  #1  
Old 06-20-2008
gonny
Bronze Member
Join Date: May 2007
Posts: 13
Avira Antivir Warn

Hello everyone!
I have Avira Premium Security Antivirus, and it warns sequentially about the presence of these Trojans:

c:\windows\svchost.exe
trojan horse TR/Drop.SMall.apl

C:\host.exe
trojan horse TR/Drop.SMall.apl

C:\windows\system32\temp1.exe
backdoor program BDS/Small.LO

C:\windows\system32\temp2.exe
backdoor server program BDS/Small.LO

And I cannot quarantine svchost.exe because it is the generic host program and that ends my internet connection (maybe it was infected).
The other trojans host.exe, temp1.exe, temp2.exe are recreated continually every time I delete them or move them to quarantine.
Any help?


  #2  
Old 06-20-2008
D__
Moderator
Join Date: Oct 2007
Location: Isle Of Wight
Posts: 1,028
PC Experience: Some Experience
Re: Avira Antivir Warn

Hi, I suggest you follow the Prework (link in my signature) and post back with the relevant logs, and one of our security team will be able to help you.

D


  #3  
Old 06-20-2008
gonny
Bronze Member
Join Date: May 2007
Posts: 13
Re: Avira Antivir Warn

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.50.37, on 21/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\Avira Premium Security Suite\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\xampp\mysql\bin\winmysqladmin.exe
C:\Programmi\Avira\Avira Premium Security Suite\sched.exe
C:\Programmi\xampp\apache\bin\apache.exe
C:\Programmi\Avira\Avira Premium Security Suite\avesvc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
F:\Software\Windows apache + mysql-phphnet\xampp\FileZillaFTP\FileZillaServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\xampp\mysql\bin\mysqld-nt.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Programmi\Avira\Avira Premium Security Suite\avmailc.exe
C:\Programmi\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Programmi\Avira\Avira Premium Security Suite\GUARDGUI.EXE
C:\Programmi\Visicom Media\AceFTP 3 Pro\aceftp3.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Internet Download Manager\IDMan.exe
C:\Programmi\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\Veriu\Documenti\Downloads\Programs\HiJack This.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Programmi\Internet Download Manager\IDMIECC.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe "
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\Programmi\xampp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all links with IDM - C:\Programmi\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Programmi\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Programmi\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Programmi\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Programmi\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58415E2B-A355-47F0-9416-D45233382057}: NameServer = 213.230.155.94 213.230.130.222
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programmi\xampp\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - F:\Software\Windows apache + mysql-phphnet\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mysql - Unknown owner - C:\Programmi\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\wltrysvc.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Programmi\xampp\service.exe
--
End of file - 11315 bytes



Last edited by Pancake; 06-21-2008 at 02:08 AM. Reason: Code removed...
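An analyst reads a HijackThis log line by line for entries like the F3 win.ini hook, the svchost.exe outside system32 and the O17 resolvers above. As an added example, not code from the thread or from Trend Micro, here is a Python triage script that automates those checks over lines copied from the log above; the list of impersonated system binaries, the scratch-name pattern and the system32 location are assumptions of this example.

```python
# Triage helper for HijackThis 2.0 logs (added example, not code from the thread or
# from Trend Micro). It automates checks a reader makes by hand on the log above:
#   * F3 win.ini load= autostarts (a legacy hook that nothing modern uses);
#   * a system-binary name (svchost.exe, lsass.exe, ...) running from the wrong
#     directory, or a scratch-style name (temp1.exe) inside system32, in both the
#     "Running processes" list and O4 Run entries;
#   * O17 NameServer entries, with public resolvers called out for verification
#     because DNS-changer malware rewrites this key.
# Assumptions: real system binaries live in C:\WINDOWS\system32 (XP default); the
# scratch-name pattern is derived from the file names reported in this thread.
import ipaddress
import re
from dataclasses import dataclass

SYSTEM32_DIR = r"c:\windows\system32"
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe"}
SCRATCH_NAME_RE = re.compile(r"^(temp\d*|host|copy)\.exe$")
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")              # "O4 - HKLM\..\Run: ..."
EXE_RE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)   # first .exe of a command line


@dataclass
class Finding:
    severity: str   # "high" or "review"
    line: str       # the log line that triggered it
    reason: str


def split_path(path):
    """Return (directory, filename) lower-cased; directory is '' for a bare name."""
    p = path.strip().strip('"').lower()
    return tuple(p.rsplit("\\", 1)) if "\\" in p else ("", p)


def check_executable(path, line):
    """Flag system-binary names outside system32 and scratch names inside it."""
    d, n = split_path(path)
    if n in SYSTEM_BINARIES and d and d != SYSTEM32_DIR:
        return Finding("high", line, f"{n} runs from {d}; the real one is in {SYSTEM32_DIR}")
    if d == SYSTEM32_DIR and SCRATCH_NAME_RE.match(n):
        return Finding("high", line, f"scratch-style name {n} in {SYSTEM32_DIR}")
    return None


def o4_command(body):
    """Drop the '<hive>\\..\\Run: [name] ' or 'Startup: x.lnk = ' prefix of an O4 entry."""
    return body.split("] ", 1)[1] if "] " in body else body.rsplit(" = ", 1)[-1]


def is_public(ip):
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return True          # unparsable resolver value: also worth a look


def triage(log_text):
    """Walk an HJT log and return findings in log order."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:                       # header line or a process-list path
            f = check_executable(line, line) if in_processes else None
            if f:
                findings.append(f)
            continue
        in_processes = False                # the first R/F/O entry ends the process list
        kind, body = m.groups()
        f = None
        if kind == "F3" and "load=" in body:
            target = body.split("load=", 1)[1].strip()
            if target:
                findings.append(Finding("high", line, f"win.ini load= autostart of {target}"))
                f = check_executable(target, line)
        elif kind == "O4":
            em = EXE_RE.search(o4_command(body))
            f = check_executable(em.group(1), line) if em else None
        elif kind == "O17" and "NameServer" in body:
            public = [ip for ip in body.split("=", 1)[1].replace(",", " ").split() if is_public(ip)]
            if public:
                f = Finding("review", line, "public DNS resolvers " + " ".join(public)
                            + "; confirm they belong to your ISP")
        if f:
            findings.append(f)
    return findings


# Sample lines copied from the HijackThis log posted above (constructed excerpt).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\temp1.exe
C:\Programmi\Windows Defender\MSASCui.exe
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Startup: WinMySQLadmin.lnk = C:\Programmi\xampp\mysql\bin\winmysqladmin.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{58415E2B-A355-47F0-9416-D45233382057}: NameServer = 213.230.155.94 213.230.130.222
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```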
  #4  
Old 06-21-2008
D__
Moderator
Join Date: Oct 2007
Location: Isle Of Wight
Posts: 1,028
PC Experience: Some Experience
Re: Avira Antivir Warn

Thanks gonny

I have moved this thread to the [New] Hijackthis! Logs forum and one of our security staff will check it as soon as they can

Thank you for your patience

D


  #5  
Old 06-21-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,856
PC Experience: Elite PC Guru
Re: Avira Antivir Warn

OK. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here: A guide and tutorial on using ComboFix

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


__________________
My real name is Eddy
  #6  
Old 06-21-2008
gonny
Bronze Member
Join Date: May 2007
Posts: 13
Re: Avira Antivir Warn

ComboFix 08-06-20.4 - Veriu 2008-06-21 18.16.19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.431 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Veriu\Documenti\Downloads\Programs\ComboFix.exe
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\autorun.inf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\_004753_.tmp.dll
C:\WINDOWS\system32\_004754_.tmp.dll
C:\WINDOWS\system32\_004755_.tmp.dll
C:\WINDOWS\system32\_004756_.tmp.dll
C:\WINDOWS\system32\_004763_.tmp.dll
C:\WINDOWS\system32\_004764_.tmp.dll
C:\WINDOWS\system32\_004765_.tmp.dll
C:\WINDOWS\system32\_004766_.tmp.dll
C:\WINDOWS\system32\_004768_.tmp.dll
C:\WINDOWS\system32\_004769_.tmp.dll
C:\WINDOWS\system32\_004772_.tmp.dll
C:\WINDOWS\system32\_004773_.tmp.dll
C:\WINDOWS\system32\_004775_.tmp.dll
C:\WINDOWS\system32\_004776_.tmp.dll
C:\WINDOWS\system32\_004777_.tmp.dll
C:\WINDOWS\system32\_004779_.tmp.dll
C:\WINDOWS\system32\_004782_.tmp.dll
C:\WINDOWS\system32\_004783_.tmp.dll
C:\WINDOWS\system32\_004787_.tmp.dll
C:\WINDOWS\system32\_004788_.tmp.dll
C:\WINDOWS\system32\_004790_.tmp.dll
C:\WINDOWS\system32\_004793_.tmp.dll
C:\WINDOWS\system32\_004795_.tmp.dll
C:\WINDOWS\system32\_004796_.tmp.dll
C:\WINDOWS\system32\_004797_.tmp.dll
C:\WINDOWS\system32\_004798_.tmp.dll
C:\WINDOWS\system32\_004799_.tmp.dll
C:\WINDOWS\system32\_004802_.tmp.dll
C:\WINDOWS\system32\_004803_.tmp.dll
C:\WINDOWS\system32\_004804_.tmp.dll
C:\WINDOWS\system32\_004805_.tmp.dll
C:\WINDOWS\system32\_004806_.tmp.dll
C:\WINDOWS\system32\_004811_.tmp.dll
C:\WINDOWS\system32\_004813_.tmp.dll
C:\WINDOWS\system32\_004814_.tmp.dll
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\temp2.exe
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Creati Da 2008-05-21 al 2008-06-21 )))))))))))))))))))))))))))))))))))
.
2008-06-20 00:00 . 2008-06-20 00:00 <DIR> d-------- C:\Documents and Settings\LocalService\Documenti
2008-06-19 21:42 . 2008-06-20 22:22 <DIR> d-------- C:\Documents and Settings\Veriu\Dati applicazioni\Premium Security Suite
2008-06-19 21:37 . 2008-06-19 21:37 <DIR> d-------- C:\Programmi\Avira
2008-06-19 21:37 . 2008-06-19 21:53 71,592 --a------ C:\WINDOWS\system32\drivers\avfwot.sys
2008-06-19 21:37 . 2008-06-19 21:53 71,464 --a------ C:\WINDOWS\system32\drivers\avfwim.sys
2008-06-17 09:06 . 2007-04-19 07:29 450,560 -ra------ C:\WINDOWS\system32\drivers\WlanUZXP.sys
2008-06-14 00:24 . 2008-06-14 00:24 20 --a------ C:\WINDOWS\TemplateWizard.INI
2008-06-10 19:36 . 2008-06-14 19:32 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 19:31 . 2008-05-08 16:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-07 21:10 . 2008-06-07 21:10 230,424 --a------ C:\img1-001.raw
2008-06-04 19:38 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-04 19:38 . 2007-03-08 07:11 1,032,192 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-04 19:38 . 2008-04-23 06:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-04 19:38 . 2008-04-23 06:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-04 19:38 . 2008-04-23 06:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-04 19:38 . 2008-04-23 06:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-04 19:38 . 2008-04-23 06:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-04 19:38 . 2008-04-22 09:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-04 19:37 . 2008-04-23 06:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-03 19:27 . 2008-04-13 19:13 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-06-03 19:27 . 2008-04-13 19:13 94,208 -----c--- C:\WINDOWS\system32\dllcache\ehituner.dll
2008-06-03 19:27 . 2008-04-13 18:53 92,672 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-06-03 19:26 . 2008-06-03 19:26 <DIR> d-------- C:\WINDOWS\system32\it
2008-06-03 19:26 . 2008-04-13 19:14 380,928 --a------ C:\WINDOWS\system32\irprops.cpl
2008-06-03 19:15 . 2008-04-13 09:36 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-06-03 19:14 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\000001_.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 16:15 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\DMCache
2008-06-20 16:06 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Avira
2008-06-17 23:15 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\Sites
2008-06-17 23:15 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\SiteClasses
2008-06-16 22:20 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\CyberLink
2008-06-14 17:32 272,768 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 21:56 --------- d-----w C:\Programmi\eMule
2008-06-03 17:48 --------- d-----w C:\Programmi\Java
2008-06-01 17:03 --------- d-----w C:\Programmi\DEI_POS_IIED
2008-05-22 17:17 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\HP
2008-05-20 18:09 --------- d-----w C:\Programmi\GRAFILL
2008-05-20 18:09 --------- d-----w C:\Programmi\File comuni\Borland Shared
2008-05-18 15:11 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\Ulead Systems
2008-05-18 15:05 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Ulead Systems
2008-05-18 14:41 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\InstallShield
2008-05-18 14:39 --------- d-----w C:\Programmi\File comuni\InterVideo
2008-05-18 14:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InterVideo
2008-05-18 14:38 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-05-18 14:37 --------- d-----w C:\Programmi\Windows Media Components
2008-05-18 14:37 --------- d-----w C:\Programmi\File comuni\Ulead Systems
2008-05-18 14:36 --------- d-----w C:\Programmi\Ulead Systems
2008-05-18 14:11 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-18 14:11 290,816 ------w C:\WINDOWS\Setup1.exe
2008-05-18 08:42 --------- d-----w C:\Programmi\File comuni\snpstd
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 20:09 --------- d-----w C:\Programmi\Total Video Converter
2008-05-04 21:20 --------- d-----w C:\Programmi\DriverGuide DriverScan
2008-05-04 20:24 --------- d-----w C:\Programmi\Creative
2008-05-04 13:50 --------- d-----w C:\Programmi\Windows Live
2008-05-04 13:49 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2008-05-04 13:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2008-05-04 09:17 --------- d-----w C:\Programmi\OO Software
2008-05-04 09:06 --------- d-----w C:\Programmi\Google
2008-05-03 00:03 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\CyberLink
2008-05-03 00:01 --------- d-----w C:\Programmi\File comuni\CyberLink
2008-05-03 00:00 --------- d-----w C:\Programmi\CyberLink
2008-05-01 18:16 --------- d-----w C:\Programmi\Hewlett-Packard
2008-05-01 17:42 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\HP
2008-05-01 17:01 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Hewlett-Packard
2008-05-01 16:49 --------- d-----w C:\Programmi\HP
2008-05-01 16:49 --------- d-----w C:\Programmi\File comuni\HP
2008-05-01 16:46 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\HPSSUPPLY
2008-05-01 16:45 --------- d-----w C:\Programmi\File comuni\Hewlett-Packard
2008-05-01 15:53 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\Creative
2008-05-01 15:53 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Creative
2008-04-29 20:45 --------- d-----w C:\Programmi\Sportello Unico Immigrazione
2008-04-25 13:53 --------- d-----w C:\Programmi\xampp
2008-04-25 12:10 --------- d-----w C:\Programmi\Zend
2008-04-23 08:18 --------- d-----w C:\Programmi\File comuni\Java
2008-04-13 17:14 769,024 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
2008-04-13 17:14 744,448 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
2008-04-13 17:14 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-13 17:14 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-13 17:14 286,720 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-13 17:14 18,432 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\hscupd.exe
2008-04-13 17:14 172,032 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-04-13 17:14 151,552 ----a-w C:\WINDOWS\regedit.exe
2008-04-13 17:14 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-13 17:14 1,036,288 ----a-w C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 19:23 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-27 21:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 11:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Programmi\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 10:19 98304]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 10:18 499712]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 09:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Programmi\ltmoh\Ltmoh.exe" [2003-04-28 09:08 184320]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48 286720]
"avgnt"="C:\Programmi\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-19 21:53 262401]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:14 15360]
"DWQueuedReporting"="C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
C:\Documents and Settings\Veriu\Menu Avvio\Programmi\Esecuzione automatica\
WinMySQLadmin.lnk - C:\Programmi\xampp\mysql\bin\winmysqladmin.exe [2005-04-04 18:41:28 936448]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\FILECO~1\ULEADS~1\MPEG\ulmp3acm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]
--------- 2006-08-16 01:12 24576 C:\Programmi\Creative\Creative Live! Cam\VideoFX\StartFX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
C:\Programmi\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]
C:\Programmi\Creative\Shared Files\CTSched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:14 1695232 C:\Programmi\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 11:36 50472 C:\Programmi\CyberLink\PowerDVD8\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
--------- 2008-03-20 20:23 83240 C:\Programmi\CyberLink\PowerDVD8\PDVD8Serv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--------- 2007-07-23 13:55 341232 C:\Programmi\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Programmi\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Namo\\WebEditor 2006 Trial\\bin\\WebEditor.exe"=
R1 avfwot;avfwot;C:\WINDOWS\system32\DRIVERS\avfwot.sys [2008-06-19 21:53]
R2 AntiVirFirewallService;Avira Premium Security Suite Firewall;"C:\Programmi\Avira\Avira Premium Security Suite\avfwsvc.exe" [2008-06-19 21:53]
R2 AntiVirMailService;Avira Premium Security Suite MailGuard;"C:\Programmi\Avira\Avira Premium Security Suite\avmailc.exe" [2008-06-19 21:53]
R2 antivirwebservice;Avira Premium Security Suite WebGuard;"C:\Programmi\Avira\Avira Premium Security Suite\AVWEBGRD.EXE" [2008-06-19 21:53]
R2 Apache2.2;Apache2.2;"C:\Programmi\xampp\apache\bin\apache.exe" -k runservice []
R2 AVEService;Avira Premium Security Suite MailGuard helper service;"C:\Programmi\Avira\Avira Premium Security Suite\avesvc.exe" [2008-06-19 21:53]
R3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys [2008-06-19 21:53]
R3 XG762_XP;CONITECH 802.11g XG762N Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2007-04-19 07:29]
S2 XAMPP;XAMPP Service;C:\Programmi\xampp\service.exe [2006-10-23 16:24]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contenuto della cartella 'Scheduled Tasks'
"2008-06-21 16:31:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programmi\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 18:28:40
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\Programmi\Avira\Avira Premium Security Suite\avguard.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programmi\Avira\Avira Premium Security Suite\sched.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
F:\Software\Windows apache + mysql-phphnet\xampp\FileZillaFTP\FileZillaServer.exe
C:\Programmi\xampp\mysql\bin\mysqld-nt.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Ora fine scansione: 2008-06-21 18:34:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 16:34:43
8 Directory 65,427,496,960 byte disponibili
12 Directory 66,332,180,480 byte disponibili
280 --- E O F --- 2008-06-20 23:02:15


(((((((Altre eliminazioni)))))))) = Other removals

My OS is in Italian; I think it is not a problem for you...
Note:
I think there are some changes in the Windows registry, because after my Antivir deleted C:\copy.exe (detected as a trojan), when I double-click the C:\ drive it shows me a warning like "cannot find copy.exe ... etc.", but if I right-click C:\ and select Open, I can open it.



Last edited by Pancake; 06-21-2008 at 11:35 PM. Reason: Copied and pasted for better viewing....
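As an added example, not code from the thread or from ComboFix, this Python script pulls out of a ComboFix report the items a reviewer would weigh in the one above: autorun.inf files in the removal list, the MountPoints2 autorun command, and the Security Center and firewall policy values. The sample report is an excerpt constructed from the log above, and the reading of the "cannot find copy.exe" symptom as a stale autorun entry is this example's, not the analyst's.

```python
# Triage helper for a ComboFix report (added example, not code from the thread or
# from ComboFix). It pulls out of a report like the one above:
#   * autorun.inf files in the removal list: one at a drive root is the autorun-worm
#     dropper pattern, and a stale autorun entry whose .exe is already gone produces
#     a "cannot find <name>.exe" message when the drive is double-clicked;
#   * MountPoints2 \Shell\AutoRun\command values, Explorer's cached per-drive
#     autorun command, listed so the reviewer can confirm what the drive holds;
#   * Security Center / firewall policy values that leave the host exposed
#     (AntiVirusOverride=1 silences the antivirus alert, EnableFirewall=0 turns the
#     Windows Firewall off); third-party suites set these too, so they are "review".
# Assumption: the report uses the plain-text layout shown above ("[key]" lines
# followed by "name"=value lines; removed paths listed one per line).
import re
from dataclasses import dataclass

AUTORUN_FILE_RE = re.compile(r"^(?P<drive>[A-Za-z]:)\\(?P<sub>.*\\)?autorun\.inf$", re.IGNORECASE)
AUTORUN_CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')


@dataclass
class Finding:
    severity: str   # "high" or "review"
    where: str      # the report line
    reason: str


def reg_number(val):
    """Parse a ComboFix-printed number: 'dword:00000001' or '0 (0x0)'; None if absent."""
    parts = val.split()
    if not parts:
        return None
    tok = parts[0].lower()
    try:
        return int(tok[6:], 16) if tok.startswith("dword:") else int(tok, 0)
    except ValueError:
        return None


def triage_combofix(report):
    """Walk the report and return findings in report order."""
    findings, current_key = [], ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):      # registry key header
            current_key = line[1:-1].lower()
            continue
        m = AUTORUN_FILE_RE.match(line)
        if m:
            if m["sub"]:
                findings.append(Finding("review", line, "autorun.inf inside a folder; check what it launched"))
            else:
                findings.append(Finding("high", line, f"autorun.inf at the root of {m['drive'].upper()}: autorun-worm dropper pattern"))
            continue
        m = AUTORUN_CMD_RE.match(line)
        if m and "mountpoints2" in current_key:
            drive = current_key.rsplit("\\", 1)[-1].upper()
            findings.append(Finding("review", line, f"Explorer runs {m['cmd']} when drive {drive}: is opened; confirm it is expected"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, num = m["name"].lower(), reg_number(m["val"])
        if "security center" in current_key and name == "antivirusoverride" and num == 1:
            findings.append(Finding("review", line, "Security Center antivirus monitoring overridden"))
        elif "firewallpolicy" in current_key and name == "enablefirewall" and num == 0:
            findings.append(Finding("review", line, "Windows Firewall off for this profile"))
    return findings


# Constructed excerpt of the ComboFix report posted above.
SAMPLE_REPORT = r"""((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\autorun.inf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\temp1.exe
F:\Autorun.inf
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
"""

if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.reason}\n    {f.where}")
```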