1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Weird dialer

Discussion in 'Virus & Other Malware Removal' started by oikset, Jul 27, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. oikset

    oikset Thread Starter

    Joined:
    Nov 14, 2005
    Messages:
    24
    I got a dialer installed on my pc. It won't leave. It keeps on filling my windows/temp folder with temp files (such as idd7B.tmp) that even when I erase them they come back.
    Then, once in a while the actual dialer pops up asking me to connect and tries to dial-up, but of course I have ADSL so nothing happens. THe thing stays in the system tray, and I have to turn it off.
    I don't know if this is related, but once in a while, every half-hour or so, if im listening to audio (or watching video) the sound lags...it stutters, sounds metallic for a 1 second interval every 4 seconds....this episode lasts about 2 minutes....
    like i sadi i dont know if it's related...but it started happening as soon as this stupid dialer came into play.

    mm.
     
  2. ozrom1e

    ozrom1e

    Joined:
    May 15, 2006
    Messages:
    11,849
    I think your computer has an infection and the best way to find it out is by doing a HijackThis, please follow the instructions that follow:

    To download HJTsetup.exe To Download HijackThis go to the following: http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
    Filename = 1137518044HJTsetup.exe
    Save the file to your desktop.
    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\HijackThis.
    Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialog box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    At the top of the Notepad HJT log screen, hit Edit then Select All then click Edit and then click Copy doing that copies the text to the clipboard, you won't see it yet....
    Open a TechSupportGuy forum Reply window for this thread, to have ready to paste the Hijackthis log into. Click once to place the typing cursor in the reply window.
    At the top of your TSG/browser window, hit Edit then Paste
    You should see your copied Hijackthis log appear in the reply space....then, submit the reply
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. oikset

    oikset Thread Starter

    Joined:
    Nov 14, 2005
    Messages:
    24
    Hi.
    Thanks.
    This is the Hijackthis logfile. "Programmi" is Program files in italian. It's an italian pc, cuz I happen to work here.


    Logfile of HijackThis v1.99.1
    Scan saved at 16.38.43, on 27/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\FILECO~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\Norton Internet Security\ISSVC.exe
    C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
    C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ATK0100\HControl.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\Programmi\ASUS\Wireless Console\wcourier.exe
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
    C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Programmi\MessengerPlus! 3\MsgPlus.exe
    C:\Programmi\Google\Gmail Notifier\gnotify.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\Programmi\Folder Crypto Password\fppservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Rainlendar\Rainlendar.exe
    C:\Programmi\Konfabulator\Konfabulator.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\Programmi\Konfabulator\Konfabulator.exe
    C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\iTunes\iTunes.exe
    C:\WINDOWS\TEMP\win11B.tmp.exe
    C:\HIJKTHS\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {066AC5B3-5687-B616-78EC-F8CB2211F7C6} - C:\DOCUME~1\teskio\DATIAP~1\SHOWDOG\burn army.exe (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Programmi\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
    O4 - HKLM\..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM\..\Run: [Wireless Console] C:\Programmi\ASUS\Wireless Console\wcourier.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Bat Send Stupid Deaf] C:\Documents and Settings\All Users\Dati applicazioni\memomfcdbatsend\bore log.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmi\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [FCPAgent] C:\Programmi\Folder Crypto Password\fppservice.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [FACE DELETE] C:\DOCUME~1\teskio\DATIAP~1\DrawCopy\bendamenball.exe
    O4 - HKCU\..\Run: [Google Desktop for OE] "C:\Programmi\Google\Google Desktop Search\GDS for OE\gdsoe.exe" install
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - Startup: Rainlendar.lnk = C:\Programmi\Rainlendar\Rainlendar.exe
    O4 - Startup: Konfabulator.lnk = C:\Programmi\Konfabulator\Konfabulator.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi and welcome to TSG!!

    Your post has been moved to the Security Forum.

    Download Findlop by Metallica.
    http://metallica.geekstogo.com/findlop.zip

    Unzip it to your desktop.
    Double click findlop.bat.
    A Notepad file will open.
    Copy the content of that file and paste it into your reply to this thread.
     
  5. oikset

    oikset Thread Starter

    Joined:
    Nov 14, 2005
    Messages:
    24
    [TRACE] Enumerating jobs and queues
    [TRACE] Activating job 'Symantec NetDetect.job'
    [TRACE] Printing all job properties

    ApplicationName: 'C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE'
    Parameters: ''
    WorkingDirectory: 'C:\Programmi\Symantec\LiveUpdate'
    Comment: 'Symantec NetDetect'
    Creator: 'teskio'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 07/27/2006 15:58:00
    NextRun: 07/27/2006 19:58:00
    StartError: S_OK
    ExitCode: 0
    Status: SCHED_S_TASK_READY
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 0
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 0
    TaskFlags: 0

    1 Trigger

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 07/27/2006
    EndDate: 00/00/0000
    StartTime: 19:58
    MinutesDuration: 1440
    MinutesInterval: 240
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0


    [TRACE] Activating job 'A89D80D6913E30CE.job'
    [TRACE] Printing all job properties

    ApplicationName: 'c:\docume~1\teskio\datiap~1\drawcopy\flap sect download.exe'
    Parameters: ''
    WorkingDirectory: ''
    Comment: ''
    Creator: 'teskio'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 11/11/2005 15:00:00
    NextRun: 07/27/2006 17:00:00
    StartError: 0x80070002
    ExitCode: 0
    Status: SCHED_S_TASK_READY
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 0
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 1
    TaskFlags: 0

    1 Trigger

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 02/02/1998
    EndDate: 00/00/0000
    StartTime: 00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Copy and paste the text from the quote box to an empty file in Notepad.
    Save the file as fix.bat, Save as type: All files.
    Save it to your desktop.
    Doubleclick fix.bat on your desktop.
    A DOS box should open and close quickly, this is normal.


