Solved: Trojan adware.w32.exp.dwnldr and UltimateDefender

Discussion in 'Virus & Other Malware Removal' started by lazzaro, Jul 10, 2007.

Thread Status:
Not open for further replies.
  1. lazzaro

    lazzaro Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    6
    I think my computer (Windows XP) was infected by those two viruses.... Usually it is protected by SpyDoctor (I bought it and renewed it every year!!!)

    I followed your instructions in different posts, downloaded Spybot, CCleaner, Ad-Aware, and now have more anti-virus on my computer than hair on my head; but the problem still exists.

    I have a fake Windows security alert, then explorer is launched and it starts to download exe files from the net....
    and everything is deadly slow and it is impossible to work.

    This is my Hijack file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12.03.59, on 10/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\lxctcoms.exe
    C:\Programmi\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\bak\EM_EXEC.EXE
    C:\Programmi\Lexmark 5400 Series\lxctmon.exe
    C:\Programmi\Lexmark 5400 Series\ezprint.exe
    C:\Programmi\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Outlook Express\msimn.exe
    C:\Documents and Settings\lay principale\Desktop\iexplore.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\explorer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [lxctmon.exe] "C:\Programmi\Lexmark 5400 Series\lxctmon.exe"
    O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Programmi\Lexmark 5400 Series\fm3032.exe" /s
    O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 5400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O4 - Global Startup: Desktop Manager.lnk = C:\Programmi\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.planetis.com/it
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
    O17 - HKLM\System\CS1\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: msddx - {AEDBED08-5EEB-4555-BF03-D95E98DB6478} - C:\WINDOWS\msddx.dll
    O21 - SSODL: msqnx - {BCDE187C-A1DA-4585-8A64-D59BB9C64578} - C:\WINDOWS\msqnx.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Programmi\FileMaker\FileMaker Server Trial 5.5\Fmserver.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    Is there anything I can do? I am really thinking of re-initializing my computer... Thanks
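
As an added example (not part of the original thread, and not code from HijackThis or any poster), this is one way to triage a HijackThis log like the one posted above. The three heuristics and their reason codes are assumptions of this example and mark entries worth a closer look, not verdicts given in the thread; the sample lines are copied from the log above.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Documents and Settings\lay principale\Desktop\iexplore.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 5400 Series\ezprint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: msddx - {AEDBED08-5EEB-4555-BF03-D95E98DB6478} - C:\WINDOWS\msddx.dll
O21 - SSODL: msqnx - {BCDE187C-A1DA-4585-8A64-D59BB9C64578} - C:\WINDOWS\msqnx.dll
"""

# "O4 - HKLM\..\Run: [name] command" style entries: code, then body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
RUN_RE = re.compile(r"^.+?\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# Assumption: directories a normal user can write to without admin rights.
USER_DIRS = ("\\desktop\\", "\\temp\\", "\\temporary internet files\\")


def parse_log(text):
    """Split a HijackThis log into process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def run_target(cmd):
    """Return the executable part of a Run command line (quotes/args removed)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Return (reason, detail) pairs for entries that deserve a manual check."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        # Heuristic 1: a running image stored in a user-writable directory.
        if any(d in path.lower() for d in USER_DIRS):
            findings.append(("PROC_USER_DIR", path))
    for code, body in entries:
        if code == "O4":
            # Heuristic 2: autostart value with no directory, so the log
            # cannot show which file on the search path actually runs.
            m = RUN_RE.match(body)
            if m and "\\" not in run_target(m.group(2)):
                findings.append(("RUN_NO_PATH", m.group(1)))
        elif code == "O21":
            # Heuristic 3: shell-loaded DLL sitting directly in the Windows
            # root instead of system32 or a vendor directory.
            dll = body.rsplit(" - ", 1)[-1]
            if ntpath.dirname(dll).lower().endswith("\\windows"):
                findings.append(("SSODL_WINROOT", dll))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:14} {detail}")
```

Each finding still has to be resolved by hand (file location, signer, scanner result) before anything is fixed or deleted.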
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
    ======================

    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  3. lazzaro

    lazzaro Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    6
    Thanks very much for your prompt reply.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Next, please reboot your computer in Safe Mode by doing the following :
    Restart your computer
    After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    Instead of Windows loading as normal, a menu with options should appear;
    Select the first option, to run Windows in Safe Mode, then press "Enter".
    Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.


    I have done all the above, but when launching SmitFraudFix I have got this message: impossible to find the file "C:\Documents and Settings\lay principale\DEsktop\SmitFraudFix\SmitFraudFix.cmd Please verify the path and the name of the file...."

    WHAT SHOULD I DO?
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go back and carefully read the instructions - you did not extract all files to the folder and run from there
     
  5. lazzaro

    lazzaro Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    6
    Thanks for your patience: I am a beginner, but not stupid.

    I have downloaded the file from the link above.
    I have saved the zip on the desktop, then have extracted all the files (there are 13 files in the zip and 13 in the new folder)
    In security mode, I open the new folder and double click on the SmitfraudFix.cmd.
    I have done it TWICE but always the same message: impossible to find the file. Please verify....

    I have tried to do the same in normal mode, and also there the message is the same. And the program doesn't run....

    WHAT ELSE CAN I DO?

    Please help me, as you are very professional and helpful....

    Thanks Lazzaro

    P.S. On my desktop, every time that I open the computer there are three links to "Error Cleaner", "Privacy Protector" and "Spyware Protection", the same pages that my explorer opens automatically (or by order of the virus). CAN THIS ALSO AVOID ME OPENING THE SMITFRAUDFIX file?
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Run the second half of my first post - SAS
     
  7. lazzaro

    lazzaro Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    6
    I will do it tomorrow....

    I have just noticed that on my menu there is not the "Command prompt" and when I run an exe, or a DOS programme it always gives me the usual alert ("This file doesn't exist. Please check the path...")

    Maybe this is the cause of the problem.... How can I manage that? Thanks
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  9. lazzaro

    lazzaro Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    6
    First things first!

    1. I have done the Superspyantiware
    2. I have done the Hijack This
    3. I have run the XP Fix (the cmd.exe file in the Windows/system32 directory was missing...)
    4. I have done the SmitfraudFix

    Here the results:
    SUPERSPYANTIWARE

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/11/2007 at 06:39 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3266
    Trace Rules Database Version: 1277

    Scan type : Complete Scan
    Total Scan Time : 05:29:20

    Memory items scanned : 366
    Memory threats detected : 0
    Registry items scanned : 4024
    Registry threats detected : 0
    File items scanned : 63174
    File threats detected : 14

    Adware.Tracking Cookie
    C:\Documents and Settings\lay principale\Cookies\[email protected][2].txt

    Desktop Hijacker.AboutYourPrivacy
    C:\Documents and Settings\lay principale\Desktop\Error Cleaner.url
    C:\Documents and Settings\lay principale\Desktop\Privacy Protector.url
    C:\Documents and Settings\lay principale\Desktop\Spyware&Malware Protection.url
    C:\Documents and Settings\lay principale\Preferiti\Error Cleaner.url
    C:\Documents and Settings\lay principale\Preferiti\Privacy Protector.url
    C:\Documents and Settings\lay principale\Preferiti\Spyware&Malware Protection.url
    C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\IMAGES\CAPT.GIF
    C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\IMAGES\DANGER.JPG
    C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\IMAGES\DOWN.GIF
    C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\INDEX.HTM

    Malware.Ultimate Defender
    C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMPORARY INTERNET FILES\CONTENT.IE5\21O8AQTL\UDEFENDER_SETUP[1].EXE

    Trojan.Net-MSV/VPS-G
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182564.DLL

    Trojan.Downloader-Gen/AVP
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182565.EXE
    *******

    HIJACK THIS

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11.21.29, on 11/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\lxctcoms.exe
    C:\Programmi\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Programmi\Lexmark 5400 Series\lxctmon.exe
    C:\Programmi\Lexmark 5400 Series\ezprint.exe
    C:\Programmi\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmi\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [lxctmon.exe] "C:\Programmi\Lexmark 5400 Series\lxctmon.exe"
    O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Programmi\Lexmark 5400 Series\fm3032.exe" /s
    O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 5400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O4 - Global Startup: Desktop Manager.lnk = C:\Programmi\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.planetis.com/it
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: msddx - {AEDBED08-5EEB-4555-BF03-D95E98DB6478} - C:\WINDOWS\msddx.dll
    O21 - SSODL: msqnx - {BCDE187C-A1DA-4585-8A64-D59BB9C64578} - C:\WINDOWS\msqnx.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Programmi\FileMaker\FileMaker Server Trial 5.5\Fmserver.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 6314 bytes
    ******
    SMITFRAUD

    SmitFraudFix v2.202

    Scan done at 12.42.38,34, 11/07/2007
    Run from C:\Documents and Settings\lay principale\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    *****

    THE COMPUTER NOW seems not to be infected (there are no longer all the tedious pop-ups and fake alerts, at least) but it is very slow...

    Any other suggestions?

    Thanks very much
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    · Restart your computer
    · After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    · Instead of Windows loading as normal, the Advanced Options Menu should appear;
    · Select the first option, to run Windows in Safe Mode, then press Enter.
    · Choose your usual account.
    · Open the extracted SDFix folder and double click RunThis.bat to start the script.
    · Type Y to begin the cleanup process.
    · It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    · Press any Key and it will restart the PC.
    · When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    · Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    · Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  11. lazzaro

    lazzaro Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    6
    It works but deadly slow!

    This is SDFIX:

    SDFix: Version 1.90

    Run by lay principale on 11/07/2007 at 22.52

    Microsoft Windows XP [Versione 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:






    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing Security Center Service

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\Documents and Settings\lay principale\Desktop\CARTELLE\vale\Privacy Protector.url - Deleted
    C:\Documents and Settings\lay principale\Dati applicazioni\Install.dat - Deleted
    C:\DOCUME~1\LAYPRI~1\IMPOST~1\Temp\abc123.pid - Deleted
    C:\WINDOWS\dat.txt - Deleted
    C:\WINDOWS\rs.txt - Deleted
    C:\WINDOWS\rundll32.exe - Deleted



    Removing Temp Files...

    ADS Check:

    Checking C:\WINDOWS
    C:\WINDOWS
    No streams found.

    Checking C:\WINDOWS\system32
    C:\WINDOWS\system32
    No streams found.

    Checking C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking C:\WINDOWS\system32\ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Programmi\\Skype\\Phone\\Skype.exe"="C:\\Programmi\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
    "C:\\Programmi\\Messenger\\msmsgs.exe"="C:\\Programmi\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Programmi\\Real\\RealPlayer\\realplay.exe"="C:\\Programmi\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\WINDOWS\\system32\\lxctcoms.exe"="C:\\WINDOWS\\system32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182559.dll
    C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182555.exe
    C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182556.exe
    C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182557.exe
    C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182558.exe
    C:\WINDOWS\system\svcinit.exe
    C:\WINDOWS\system\TAPICFG.EXE
    C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP448\A0182181.sys
    C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP448\A0182219.sys
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL1832.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL2305.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL3034.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL3253.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0004.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0005.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0006.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0306.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0368.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0474.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0640.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0789.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0862.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0907.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0961.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1084.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1099.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1121.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1272.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1305.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1471.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1589.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1615.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1697.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1813.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1919.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1926.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1970.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2002.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2086.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2271.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2298.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2399.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2400.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2499.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2537.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2628.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2636.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2688.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2803.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2822.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2916.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2941.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3285.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3292.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3337.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3362.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3451.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3478.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3635.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3663.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3677.tmp
    C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3721.tmp
    C:\Documents and Settings\lay principale\Desktop\CARTELLE\LAZZARO\LOSI\LOSI\~WRL0001.tmp

    Finished
    ******

    This is HIJACKTHIS
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 0.14.34, on 12/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\lxctcoms.exe
    C:\Programmi\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Programmi\Lexmark 5400 Series\lxctmon.exe
    C:\Programmi\Lexmark 5400 Series\ezprint.exe
    C:\Programmi\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Skype\Plugin Manager\skypePM.exe
    C:\Programmi\Outlook Express\msimn.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Internet Explorer\IEXPLORE.EXE
    C:\apps\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [lxctmon.exe] "C:\Programmi\Lexmark 5400 Series\lxctmon.exe"
    O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Programmi\Lexmark 5400 Series\fm3032.exe" /s
    O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 5400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Global Startup: Desktop Manager.lnk = C:\Programmi\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.planetis.com/it
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
    O17 - HKLM\System\CS1\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Programmi\FileMaker\FileMaker Server Trial 5.5\Fmserver.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 5803 bytes



    What else? Thanks Lazzaro
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
Short URL to this thread: https://techguy.org/593941
