-4C4D-BA7C-54B7FFFD047B} - C:\Documents and Settings\Paolo Petrucciani\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat
    O23 - Service: Ati HotKey Poller - Unknown - C:\Windows\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service - Broadcom Corporation - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    O23 - Service: Remote Diagnostics Enabling Agent - Hewlett Packard - C:\Windows\Cpqdiag\Cpqdfwag.exe
    O23 - Service: HP Status - Hewlett-Packard Company - C:\Windows\System32\hpb2ksrv.exe
    O23 - Service: HP Status Print - Unknown - C:\Windows\System32\hpbhksrv.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
     
  7. Cookiegal (Administrator, Malware Specialist Coordinator)

    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = DeleteDesktopShortCut: (AlwaysDelete) C:\Windows\PCHEALTH\HELPCTR\System\panels\blank.htm

    O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab

    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-it/itp/games26.cab

    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.wizz.it/exe/607008.exe

    O18 - Filter: text/html - {EAEC3861-06F4-4C4D-BA7C-54B7FFFD047B} - C:\Documents and Settings\Paolo Petrucciani\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat


    In safe mode, I want you to see if you can locate this file. Let me know.

    C:\Windows\System32\guard.tmp

    Please download and run the following program(s):

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.


    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

    Then, after rebooting, please post another log.
     
  8. epis777

    epis777 Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    25
    A week ago I installed Microsoft Antispyware beta1, released recently.

    Before your last reply I used this software to put some corrections into action.

    Before we go further with your advice, it is better that you see my new hijt log file.

    Logfile of HijackThis v1.99.0
    Scan saved at 20.16.25, on 20/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\spoolsv.exe
    C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    C:\Windows\System32\hpb2ksrv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\atiptaxx.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
    C:\Programmi\Compaq\EAB\EabServr.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Windows\System32\hpnra.exe
    C:\Windows\System32\hpstatus.exe
    C:\Programmi\Java\j2re1.4.1_07\bin\javaw.exe
    C:\Programmi\Compaq\Hotkey Software\hkss.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
    C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
    C:\Windows\system32\ltmsg.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Windows\system32\ctfmon.exe
    C:\Programmi\Netscape\Netscp.exe
    C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
    C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
    C:\Windows\System32\HPBSPSVR.EXE
    C:\Windows\System32\HPBJDSNT.EXE
    C:\Programmi\Logitech2\SetPoint\SetPoint.exe
    C:\Programmi\File comuni\Logitech\KHAL\KHALMNPR.EXE
    C:\Programmi\Microsoft Office\Office10\msoffice.exe
    C:\Programmi\MemoKit\memokit2.exe
    C:\Windows\system32\taskmgr.exe
    C:\Windows\System32\svchost.exe
    C:\Documents and Settings\Paolo Petrucciani\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\Windows\System32\hpnra.exe
    O4 - HKLM\..\Run: [HP Status] C:\Windows\System32\hpstatus.exe
    O4 - HKLM\..\Run: [HP Proxy Server] C:\Programmi\Hewlett-Packard\ProxyService\ProxyService.lnk
    O4 - HKLM\..\Run: [hkss] C:\Programmi\Compaq\Hotkey Software\hkss.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programmi\Netscape\Netscp.exe" -turbo
    O4 - Startup: MemoKit.lnk = C:\Programmi\MemoKit\mk.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech2\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4419/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB1E9EF5-902F-4A19-ABAD-D3733C2F222B}: NameServer = 151.99.125.2,151.99.250.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\Windows\system32\btxppanel.dll
    O18 - Filter: text/html - {EAEC3861-06F4-4C4D-BA7C-54B7FFFD047B} - C:\Documents and Settings\Paolo Petrucciani\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat
    O23 - Service: Ati HotKey Poller - Unknown - C:\Windows\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service - Broadcom Corporation - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    O23 - Service: Remote Diagnostics Enabling Agent - Hewlett Packard - C:\Windows\Cpqdiag\Cpqdfwag.exe
    O23 - Service: HP Status - Hewlett-Packard Company - C:\Windows\System32\hpb2ksrv.exe
    O23 - Service: HP Status Print - Unknown - C:\Windows\System32\hpbhksrv.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,116
    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O18 - Filter: text/html - {EAEC3861-06F4-4C4D-BA7C-54B7FFFD047B} - C:\Documents and Settings\Paolo Petrucciani\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat


    In safe mode, I want you to see if you can locate this file. Let me know.

    C:\Windows\System32\guard.tmp

    Please download and run the following program(s):

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.


    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

    Then, after rebooting, please post another log.
     
  10. epis777

    epis777 Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    25
    Yes, booting in safe mode I can locate the guard.tmp file.

    Now I go for the other antispyware.
     
  11. epis777

    epis777 Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    25
    Cookie, the situation is this:

    I ran Ad-Aware SE and Spybot (they fixed some things in the registry).

    Find.bat still cannot produce the output.txt file entirely (runkey.txt is always missing).

    Here is the last hijt log file:

    Logfile of HijackThis v1.99.0
    Scan saved at 1.43.03, on 21/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\atiptaxx.exe
    C:\Programmi\Compaq\EAB\EabServr.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Windows\System32\hpnra.exe
    C:\Windows\System32\hpstatus.exe
    C:\Programmi\Java\j2re1.4.1_07\bin\javaw.exe
    C:\Programmi\Compaq\Hotkey Software\hkss.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
    C:\Windows\system32\ltmsg.exe
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Windows\system32\ctfmon.exe
    C:\Programmi\Netscape\Netscp.exe
    C:\Programmi\Logitech2\SetPoint\SetPoint.exe
    C:\Programmi\MemoKit\memokit2.exe
    C:\Programmi\Microsoft Office\Office10\msoffice.exe
    C:\Programmi\File comuni\Logitech\KHAL\KHALMNPR.EXE
    C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Windows\System32\HPBSPSVR.EXE
    C:\Windows\System32\HPBJDSNT.EXE
    C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    C:\Windows\System32\hpb2ksrv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
    C:\Windows\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
    C:\Windows\system32\wuauclt.exe
    C:\Documents and Settings\Paolo Petrucciani\Desktop\HijackThis.exe
    C:\Windows\System32\svchost.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\Windows\System32\hpnra.exe
    O4 - HKLM\..\Run: [HP Status] C:\Windows\System32\hpstatus.exe
    O4 - HKLM\..\Run: [HP Proxy Server] C:\Programmi\Hewlett-Packard\ProxyService\ProxyService.lnk
    O4 - HKLM\..\Run: [hkss] C:\Programmi\Compaq\Hotkey Software\hkss.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programmi\Netscape\Netscp.exe" -turbo
    O4 - Startup: MemoKit.lnk = C:\Programmi\MemoKit\mk.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech2\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4419/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB1E9EF5-902F-4A19-ABAD-D3733C2F222B}: NameServer = 151.99.125.2,151.99.250.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0116B821-9EF9-4A77-A731-E4C7F28B24C4}: NameServer = 151.99.125.1,151.99.250.2
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\Windows\system32\btxppanel.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\Windows\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service - Broadcom Corporation - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    O23 - Service: Remote Diagnostics Enabling Agent - Hewlett Packard - C:\Windows\Cpqdiag\Cpqdfwag.exe
    O23 - Service: HP Status - Hewlett-Packard Company - C:\Windows\System32\hpb2ksrv.exe
    O23 - Service: HP Status Print - Unknown - C:\Windows\System32\hpbhksrv.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe

    Moreover, in the last 2 restarts I have lost some 5 or 6 tray icons (Bluetooth, antispyware, energy, safely remove hardware, sound, Logitech mouse, etc.).

    More suggestions?
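A way to check what actually changed between the two logs above, as an added example that is not code from this thread or from HijackThis: the script keys entries on their CLSID, so the DAP Bar toolbar (now "(no file)") shows up as changed rather than as one removal plus one addition, and the O18 text/html filter Cookiegal listed shows up as removed. The two log excerpts are constructed from lines posted in this thread.

```python
import re

# Constructed excerpts taken from the two HijackThis logs in this thread
# (the log before Cookiegal's fix list and the one posted after running
# Ad-Aware and Spybot); only lines that differ plus a few unchanged ones.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\Windows\system32\btxppanel.dll
O18 - Filter: text/html - {EAEC3861-06F4-4C4D-BA7C-54B7FFFD047B} - C:\Documents and Settings\Paolo Petrucciani\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\Windows\system32\btxppanel.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
USER_PROFILE = re.compile(r"\\documents and settings\\", re.IGNORECASE)


def parse_log(text):
    """Map each HijackThis entry to a stable key so two logs can be compared.
    Entries that carry a CLSID (O2/O3/O9/O16/O18 ...) are keyed on the CLSID,
    which survives a name change such as 'DAP Bar' -> '(no name)'; the rest
    are keyed on the text before ' = ' (R0/R1/O17) or on the whole body."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        key = (code, clsid.group(0).upper()) if clsid else (code, body.split(" = ")[0])
        entries[key] = line
    return entries


def diff_logs(before, after):
    """Report which entries disappeared, appeared, or changed between two logs."""
    a, b = parse_log(before), parse_log(after)
    return {
        "removed": sorted(a[k] for k in a.keys() - b.keys()),
        "added": sorted(b[k] for k in b.keys() - a.keys()),
        "changed": sorted((a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def suspicious(entries):
    """Entries worth a second look: an O18 MIME filter (it sees every text/html
    page IE renders) whose file sits under a user profile instead of a system
    or program directory, and O2/O3 entries whose file no longer exists
    (a leftover registration that should still be cleaned up)."""
    hits = []
    for (code, _), line in entries.items():
        if code == "O18" and "Filter:" in line and USER_PROFILE.search(line):
            hits.append(line)
        elif code in ("O2", "O3") and line.endswith("- (no file)"):
            hits.append(line)
    return sorted(hits)


if __name__ == "__main__":
    for kind, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(kind.upper())
        for item in lines:
            print("   ", item)
    print("SUSPICIOUS (before):", suspicious(parse_log(LOG_BEFORE)))
    print("SUSPICIOUS (after): ", suspicious(parse_log(LOG_AFTER)))
```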
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,116
    It's possible that the Microsoft tool took off some stuff it shouldn't have. I'm not familiar with it yet so don't know how good it is, although I'm hearing it is promising.

    In any event, we need to get rid of the guard.tmp file. Try again to delete it with Killbox, then reboot and see if you can still find it.
     
  13. epis777

    epis777 Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    25
    Sorry, I posted my output in another thread.
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,116
    O.K. Were you able to get rid of that file?
     
  15. epis777

    epis777 Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    25
    After a couple of tries, yes. The second time I put a tick on "delete" (in Killbox) because the first time the file was always still there (in system32).
     
Short URL to this thread: https://techguy.org/319918