    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {066AC5B3-5687-B616-78EC-F8CB2211F7C6} - C:\DOCUME~1\teskio\DATIAP~1\SHOWDOG\burn army.exe (file missing)
    O4 - HKLM\..\Run: [Bat Send Stupid Deaf] C:\Documents and Settings\All Users\Dati applicazioni\memomfcdbatsend\bore log.exe

    Close all applications and browser windows before you click "fix checked".



    Please download Webroot SpySweeper from here: http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

    (It's a 2 week trial.)

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.

    Also post a new Hijack This log.
     
  7. oikset

    oikset Thread Starter

    Joined:
    Nov 14, 2005
    Messages:
    24
    22.38: The Spy Communication shield has blocked access to: HERE4SEARCH.BIZ
    22.38: The Spy Communication shield has blocked access to: HERE4SEARCH.BIZ
    22.38: The Spy Communication shield has blocked access to: SMART-SECURITY.BIZ
    22.38: The Spy Communication shield has blocked access to: SMART-SECURITY.BIZ
    22.37: Removal process completed. Elapsed time 00.00.02
    22.37: Quarantining All Traces: trojan agent winlogonhook
    22.37: Removal process initiated
    22.34: The Spy Communication shield has blocked access to: HERE4SEARCH.BIZ
    22.34: The Spy Communication shield has blocked access to: HERE4SEARCH.BIZ
    22.34: The Spy Communication shield has blocked access to: SMART-SECURITY.BIZ
    22.34: The Spy Communication shield has blocked access to: SMART-SECURITY.BIZ
    22.03: Traces Found: 1
    22.03: Full Sweep has completed. Elapsed time 01.26.05
    22.03: File Sweep Complete, Elapsed Time: 01.24.07
    21.59: Warning: Failed to access drive H:
    21.59: Warning: Failed to access drive G:
    21.59: Warning: Failed to access drive F:
    21.26: Warning: Failed to open file "c:\documents and settings\teskio\dati applicazioni\mozilla\firefox\profiles\k8uy828a.default\parent.lock". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\teskio\impostazioni locali\dati applicazioni\microsoft\windows\usrclass.dat.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\teskio\impostazioni locali\dati applicazioni\microsoft\windows\usrclass.dat". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\teskio\ntuser.dat". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\teskio\ntuser.dat.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\localservice\dati applicazioni\webroot\spy sweeper\data\settings.dat". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\localservice\impostazioni locali\dati applicazioni\microsoft\windows\usrclass.dat". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\localservice\impostazioni locali\dati applicazioni\microsoft\windows\usrclass.dat.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\microsoft\windows\usrclass.dat". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\networkservice\impostazioni locali\dati applicazioni\microsoft\windows\usrclass.dat.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.22: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.05: Warning: Failed to open file "c:\windows\system32\catroot2\tmp.edb". Impossibile accedere al file. Il file è utilizzato da un altro processo
    21.05: Warning: Failed to open file "c:\windows\system32\catroot2\edb.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\drivers\atapi.sys". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\sam". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\system". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\software". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\security". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\default". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\security.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\sam.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\default.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\software.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.51: Warning: Failed to open file "c:\windows\system32\config\system.log". Impossibile accedere al file. Il file è utilizzato da un altro processo
    20.39: Starting File Sweep
    20.39: Warning: Failed to open file "c:\pagefile.sys". Accesso negato
    20.39: Cookie Sweep Complete, Elapsed Time: 00.00.00
    20.39: Starting Cookie Sweep
    20.39: Registry Sweep Complete, Elapsed Time:00.00.09
    20.38: HKLM\software\microsoft\mssmgr\ (ID = 937101)
    20.38: Found Trojan Horse: trojan agent winlogonhook
    20.38: Starting Registry Sweep
    20.38: Memory Sweep Complete, Elapsed Time: 00.01.46
    20.37: Warning: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    20.37: Starting Memory Sweep
    20.37: Sweep initiated using definitions version 728
    20.37: Spy Sweeper 5.0.5.1286 started
    20.37: | Start of Session, giovedì 27 luglio 2006 |
    ********
    20.37: | End of Session, giovedì 27 luglio 2006 |
    20.36: Your spyware definitions have been updated.
    20.33: The Spy Communication shield has blocked access to: SMART-SECURITY.BIZ
    20.33: The Spy Communication shield has blocked access to: HERE4SEARCH.BIZ
    20.33: The Spy Communication shield has blocked access to: HERE4SEARCH.BIZ
    20.33: The Spy Communication shield has blocked access to: SMART-SECURITY.BIZ
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    20.30: Shield States
    20.30: Spyware Definitions: 691
    20.30: Spy Sweeper 5.0.5.1286 started
    20.30: Spy Sweeper 5.0.5.1286 started
    20.30: | Start of Session, giovedì 27 luglio 2006 |
    ********



