06-20-2008   #1
gonny (Bronze Member)
Join Date: May 2007
Posts: 20

Avira Antivir Warn

Hello everyone!
I have Avira Premium Security Antivirus, and it warns, one after another, about the presence of these Trojans:

c:\windows\svchost.exe
trojan horse TR/Drop.SMall.apl

C:\host.exe
trojan horse TR/Drop.SMall.apl

C:\windows\system32\temp1.exe
backdoors programm BDS/Small.LO

C:\windows\system32\temp2.exe
backdoor server program BDS/Small.LO

And I cannot quarantine svchost.exe, because it is the generic host process and quarantining it ends my internet connection (maybe it was infected).
The other Trojans, host.exe, temp1.exe and temp2.exe, are recreated continually every time I delete them or move them to quarantine.
Any help?
06-20-2008   #2
D__ (Elite Member)
Join Date: Oct 2007
Location: Isle Of Wight
Posts: 1,109
PC Experience: Some Experience

Re: Avira Antivir Warn

Hi, I suggest you follow the Prework (link in my signature) and post back with the relevant logs, and one of our security team will be able to help you.

D
__________________
Dave
PREWORK - RULES
06-20-2008   #3
gonny (Bronze Member)
Join Date: May 2007
Posts: 20

Re: Avira Antivir Warn

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.50.37, on 21/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\Avira Premium Security Suite\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\xampp\mysql\bin\winmysqladmin.exe
C:\Programmi\Avira\Avira Premium Security Suite\sched.exe
C:\Programmi\xampp\apache\bin\apache.exe
C:\Programmi\Avira\Avira Premium Security Suite\avesvc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
F:\Software\Windows apache + mysql-phphnet\xampp\FileZillaFTP\FileZillaServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\xampp\mysql\bin\mysqld-nt.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Programmi\Avira\Avira Premium Security Suite\avmailc.exe
C:\Programmi\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Programmi\Avira\Avira Premium Security Suite\GUARDGUI.EXE
C:\Programmi\Visicom Media\AceFTP 3 Pro\aceftp3.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Internet Download Manager\IDMan.exe
C:\Programmi\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\Veriu\Documenti\Downloads\Programs\HiJack This.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Programmi\Internet Download Manager\IDMIECC.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\Programmi\xampp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all links with IDM - C:\Programmi\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Programmi\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Programmi\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Programmi\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Programmi\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58415E2B-A355-47F0-9416-D45233382057}: NameServer = 213.230.155.94 213.230.130.222
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programmi\xampp\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Programmi\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - F:\Software\Windows apache + mysql-phphnet\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mysql - Unknown owner - C:\Programmi\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\wltrysvc.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Programmi\xampp\service.exe
--
End of file - 11315 bytes

Last edited by Pancake; 06-21-2008 at 02:08 AM. Reason: Code removed...
06-21-2008   #4
D__ (Elite Member)
Join Date: Oct 2007
Location: Isle Of Wight
Posts: 1,109
PC Experience: Some Experience

Re: Avira Antivir Warn

Thanks gonny

I have moved this thread to the [New] Hijackthis! Logs forum and one of our security staff will check it as soon as they can

Thank you for your patience

D
__________________
Dave
PREWORK - RULES
06-21-2008   #5
Pancake (Senior Security Analyst)
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,794
PC Experience: Elite PC Guru

Re: Avira Antivir Warn

Ok. Let's download ComboFix.exe. This will give me a better view of the files running, and also hidden, on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
My real name is Eddy
06-21-2008   #6
gonny (Bronze Member)
Join Date: May 2007
Posts: 20

Re: Avira Antivir Warn

ComboFix 08-06-20.4 - Veriu 2008-06-21 18.16.19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.431 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Veriu\Documenti\Downloads\Programs\ComboFix.exe
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\autorun.inf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\_004753_.tmp.dll
C:\WINDOWS\system32\_004754_.tmp.dll
C:\WINDOWS\system32\_004755_.tmp.dll
C:\WINDOWS\system32\_004756_.tmp.dll
C:\WINDOWS\system32\_004763_.tmp.dll
C:\WINDOWS\system32\_004764_.tmp.dll
C:\WINDOWS\system32\_004765_.tmp.dll
C:\WINDOWS\system32\_004766_.tmp.dll
C:\WINDOWS\system32\_004768_.tmp.dll
C:\WINDOWS\system32\_004769_.tmp.dll
C:\WINDOWS\system32\_004772_.tmp.dll
C:\WINDOWS\system32\_004773_.tmp.dll
C:\WINDOWS\system32\_004775_.tmp.dll
C:\WINDOWS\system32\_004776_.tmp.dll
C:\WINDOWS\system32\_004777_.tmp.dll
C:\WINDOWS\system32\_004779_.tmp.dll
C:\WINDOWS\system32\_004782_.tmp.dll
C:\WINDOWS\system32\_004783_.tmp.dll
C:\WINDOWS\system32\_004787_.tmp.dll
C:\WINDOWS\system32\_004788_.tmp.dll
C:\WINDOWS\system32\_004790_.tmp.dll
C:\WINDOWS\system32\_004793_.tmp.dll
C:\WINDOWS\system32\_004795_.tmp.dll
C:\WINDOWS\system32\_004796_.tmp.dll
C:\WINDOWS\system32\_004797_.tmp.dll
C:\WINDOWS\system32\_004798_.tmp.dll
C:\WINDOWS\system32\_004799_.tmp.dll
C:\WINDOWS\system32\_004802_.tmp.dll
C:\WINDOWS\system32\_004803_.tmp.dll
C:\WINDOWS\system32\_004804_.tmp.dll
C:\WINDOWS\system32\_004805_.tmp.dll
C:\WINDOWS\system32\_004806_.tmp.dll
C:\WINDOWS\system32\_004811_.tmp.dll
C:\WINDOWS\system32\_004813_.tmp.dll
C:\WINDOWS\system32\_004814_.tmp.dll
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\temp2.exe
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Creati Da 2008-05-21 al 2008-06-21 )))))))))))))))))))))))))))))))))))
.
2008-06-20 00:00 . 2008-06-20 00:00 <DIR> d-------- C:\Documents and Settings\LocalService\Documenti
2008-06-19 21:42 . 2008-06-20 22:22 <DIR> d-------- C:\Documents and Settings\Veriu\Dati applicazioni\Premium Security Suite
2008-06-19 21:37 . 2008-06-19 21:37 <DIR> d-------- C:\Programmi\Avira
2008-06-19 21:37 . 2008-06-19 21:53 71,592 --a------ C:\WINDOWS\system32\drivers\avfwot.sys
2008-06-19 21:37 . 2008-06-19 21:53 71,464 --a------ C:\WINDOWS\system32\drivers\avfwim.sys
2008-06-17 09:06 . 2007-04-19 07:29 450,560 -ra------ C:\WINDOWS\system32\drivers\WlanUZXP.sys
2008-06-14 00:24 . 2008-06-14 00:24 20 --a------ C:\WINDOWS\TemplateWizard.INI
2008-06-10 19:36 . 2008-06-14 19:32 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 19:31 . 2008-05-08 16:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-07 21:10 . 2008-06-07 21:10 230,424 --a------ C:\img1-001.raw
2008-06-04 19:38 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-04 19:38 . 2007-03-08 07:11 1,032,192 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-04 19:38 . 2008-04-23 06:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-04 19:38 . 2008-04-23 06:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-04 19:38 . 2008-04-23 06:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-04 19:38 . 2008-04-23 06:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-04 19:38 . 2008-04-23 06:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-04 19:38 . 2008-04-22 09:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-04 19:37 . 2008-04-23 06:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-03 19:27 . 2008-04-13 19:13 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-06-03 19:27 . 2008-04-13 19:13 94,208 -----c--- C:\WINDOWS\system32\dllcache\ehituner.dll
2008-06-03 19:27 . 2008-04-13 18:53 92,672 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-06-03 19:26 . 2008-06-03 19:26 <DIR> d-------- C:\WINDOWS\system32\it
2008-06-03 19:26 . 2008-04-13 19:14 380,928 --a------ C:\WINDOWS\system32\irprops.cpl
2008-06-03 19:15 . 2008-04-13 09:36 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-06-03 19:14 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\000001_.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 16:15 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\DMCache
2008-06-20 16:06 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Avira
2008-06-17 23:15 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\Sites
2008-06-17 23:15 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\SiteClasses
2008-06-16 22:20 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\CyberLink
2008-06-14 17:32 272,768 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 21:56 --------- d-----w C:\Programmi\eMule
2008-06-03 17:48 --------- d-----w C:\Programmi\Java
2008-06-01 17:03 --------- d-----w C:\Programmi\DEI_POS_IIED
2008-05-22 17:17 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\HP
2008-05-20 18:09 --------- d-----w C:\Programmi\GRAFILL
2008-05-20 18:09 --------- d-----w C:\Programmi\File comuni\Borland Shared
2008-05-18 15:11 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\Ulead Systems
2008-05-18 15:05 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Ulead Systems
2008-05-18 14:41 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\InstallShield
2008-05-18 14:39 --------- d-----w C:\Programmi\File comuni\InterVideo
2008-05-18 14:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InterVideo
2008-05-18 14:38 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-05-18 14:37 --------- d-----w C:\Programmi\Windows Media Components
2008-05-18 14:37 --------- d-----w C:\Programmi\File comuni\Ulead Systems
2008-05-18 14:36 --------- d-----w C:\Programmi\Ulead Systems
2008-05-18 14:11 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-18 14:11 290,816 ------w C:\WINDOWS\Setup1.exe
2008-05-18 08:42 --------- d-----w C:\Programmi\File comuni\snpstd
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 20:09 --------- d-----w C:\Programmi\Total Video Converter
2008-05-04 21:20 --------- d-----w C:\Programmi\DriverGuide DriverScan
2008-05-04 20:24 --------- d-----w C:\Programmi\Creative
2008-05-04 13:50 --------- d-----w C:\Programmi\Windows Live
2008-05-04 13:49 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2008-05-04 13:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2008-05-04 09:17 --------- d-----w C:\Programmi\OO Software
2008-05-04 09:06 --------- d-----w C:\Programmi\Google
2008-05-03 00:03 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\CyberLink
2008-05-03 00:01 --------- d-----w C:\Programmi\File comuni\CyberLink
2008-05-03 00:00 --------- d-----w C:\Programmi\CyberLink
2008-05-01 18:16 --------- d-----w C:\Programmi\Hewlett-Packard
2008-05-01 17:42 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\HP
2008-05-01 17:01 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Hewlett-Packard
2008-05-01 16:49 --------- d-----w C:\Programmi\HP
2008-05-01 16:49 --------- d-----w C:\Programmi\File comuni\HP
2008-05-01 16:46 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\HPSSUPPLY
2008-05-01 16:45 --------- d-----w C:\Programmi\File comuni\Hewlett-Packard
2008-05-01 15:53 --------- d-----w C:\Documents and Settings\Veriu\Dati applicazioni\Creative
2008-05-01 15:53 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Creative
2008-04-29 20:45 --------- d-----w C:\Programmi\Sportello Unico Immigrazione
2008-04-25 13:53 --------- d-----w C:\Programmi\xampp
2008-04-25 12:10 --------- d-----w C:\Programmi\Zend
2008-04-23 08:18 --------- d-----w C:\Programmi\File comuni\Java
2008-04-13 17:14 769,024 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
2008-04-13 17:14 744,448 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
2008-04-13 17:14 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-13 17:14 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-13 17:14 286,720 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-13 17:14 18,432 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\hscupd.exe
2008-04-13 17:14 172,032 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-04-13 17:14 151,552 ----a-w C:\WINDOWS\regedit.exe
2008-04-13 17:14 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-13 17:14 1,036,288 ----a-w C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 19:23 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-27 21:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 11:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Programmi\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 10:19 98304]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 10:18 499712]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 09:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Programmi\ltmoh\Ltmoh.exe" [2003-04-28 09:08 184320]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48 286720]
"avgnt"="C:\Programmi\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-19 21:53 262401]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:14 15360]
"DWQueuedReporting"="C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
C:\Documents and Settings\Veriu\Menu Avvio\Programmi\Esecuzione automatica\
WinMySQLadmin.lnk - C:\Programmi\xampp\mysql\bin\winmysqladmin.exe [2005-04-04 18:41:28 936448]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\FILECO~1\ULEADS~1\MPEG\ulmp3acm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]
--------- 2006-08-16 01:12 24576 C:\Programmi\Creative\Creative Live! Cam\VideoFX\StartFX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
C:\Programmi\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]
C:\Programmi\Creative\Shared Files\CTSched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:14 1695232 C:\Programmi\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 11:36 50472 C:\Programmi\CyberLink\PowerDVD8\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
--------- 2008-03-20 20:23 83240 C:\Programmi\CyberLink\PowerDVD8\PDVD8Serv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--------- 2007-07-23 13:55 341232 C:\Programmi\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Programmi\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Namo\\WebEditor 2006 Trial\\bin\\WebEditor.exe"=
R1 avfwot;avfwot;C:\WINDOWS\system32\DRIVERS\avfwot.sys [2008-06-19 21:53]
R2 AntiVirFirewallService;Avira Premium Security Suite Firewall;"C:\Programmi\Avira\Avira Premium Security Suite\avfwsvc.exe" [2008-06-19 21:53]
R2 AntiVirMailService;Avira Premium Security Suite MailGuard;"C:\Programmi\Avira\Avira Premium Security Suite\avmailc.exe" [2008-06-19 21:53]
R2 antivirwebservice;Avira Premium Security Suite WebGuard;"C:\Programmi\Avira\Avira Premium Security Suite\AVWEBGRD.EXE" [2008-06-19 21:53]
R2 Apache2.2;Apache2.2;"C:\Programmi\xampp\apache\bin\apache.exe" -k runservice []
R2 AVEService;Avira Premium Security Suite MailGuard helper service;"C:\Programmi\Avira\Avira Premium Security Suite\avesvc.exe" [2008-06-19 21:53]
R3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys [2008-06-19 21:53]
R3 XG762_XP;CONITECH 802.11g XG762N Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2007-04-19 07:29]
S2 XAMPP;XAMPP Service;C:\Programmi\xampp\service.exe [2006-10-23 16:24]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contenuto della cartella 'Scheduled Tasks'
"2008-06-21 16:31:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programmi\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 18:28:40
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\Programmi\Avira\Avira Premium Security Suite\avguard.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programmi\Avira\Avira Premium Security Suite\sched.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
F:\Software\Windows apache + mysql-phphnet\xampp\FileZillaFTP\FileZillaServer.exe
C:\Programmi\xampp\mysql\bin\mysqld-nt.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Ora fine scansione: 2008-06-21 18:34:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 16:34:43
8 Directory 65,427,496,960 byte disponibili
12 Directory 66,332,180,480 byte disponibili
280 --- E O F --- 2008-06-20 23:02:15


(((((((Altre eliminazioni))))))))= Other removals

My OS is in Italian; I think that is not a problem for you...
Note:
I think there are some changes in the Windows registry, because after my Antivir deleted C:\copy.exe (detected as a trojan), when I double-click the C:\ drive it shows me a warning like "cannot find copy.exe ... etc.", but if I right-click C:\ and select Open, I can open it.

Last edited by Pancake; 06-21-2008 at 11:35 PM. Reason: Copied and pasted for better viewing....
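The HijackThis log in post #3 and the ComboFix log above contain the entries a log reviewer checks first: a second svchost.exe outside system32 loaded through win.ini, static DNS resolvers, autorun.inf files at drive roots, and the Security Center and Windows Firewall values that are switched off. The triage script below is an added example, not a tool from this forum or from the HijackThis/ComboFix authors; its sample lines are constructed from the shape of the two logs, and its rules are assumptions about what deserves a human look, not a verdict on any entry.

```python
"""Triage helper for the HijackThis and ComboFix logs posted in this thread.
Added example (not a forum or vendor tool); rules and samples are constructed."""
import ntpath
import re
from dataclasses import dataclass

# Names that belong only in %SystemRoot%\system32; the same name anywhere
# else (the thread's C:\WINDOWS\svchost.exe) is a lookalike worth a look.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "csrss.exe", "smss.exe"}

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys|cpl|inf)', re.I)
WININI_RE = re.compile(r'^F\d - REG:win\.ini: (load|run)=(\S.*)$')
NAMESERVER_RE = re.compile(r'^O17 - .*NameServer = (.+)$')
CF_KEY_RE = re.compile(r'^\[(.+)\]$')   # ComboFix "[HKEY_...]" key header

@dataclass(frozen=True)
class Finding:
    severity: str   # "high" (act on it) or "review" (verify by hand)
    rule: str
    detail: str

def lookalike_system_binary(path: str) -> bool:
    """A protected system binary name whose directory is not \\system32."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    return name in SYSTEM_BINARIES and not parent.endswith("\\system32")

def autorun_at_drive_root(path: str) -> bool:
    """autorun.inf directly under a drive letter changes what a double click
    on that drive does (the poster's 'cannot find copy.exe' symptom)."""
    return (ntpath.basename(path).lower() == "autorun.inf"
            and len(ntpath.dirname(path)) == 3)      # dirname is e.g. "C:\"

def _path_findings(line: str) -> list:
    """Rules applied to every drive-letter path on a line, in either log."""
    out = []
    for path in PATH_RE.findall(line):
        if lookalike_system_binary(path):
            out.append(Finding("high", "system binary outside system32", path))
        if autorun_at_drive_root(path):
            out.append(Finding("high", "autorun.inf at drive root", path))
    return out

def triage_hjt(log: str) -> list:
    """Scan HijackThis lines (F3, O4, O17, O23 ...) for entries to review."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        m = WININI_RE.match(line)
        if m:   # win.ini load=/run= is a legacy autostart, rarely set legitimately
            findings.append(Finding("review", "win.ini autostart", f"{m[1]}={m[2]}"))
        m = NAMESERVER_RE.match(line)
        if m:   # static resolvers: confirm they are the ISP's, not a DNS changer's
            findings.append(Finding("review", "custom DNS resolver", m[1].strip()))
        findings.extend(_path_findings(line))
    return findings

def triage_combofix(log: str) -> list:
    """Walk ComboFix output, remembering the registry key a value sits under."""
    findings, key = [], ""
    for line in (l.strip() for l in log.splitlines()):
        m = CF_KEY_RE.match(line)
        if m:
            key = m[1].lower()
            continue
        if re.match(r'"AntiVirusOverride"=dword:0*1$', line):
            findings.append(Finding("review", "Security Center AV alerts suppressed", key))
        elif re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding("review", "Windows Firewall disabled", key))
        elif "mountpoints2" in key and line.lower().startswith(r"\shell\autorun\command"):
            findings.append(Finding("review", "per-drive AutoRun handler", line))
        findings.extend(_path_findings(line))
    return findings

# Constructed sample lines, shaped like the two logs posted in the thread.
HJT_SAMPLE = r"""
C:\WINDOWS\System32\svchost.exe
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\Avira Premium Security Suite\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{58415E2B-A355-47F0-9416-D45233382057}: NameServer = 213.230.155.94 213.230.130.222
"""
COMBOFIX_SAMPLE = r"""
C:\autorun.inf
C:\WINDOWS\svchost.exe
F:\Autorun.inf
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
"""
```

Run against the two samples it reports three HijackThis findings (one high) and six ComboFix findings (three high); a "review" finding only says a human should confirm the value, since static resolvers and a DVD's AutoRun handler are often legitimate.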
06-21-2008   #7
Pancake (Senior Security Analyst)
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,794
PC Experience: Elite PC Guru

Re: Avira Antivir Warn

Before we can carry on with your cleanup we need to install your Recovery Console.
Go to Microsoft's website => How to obtain Windows XP Setup boot disks
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________
My real name is Eddy
