Tech Support Guy banner

Post #1 (Discussion Starter, Registered member, 10 Posts):
Hi everyone, this is my first thread in this forum. I hope someone will be kind enough to help me.

I'm trying to delete a lot of spyware, but it is very difficult.

The main problem is that there is a process (svchost.exe) on my computer that takes 100% of my CPU.

I did a Panda scan and found these results:

Adware:adware/popmonster Non Disinfettato C:\Documents and Settings\Mic\Preferiti\shopping\eBay.url
Adware:adware/transponder Non Disinfettato Registro di sistema di Windows
Spyware:spyware/safesurf Non Disinfettato Registro di sistema di Windows
Dialer:dialer.min Non Disinfettato HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB893839-10F0-4AF9-92FA-B23528F530AF}
Adware:adware/favadd Non Disinfettato Registro di sistema di Windows
Adware:adware/enhsrch Non Disinfettato Registro di sistema di Windows
Adware:adware/aurora Non Disinfettato Registro di sistema di Windows
Adware:adware/sgrunt Non Disinfettato Registro di sistema di Windows
Adware:adware/elitebar Non Disinfettato Registro di sistema di Windows
Adware:adware/wupd Non Disinfettato Registro di sistema di Windows
Adware:adware/ieplugin Non Disinfettato Registro di sistema di Windows
Spyware:spyware/apropos Non Disinfettato Registro di sistema di Windows
Spyware:spyware/betterinet Non Disinfettato Registro di sistema di Windows
Spyware:Cookie/Abetterinternet Non Disinfettato C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
Spyware:Cookie/Btgrab Non Disinfettato C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Non Disinfettato C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
Spyware:Cookie/Twain-Tech Non Disinfettato C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/OfferOptimizer Non Disinfettato C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
Spyware:Cookie/Tradedoubler Non Disinfettato C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/888 Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/NewMedia Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Ccbill Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][14].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][3].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][7].txt
Spyware:Cookie/Com.com Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/360i Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/did-it Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/GoStats Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/Go Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Screensavers Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/Itrack Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/DriveCleaner Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/Toplist Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/WebPower Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/BurstBeacon Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/web-stat Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][2].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Buydomains Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/Yadro Non Disinfettato C:\Documents and Settings\Mic\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Non Disinfettato C:\Documents and Settings\Mic\Impostazioni locali\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Mic\Impostazioni locali\Temp\Cookies\[email protected][4].txt
Spyware:Cookie/Com.com Non Disinfettato C:\Documents and Settings\Mic\Impostazioni locali\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Go Non Disinfettato C:\Documents and Settings\Mic\Impostazioni locali\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Non Disinfettato C:\Documents and Settings\Mic\Impostazioni locali\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Yadro Non Disinfettato C:\Documents and Settings\Mic\Impostazioni locali\Temp\Cookies\[email protected][2].txt

I also did a spyware removal with Ad-Aware, but it is not enough; there is still the svchost problem...

Thanks a lot to everyone who would like to help me.

Michi
 

Post #2 (Discussion Starter, Registered member, 10 Posts):
This is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 14.45.26, on 05/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mic\Desktop\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.studenti.unicatt.it:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [pvpehe] Driver = Virus (Dll Drpmon- Nail-) FOTTUTO
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Programmi\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [LaCie Backup] C:\Programmi\LaCie\Backup Software\\LaCieBackup.exe /background
O4 - Startup: Traduttore in Internet.lnk = C:\Programmi\TG\TGWeb.exe
O4 - Startup: Traduttore In-Linea.lnk = C:\Programmi\TG\TGOnline.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} (Entire Screen Builder Web Viewer) - http://vblu.uni-bocconi.it/vblu/NWWClientFull.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/it/it/tools/activex/fpu.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {92E7E45A-D8C8-480E-AF99-176E43997CAA} (Aurigma Image Uploader 3.5 Combo Control) - http://www.pixdiscount.it/clients/ImageUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programmi\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
 
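A triage pass over HijackThis O4 (autostart) lines like the ones posted above, added here as an example; it is not a tool from this thread nor from the HijackThis or ComboFix authors. The sample lines are constructed from the entries in this thread (the msconfig/startupreg and Policies\Explorer\Run items from the later ComboFix log are rewritten in O4 form), and the heuristics (command that is not an absolute path, missing executable extension, unfamiliar binary in the Windows system directory, autostart via Policies\Explorer\Run) are the checks a helper applies by eye, a prompt for review rather than a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis and ComboFix entries in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [pvpehe] Driver = Virus (Dll Drpmon- Nail-) FOTTUTO
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [bpzfrb] C:\WINDOWS\system32\bpzfrb.exe r
O4 - HKCU\..\Policies\Explorer\Run: [isdmure.exe] C:\WINDOWS\system\isdmure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 registry line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\S*?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$"
)
EXEC_EXT = (".exe", ".dll", ".cpl", ".scr", ".com", ".bat", ".cmd", ".vbs")
# Windows XP binaries that legitimately autostart from the system directory (extend as needed).
KNOWN_BENIGN = {"ctfmon.exe", "rundll32.exe", "dumprep", "dumprep.exe"}
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z]+%\\)")
SYSTEM_DIR_RE = re.compile(
    r"^(?:[A-Za-z]:\\WINDOWS\\|%systemroot%\\)(?:system32|system)\\[^\\]+$", re.IGNORECASE
)


@dataclass
class Finding:
    name: str
    command: str
    reasons: list


def first_token(command):
    """Return the program part of an autorun command: the quoted path, or the unquoted
    path up to the first executable extension (paths with spaces), else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    low = command.lower()
    best = None
    for ext in EXEC_EXT:
        idx = low.find(ext)
        while idx != -1:
            end = idx + len(ext)
            if end == len(low) or low[end].isspace():
                if best is None or end < best:
                    best = end
                break
            idx = low.find(ext, end)
    if best is not None:
        return command[:best]
    parts = command.split()
    return parts[0] if parts else ""


def triage_o4(line):
    """Parse one O4 line and attach review reasons; None if the line is not an O4 registry entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, key, command = m["name"], m["key"], m["command"]
    program = first_token(command)
    basename = program.rsplit("\\", 1)[-1].lower()
    reasons = []
    if "policies" in key.lower():
        reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
    is_path = bool(ABS_PATH_RE.match(program))
    if not is_path:
        reasons.append("command is not an absolute path: " + repr(program))
    if is_path and basename not in KNOWN_BENIGN and not basename.endswith(EXEC_EXT):
        reasons.append("target has no executable extension: " + basename)
    if SYSTEM_DIR_RE.match(program) and basename not in KNOWN_BENIGN:
        reasons.append("unfamiliar binary in the Windows system directory: " + basename)
    return Finding(name, command, reasons)


def triage_log(text):
    """Run the checks over every O4 line of a HijackThis log; keep only entries with reasons."""
    return [f for f in (triage_o4(l) for l in text.splitlines()) if f and f.reasons]


def flagged_names(text):
    return sorted(f.name for f in triage_log(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT):
        print(f"[{f.name}] {f.command}")
        for r in f.reasons:
            print("    -", r)
```

Entries that pass these checks are not cleared by them; the allowlist and the system-directory rule are deliberately narrow so that a scan-heavy log still surfaces only a handful of lines for a human to look up.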

Derek (Retired Moderator, Retired Malware Specialist, 56,593 Posts):
Download Combofix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall.
 

Post #6 (Discussion Starter, Registered member, 10 Posts):
Thanks in advance for the help.

"Mic" - 07-01-09 19.38.58 Service Pack 2
ComboFix 07-01-09W-BetaE2 - Running from: "C:\Documents and Settings\Mic\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\INSTALL.LOG
C:\WINDOWS\Downloaded Program Files\rave

((((((((((((((((((((((((((((((( Files Created from 2006-12-09 to 2007-01-09 ))))))))))))))))))))))))))))))))))

2007-01-09 19:23 d-------- C:\WINDOWS\LastGood
2007-01-09 10:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-01-08 21:01 d-a------ C:\DOCUME~1\ALLUSE~1\Dati applicazioni\TEMP
2007-01-08 21:01 d-------- C:\Programmi\Spyware Doctor
2007-01-08 21:01 d-------- C:\DOCUME~1\Mic\Dati applicazioni\PC Tools
2007-01-08 20:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-08 20:06 d-------- C:\Programmi\Grisoft
2007-01-07 10:48 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 10:37 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-01-07 10:37 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-01-07 10:33 d-------- C:\DOCUME~1\ALLUSE~1\Dati applicazioni\Google Updater
2007-01-06 23:37 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-01-06 23:37 0 --a------ C:\WINDOWS\ORUN32.EXE
2007-01-06 23:26 d-------- C:\Programmi\SUPERAntiSpyware
2007-01-06 23:26 d-------- C:\DOCUME~1\Mic\Dati applicazioni\SUPERAntiSpyware.com
2007-01-06 18:41 d-------- C:\DOCUME~1\Mic\Dati applicazioni\Uniblue
2007-01-06 18:40 d-------- C:\Programmi\Uniblue
2007-01-06 16:09 d-------- C:\Programmi\LIUtilities
2007-01-06 13:44 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-01-06 13:44 d-------- C:\Programmi\TuneUp Utilities 2006
2007-01-06 13:44 d-------- C:\DOCUME~1\Mic\Dati applicazioni\TuneUp Software
2007-01-06 13:44 d-------- C:\DOCUME~1\ALLUSE~1\Dati applicazioni\TuneUp Software
2007-01-05 19:54 d-------- C:\marko
2007-01-05 19:53 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-01-05 19:53 299,392 --a------ C:\WINDOWS\system32\imon.dll
2007-01-05 19:53 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-01-05 15:28 d-------- C:\Programmi\File comuni\Wise Installation Wizard
2007-01-05 10:15 d-------- C:\Programmi\Trend Micro
2007-01-05 10:12 d-------- C:\DOCUME~1\Mic\.housecall6.6
2007-01-05 09:52 d-------- C:\Programmi\RegistryFix
2007-01-04 18:12 d-------- C:\WINDOWS\WBEM
2007-01-04 18:11 d-------- C:\WINDOWS\system32\it-it
2007-01-04 18:09 d--h-c--- C:\WINDOWS\ie7
2007-01-04 18:06 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-04 18:05 d-------- C:\WINDOWS\network diagnostic
2007-01-04 10:55 d---s---- C:\DOCUME~1\Guest\UserData
2007-01-02 17:08 d-------- C:\Programmi\File comuni\Skype
2006-12-24 13:21 d-------- C:\Programmi\TomTom HOME
2006-12-24 12:42 d-------- C:\DOCUME~1\Mic\Dati applicazioni\LaCie
2006-12-24 12:41 d-------- C:\Programmi\LaCie
2006-12-24 12:38 d-------- C:\Programmi\Mediafour
2006-12-21 20:07 d-------- C:\DOCUME~1\Mic\Incomplete
2006-12-21 20:05 d-------- C:\DOCUME~1\Mic\.limewire

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-09 19:38 -------- d-------- C:\Programmi\microsoft antispyware
2007-01-09 19:00 -------- d-------- C:\Programmi\msn messenger
2007-01-07 13:18 -------- d--h----- C:\Programmi\installshield installation information
2007-01-07 13:15 -------- d-------- C:\Programmi\lg pc suite
2007-01-07 13:15 -------- d-------- C:\Programmi\google
2007-01-07 13:09 -------- d-------- C:\Programmi\File comuni\symantec shared
2007-01-07 10:38 -------- d-------- C:\Programmi\mozilla firefox
2007-01-07 10:37 -------- d-------- C:\Programmi\picasa2
2007-01-07 00:26 -------- d-------- C:\Programmi\matlab7
2007-01-07 00:17 -------- d-------- C:\Programmi\longman student
2007-01-07 00:16 -------- d-------- C:\Programmi\emule
2007-01-06 23:37 -------- d-------- C:\Programmi\samsung ml-2010 series
2007-01-06 20:04 -------- d-------- C:\Programmi\itunes
2007-01-06 16:11 -------- d-------- C:\DOCUME~1\Mic\Dati applicazioni\skype
2007-01-02 17:08 -------- d-------- C:\Programmi\skype
2006-12-26 20:56 -------- d-------- C:\DOCUME~1\Mic\Dati applicazioni\apple computer
2006-12-24 12:41 -------- d---s---- C:\DOCUME~1\Mic\Dati applicazioni\microsoft
2006-12-21 10:31 -------- d-------- C:\DOCUME~1\Mic\Dati applicazioni\adobeum
2006-12-07 06:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-01 17:09 -------- d-------- C:\DOCUME~1\Mic\Dati applicazioni\amule
2006-12-01 16:53 -------- d-------- C:\Programmi\camfrog
2006-11-21 09:24 -------- d-------- C:\Programmi\msxml 4.0
2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-20 02:38 714752 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 13:35 143360 --a------ C:\WINDOWS\system32\nwprovau.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Programmi\\Google\\GoogleToolbarNotifier\\1.2.908.6962\\GoogleToolbarNotifier.exe"
"PcSync"="C:\\Programmi\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"LaCie Backup"="C:\\Programmi\\LaCie\\Backup Software\\\\LaCieBackup.exe /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Uniblue Registry Booster"="C:\\Programmi\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
"SUPERAntiSpyware"="C:\\Programmi\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"DW4"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Programmi\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Samsung Common SM"="\"C:\\WINDOWS\\Samsung\\ComSMMgr\\ssmmgr.exe\" /autorun"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"iTunesHelper"="\"C:\\Programmi\\iTunes\\iTunesHelper.exe\""
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"nod32kui"="\"C:\\Programmi\\Eset\\nod32kui.exe\" /WAITSERVICE"
"Google Desktop Search"="\"C:\\Programmi\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"!AVG Anti-Spyware"="\"C:\\Programmi\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DW4"="\"C:\\Programmi\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"googletalk"="\"C:\\Programmi\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Programmi\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Cisco Systems VPN Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica\\Cisco Systems VPN Client.lnk"
"backup"="C:\\WINDOWS\\pss\\Cisco Systems VPN Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CISCOS~1\\VPNCLI~1\\vpngui.exe \"-user_logon\""
"item"="Cisco Systems VPN Client"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Device Detector 2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica\\Device Detector 2.lnk"
"backup"="C:\\WINDOWS\\pss\\Device Detector 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Olympus\\DEVICE~1\\DevDtct2.exe "
"item"="Device Detector 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DATALA~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\FILECO~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\exp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="exp"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\exp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"command"="\"C:\\Programmi\\Microsoft AntiSpyware\\gcasServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Logi_MwX"
"hkey"="HKLM"
"command"="Logi_MwX.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Launch Application 2"
"hkey"="HKLM"
"command"="C:\\Programmi\\Nokia\\Nokia PC Suite 6\\Launch Application 2.exe -onlytray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PcSync2"
"hkey"="HKCU"
"command"="C:\\Programmi\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ppctmb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bpzfrb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\bpzfrb.exe r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Programmi\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Programmi\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Programmi\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Programmi\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"isdmure.exe"="C:\\WINDOWS\\system\\isdmure.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/DOCUME~1/Mic/IMPOST~1/Temp/msohtml1/01/clip_image002.jpg

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-09 19:41:32
 

· Retired Moderator Retired Malware Specialist · 56,593 Posts · First Name - Derek
First, I can see you have NOD installed as well as avast & that might be part of the problem

However, there are also some viruses etc. there

First download the attached rem_mc.zip & save it to the desktop
unzip it & double click the reg file & say yes to the prompts to merge it with the registry

then

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\exp
C:\WINDOWS\system32\bpzfrb.exe
C:\WINDOWS\system\isdmure.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply, with a new HJT log taken in NORMAL, not safe, mode
 

Attachments

· Registered · 10 Posts · Discussion Starter · #8 ·
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tvkfupca

*******************

Script file located at: \??\C:\WINDOWS\system32\voperyoq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\exp not found!
Deletion of file C:\WINDOWS\system32\exp failed!

Could not process line:
C:\WINDOWS\system32\exp
Status: 0xc0000034



File C:\WINDOWS\system32\bpzfrb.exe not found!
Deletion of file C:\WINDOWS\system32\bpzfrb.exe failed!

Could not process line:
C:\WINDOWS\system32\bpzfrb.exe
Status: 0xc0000034



File C:\WINDOWS\system\isdmure.exe not found!
Deletion of file C:\WINDOWS\system\isdmure.exe failed!

Could not process line:
C:\WINDOWS\system\isdmure.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
 

· Retired Moderator Retired Malware Specialist · 56,593 Posts · First Name - Derek
Let's see if this shows anything

  • Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click " Configure Scan Options"
  • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
  • Now Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Reboot back to Normal Mode!
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post! It will be too big to post, so you will need to attach it to your reply

And there is NO need to send me a PM every time you reply, as I get notified when you have replied to THIS thread
 

· Retired Moderator Retired Malware Specialist · 56,593 Posts · First Name - Derek
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\jrojb.dll
C:\yqwtkdod.bat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
 

· Registered · 10 Posts · Discussion Starter · #13 ·
I have also done this step; how is it going?

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\anmxivrj

*******************

Script file located at: \??\C:\wedngpud.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\jrojb.dll not found!
Deletion of file C:\WINDOWS\system32\jrojb.dll failed!

Could not process line:
C:\WINDOWS\system32\jrojb.dll
Status: 0xc0000034

File C:\yqwtkdod.bat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 

· Retired Moderator Retired Malware Specialist · 56,593 Posts · First Name - Derek
None of the files seem to exist & only seem to be registry references

What happens when you try to start in normal mode?
 
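The check behind the conclusion above (files that Avenger could not find exist only as registry references), as an added example that is not part of the thread: it parses a .reg-style export like the msconfig/Run dump posted earlier, decodes the 0xc0000034 status from an Avenger log, and lists autorun entries whose target was reported missing. Both inputs are constructed excerpts that reuse the thread's paths; the function and variable names are ours.

```python
import re
# Constructed excerpts in the format of the registry dump and Avenger logs posted
# above; the paths are the thread's, the choice of entries is ours.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ppctmb]
"command"="C:\\WINDOWS\\system32\\bpzfrb.exe r"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"command"="\"C:\\Programmi\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"isdmure.exe"="C:\\WINDOWS\\system\\isdmure.exe"
'''
AVENGER_LOG = r'''
File C:\WINDOWS\system32\bpzfrb.exe not found!
Could not process line:
C:\WINDOWS\system32\bpzfrb.exe
Status: 0xc0000034
File C:\yqwtkdod.bat deleted successfully.
'''
# The status Avenger printed for every missing file: the object (file) name does not exist.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

def command_path(value):
    """Executable from a Run value: the quoted path, else everything up to the first .exe."""
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r'(.+?\.exe)', value, re.I)
    return m.group(1) if m else value.split(' ')[0]

def autorun_paths(reg_export):
    """(registry key, executable path) for each value in a .reg-style export that names a file."""
    found, key = [], None
    for line in reg_export.splitlines():
        if line.startswith('['):
            key = line.strip('[]')
        elif (m := re.match(r'^"[^"]+"="(.*)"$', line)):
            value = re.sub(r'\\(.)', r'\1', m.group(1))  # undo .reg escaping of \\ and \"
            if re.match(r'"?[A-Za-z]:\\', value):
                found.append((key, command_path(value)))
    return found

def avenger_results(log):
    """{path: 'deleted' or decoded NTSTATUS} from an Avenger log."""
    results = {p: 'deleted' for p in re.findall(r'^File (.+) deleted successfully\.$', log, re.M)}
    for path, status in re.findall(r'^Could not process line:\n(.+)\nStatus: (0x[0-9a-fA-F]+)$', log, re.M):
        results[path] = NTSTATUS.get(int(status, 16), status)
    return results

def orphaned_autoruns(reg_export, log):
    """Autorun entries whose target Avenger could not find: registry references with no file behind them."""
    missing = {p for p, r in avenger_results(log).items() if r == 'STATUS_OBJECT_NAME_NOT_FOUND'}
    return [(k, p) for k, p in autorun_paths(reg_export) if p in missing]
```

Entries returned by `orphaned_autoruns` are the ones to clean up in the registry rather than on disk; a Run value that still points at an existing file needs the file dealt with first.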

· Registered · 10 Posts · Discussion Starter · #15 ·
When I start in normal mode there is a process called svchost.exe that occupies 99% of the memory; I can see it from the Task Manager...
Is there something else I can do?
 

· Retired Moderator Retired Malware Specialist · 56,593 Posts · First Name - Derek
Have you got auto updates turned on, as that sometimes causes this?

Let's have a new HJT log in case I have missed something
 