    ------------------------------------


    Logfile of HijackThis v1.99.1
    Scan saved at 22.39.55, on 27/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\FILECO~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\Norton Internet Security\ISSVC.exe
    C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
    C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ATK0100\HControl.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\Programmi\ASUS\Wireless Console\wcourier.exe
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programmi\MessengerPlus! 3\MsgPlus.exe
    C:\Programmi\Google\Gmail Notifier\gnotify.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\Programmi\Folder Crypto Password\fppservice.exe
    C:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Rainlendar\Rainlendar.exe
    C:\Programmi\Konfabulator\Konfabulator.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\Programmi\Konfabulator\Konfabulator.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Programmi\Real\RealPlayer\RealPlay.exe
    C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\TEMP\win7A.tmp.exe
    C:\WINDOWS\TEMP\idd10C.tmp.exe
    C:\HIJKTHS\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Programmi\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
    O4 - HKLM\..\Run: [Power_Gear] "C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe" 1
    O4 - HKLM\..\Run: [Wireless Console] "C:\Programmi\ASUS\Wireless Console\wcourier.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
    O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Programmi\Google\Gmail Notifier\gnotify.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [FCPAgent] "C:\Programmi\Folder Crypto Password\fppservice.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [FACE DELETE] C:\DOCUME~1\teskio\DATIAP~1\DrawCopy\bendamenball.exe
    O4 - HKCU\..\Run: [Google Desktop for OE] "C:\Programmi\Google\Google Desktop Search\GDS for OE\gdsoe.exe" install
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - Startup: Rainlendar.lnk = C:\Programmi\Rainlendar\Rainlendar.exe
    O4 - Startup: Konfabulator.lnk = C:\Programmi\Konfabulator\Konfabulator.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
    ---------------------------------

    it still seems to pop up though...
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
     
  9. oikset

    oikset Thread Starter

    Joined:
    Nov 14, 2005
    Messages:
    24
    unfortunately the avenger logfile comes out empty.....
    im posting another hijackthis...

    Logfile of HijackThis v1.99.1
    Scan saved at 23.49.54, on 27/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\FILECO~1\Stardock\SDMCP.exe
    C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\Norton Internet Security\ISSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
    C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ATK0100\HControl.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\Programmi\ASUS\Wireless Console\wcourier.exe
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
    C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programmi\MessengerPlus! 3\MsgPlus.exe
    C:\Programmi\Google\Gmail Notifier\gnotify.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\Folder Crypto Password\fppservice.exe
    C:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\Programmi\Rainlendar\Rainlendar.exe
    C:\Programmi\Konfabulator\Konfabulator.exe
    C:\Programmi\Konfabulator\Konfabulator.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\HIJKTHS\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Programmi\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
    O4 - HKLM\..\Run: [Power_Gear] "C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe" 1
    O4 - HKLM\..\Run: [Wireless Console] "C:\Programmi\ASUS\Wireless Console\wcourier.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
    O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Programmi\Google\Gmail Notifier\gnotify.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [FCPAgent] "C:\Programmi\Folder Crypto Password\fppservice.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [FACE DELETE] C:\DOCUME~1\teskio\DATIAP~1\DrawCopy\bendamenball.exe
    O4 - HKCU\..\Run: [Google Desktop for OE] "C:\Programmi\Google\Google Desktop Search\GDS for OE\gdsoe.exe" install
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - Startup: Rainlendar.lnk = C:\Programmi\Rainlendar\Rainlendar.exe
    O4 - Startup: Konfabulator.lnk = C:\Programmi\Konfabulator\Konfabulator.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run Avenger again with this script.

    I'm having a language problem here with reading some of the logs or reports so please keep that in mind as I try to help you with this. ;)

    Download Ewido anti-spyware from HERE and save that file to your desktop.

    This is a 30 day trial of the program
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
    2. Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


    Post a new HijackThis log and the log from Ewido.
     
  11. oikset

    oikset Thread Starter

    Joined:
    Nov 14, 2005
    Messages:
    24
    sorry, was on business trip, it seems like the dialer no longer pops up.
    However spy sweeper detects the presence of a few spyware in the bkgrd.
    Tomorrow morning i will run Ewido and post hijackthis log to check and see.
    Thanks all.

    m.
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    No problem! (y)
     
  13. oikset

    oikset Thread Starter

    Joined:
    Nov 14, 2005
    Messages:
    24
    avenger seemed to work.
    I have no more problems of this dialer.
    Thanks much for your help, really appreciate it.
    Would like to donate, and will do so as soon as I get home.

    thanks!
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Great! Please let me know if you have any problems.
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Weird dialer
  1. spoonthumb
    Replies:
    9
    Views:
    513
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/486816

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice