
Collected.5.L......post cleanup log

Discussion in 'Malware and Virus Removal Archive' started by paodon, 2005/06/01.

Thread Status:
Not open for further replies.
  1. 2005/06/01
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    trojan horses

    I saw you helped some people with these problems!
    I had serious problems for months concerning trojan horses (collected.5L, win32 worm, backdoor, etc.). The virus even stopped HiJack This. Today I downloaded ewido security suite and it deleted a lot of things! Now everything seems to function, but I'd like to be sure. Could you please check my Hijack log file? Thank you!

    Logfile of HijackThis v1.99.1
    Scan saved at 15.41.47, on 01/06/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\ewido\security suite\ewidoctrl.exe
    C:\Programmi\ewido\security suite\ewidoguard.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
    C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\Documents and Settings\Paola Iacovazzo\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82 "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title= "CorelDRAW Graphics Suite 12" /date=061305 serial=DR12WTX-9999998-YSP lang=EN
    O4 - HKLM\..\Run: [file laoder configuration] rnd32.exe
    O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
    O4 - HKLM\..\RunServices: [file laoder configuration] rnd32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - HKCU\..\Run: [file laoder configuration] rnd32.exe
    O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
    O4 - HKCU\..\RunServices: [file laoder configuration] rnd32.exe
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108986459703
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
    O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
     
  2. 2005/06/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS paodon :)

    I have split your post off and created a thread for you. Please post future responses here. ;)

    Running processes look good, but a few items in your log to clean up and files to search for.

    Please right click the desktop and choose New>folder. Name it HJT, then move HijackThis.exe to the new folder and run it from there.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [file laoder configuration] rnd32.exe
    O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
    O4 - HKLM\..\RunServices: [file laoder configuration] rnd32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
    O4 - HKCU\..\Run: [file laoder configuration] rnd32.exe
    O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
    O4 - HKCU\..\RunServices: [file laoder configuration] rnd32.exe

    Now reboot and do a search for all of the above files in red and delete if found.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all username folders.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    Again, reboot, then go to Start>All Programs>Windows Update. Accept all critical updates (choose Express Install). Reboot when prompted and go back to Windows Update. Repeat until there are no more critical updates offered.

    When done, scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
     

  4. 2005/06/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    trojan horses

    Thank you for answering!
    I did everything you said, even though it was impossible to scan with RAV because the download section of that site is closed!
    Anyway, I'm sending you the new HiJack This log...
    thanks!

    Logfile of HijackThis v1.99.1
    Scan saved at 11.13.12, on 02/06/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\Programmi\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
    C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Paola Iacovazzo\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82 "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title= "CorelDRAW Graphics Suite 12" /date=061305 serial=DR12WTX-9999998-YSP lang=EN
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108986459703
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
    O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
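
Added example (not part of any post in this thread, and not HijackThis's own logic): a Python script that parses the `O4` registry autorun lines from the two logs above, flags entries that hit at least two heuristics, and checks that they are gone from the second scan. The three heuristics and the two-signal threshold are assumptions chosen here; on this log they select the same seven entries the helper asked to fix and leave the path-less `dslagent.exe` entry alone.

```python
import re
from collections import Counter
from typing import NamedTuple

# O4 lines excerpted from the first and second HijackThis logs posted in this
# thread (a subset, to keep the example short).
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [file laoder configuration] rnd32.exe
O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunServices: [file laoder configuration] rnd32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
O4 - HKCU\..\Run: [file laoder configuration] rnd32.exe
O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunServices: [file laoder configuration] rnd32.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"; Startup-folder lines are skipped.
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\([A-Za-z]+): \[(.+?)\] (.+)$")
# A command that starts (optionally quoted) with a drive letter or UNC prefix.
FULL_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')


class Autorun(NamedTuple):
    hive: str
    key: str
    name: str
    command: str


def parse_o4(log: str) -> list[Autorun]:
    """Extract registry autorun entries from the O4 section of a log."""
    entries = []
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            entries.append(Autorun(*m.groups()))
    return entries


def triage(entries: list[Autorun]) -> dict[Autorun, list[str]]:
    """Map each entry to the heuristic signals it triggers (assumed heuristics)."""
    name_counts = Counter(e.name for e in entries)
    result = {}
    for e in entries:
        reasons = []
        if not FULL_PATH.match(e.command):
            reasons.append("no-path")       # bare file name, resolved via search path
        if e.key.lower().startswith("runservices"):
            reasons.append("runservices")   # legacy autorun key
        if name_counts[e.name] > 1:
            reasons.append("duplicated")    # same value name planted in several keys
        result[e] = reasons
    return result


def review_list(entries: list[Autorun], min_signals: int = 2) -> list[Autorun]:
    """Entries with at least min_signals signals; one signal alone is too noisy."""
    return [e for e, r in triage(entries).items() if len(r) >= min_signals]


def still_present(before: list[Autorun], after: list[Autorun]) -> list[Autorun]:
    """Flagged entries from the first scan that survive in the follow-up scan."""
    remaining = set(after)
    return [e for e in review_list(before) if e in remaining]


if __name__ == "__main__":
    before, after = parse_o4(SCAN_BEFORE), parse_o4(SCAN_AFTER)
    for entry, reasons in triage(before).items():
        mark = "REVIEW" if len(reasons) >= 2 else "      "
        print(f"{mark} {entry.hive}\\{entry.key} [{entry.name}] {entry.command} {reasons}")
    print("still present after fix:", still_present(before, after))
```

An empty `still_present` result only shows that the autorun values were removed; as the later Panda and AVG results in this thread show, files can remain on disk after the registry entries are gone.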
     
  5. 2005/06/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your log looks clean. :) When on the RAV page, click the link below the field to enter your email address, where it says 'To continue without subscribing click here'. The next page should prompt you to install an ActiveX control, which you must allow, then it will begin loading the updated reference files. When it tells you (in the window) updates are completed, 'ready to scan', click 'Scan my PC'.

    Let us know! ;)
     
  6. 2005/06/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    I tried opening that page, but nothing happens and it says I can only check one file and not one folder or an entire disk.
    Anyway everything's ok for now!
    Thank you
    greetings from Italy!
     
  7. 2005/06/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're most welcome! :)

    I was hoping for a clean online scan before recommending the following, and would still like for you to try another first.

    Panda ActiveScan

    If all is well, clear your System Restore points. Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out. Reboot and turn System Restore back on.

    Then click Start>All Programs>Windows Update. Accept all critical updates (choose Express Install). Reboot when prompted and go back to Windows Update. Repeat until there are no more critical updates offered.

    Also recommend you download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry. That will give you some added layers of protection against unwanted parasites.
     
  8. 2005/06/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    I scanned with Panda and it found and cleaned 22 infected items... this is the log:


    Incident Status Location

    Adware:Adware/SaveNow No disinfected Windows Registry
    Adware:Adware/SAHAgent No disinfected C:\DOCUME~1\PAOLAI~1\IMPOST~1\Temp\setup4002b.cab
    Adware:Adware/EliteBar No disinfected C:\WINDOWS\downloaded program files\osdeb.osd
    Adware:Adware/WeatherCast No disinfected C:\Documents and Settings\Paola Iacovazzo\Menu Avvio\Programmi\WeatherCast
    Adware:Adware/WhenUSearch No disinfected C:\Programmi\File comuni\Whenu
    Adware:Adware/WeatherCast No disinfected C:\Documents and Settings\Paola Iacovazzo\Documenti\Installazioni\VVSNI_Cast_webInst-1.exe
    Adware:Adware/WeatherCast No disinfected C:\Documents and Settings\Paola Iacovazzo\Documenti\Installazioni\VVSNI_Cast_webInst.exe
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[lkir8l2gm_.dll]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[abasa5jrp_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[u6f6uftuc_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[hochkaod3_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[u6f6uftuc_.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[hochkaod3_.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[setup4002b.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Paola Iacovazzo\Impostazioni locali\Temp\setup4002b.cab[webinstaller.dll]
    Adware:Adware/WhenUSearch No disinfected C:\Programmi\File comuni\WhenU\EmbedSE.dll
    Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\OSDEB.OSD
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
    Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
    Virus:W32/Sdbot.DPT.worm Disinfected C:\WINDOWS\system32\TFTP3628
    Virus:W32/Gaobot.GBQ.worm Disinfected C:\WINDOWS\system32\winn.exe
     
  9. 2005/06/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    AVG again found an infection in file msdirectx.sys by trojan horse collected.5.L
    I'm sending you another HijackThis log...
    thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 22.09.26, on 02/06/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Programmi\ewido\security suite\SecuritySuite.exe
    C:\Documents and Settings\Paola Iacovazzo\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82 "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title= "CorelDRAW Graphics Suite 12" /date=061305 serial=DR12WTX-9999998-YSP lang=EN
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108986459703
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
     
  10. 2005/06/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please reboot to safe mode. Logon to the Paola Iacovazzo account. Click Start>run and type %temp% then hit enter. Click Edit>select all then right click on any selected file/folder and choose delete. Close Temp.

    Open My Computer, right click Local Disk C: and select properties, then disk cleanup. Check all boxes except Compress old files and click OK.

    If AVG has told you the location of msdirectx.sys then skip this step and let us know where it is. Click Start>search. Select All files and folders. Type msdirectx.sys in the filename window. Click More advanced options and check the boxes for system folders, hidden files and folders, and subfolders. Click search. If found, right click and delete. If it will not delete, make note of its location(s) and report in your next post.

    Reboot back into Windows. Download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labeled Virus Log Information and post it here. This scanner sometimes takes a very long time to run. Please be patient and allow it to complete!
     
  11. 2005/06/03
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    I deleted those files in safe mode and did the disk cleanup. When I try searching for msdirectx.sys it says there are no files with that name...
    I downloaded MWAV and it found 6 viruses and 130 errors. Here's the log:

    Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PrevAdX.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-dan.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-cht.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-nld.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-fra.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-deu.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-jpn.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-kor.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-nor.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-ptg.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-rus.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-esp.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-fin.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-ptb.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-chs.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-plk.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-csy.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-sky.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-slv.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-hun.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-tha.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-trk.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-ell.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\CoverDesigner\covered-esl.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Chs.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Cht.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Deu.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Esp.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Fra.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Jpn.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Kor.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Nld.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero BackItUp\BackItUp-Ptg.nls ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_chs.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_cht.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_deu.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_esl.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_esp.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_fra.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_jpn.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_kor.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_nld.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\Ahead\Nero StartSmart\NeroStartSmart_ptg.chm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programmi\File comuni\Adobe\Fonts\Reqrd\Base\AdobeFnt.lst ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PrevAdX.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{01002B17-5D93-4551-81E4-831FEF780A53}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{0AA02E8D-F851-4CB0-9F64-BBA9BE7A983D}" refers to invalid object "C:\PROGRA~1\WINDOW~2\mpvis.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{2aa2b5fe-b846-4d07-810c-b21ee45320e3}" refers to invalid object "%SystemRoot%\System32\xmlprovi.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{2EA10031-0033-450E-8072-E27D9E768142}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{31087270-D348-432C-899E-2D2F38FF29A0}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{353359C1-39E1-491b-9951-464FD8AB071C}" refers to invalid object "C:\Programmi\Movie Maker\wmm2fxa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{41D2B841-7692-4C83-AFD3-F60E845341AF}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{4F3E50BD-A9D7-4721-B0E1-00CB42A0A747}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{586FB486-5560-4FF3-96DF-1118C96AF456}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}" refers to invalid object "C:\WINDOWS\System32\twext.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E}" refers to invalid object "C:\Programmi\Movie Maker\wmm2fxa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{5B4B05EB-1F63-446B-AAD1-E10A34D650E0}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{679E132F-561B-42F8-846C-A70DBDC62999}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{6C68955E-F965-4249-8E18-F0977B1D2899}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{7F1232EE-44D7-4494-AB8B-CC61B10E21A5}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{86DCFA5A-DED3-4202-ADDC-93852FCF4DE6}" refers to invalid object "f:\Corel\Graphics12\ProgramsD\CorelDrw.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{92883667-E95C-443D-AC96-4CACA27BEB6E}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{9DB7A13C-F208-4981-8353-73CC61AE2783}" refers to invalid object "C:\WINDOWS\System32\twext.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{A2EDA89A-0966-4B91-9C18-AB69F098187F}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{ADEADEB8-E54B-11d1-9A72-0000F875EADE}" refers to invalid object "C:\Programmi\Movie Maker\wmm2fxa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{AECF5D2E-7A18-4DD2-BDCD-29B6F615B448}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{B4DC8DD9-2CC1-4081-9B2B-20D7030234EF}" refers to invalid object "C:\Programmi\Movie Maker\wmm2fxa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{BC0D69A8-0923-4EEE-9375-9239F5A38B92}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C0D076C5-E4C6-4561-8BF4-80DA8DB819D7}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C44C65C7-FDF1-453D-89A5-BCC28F5D69F9}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C63344D8-70D3-4032-9B32-7A3CAD5091A5}" refers to invalid object "C:\Programmi\Movie Maker\wmm2fxa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C8F209F8-480E-454C-94A4-5392D88EBA0F}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{CFFB1FC7-270D-4986-B299-FECF3F0E42DB}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F70305}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E476CBFF-E229-4524-B6B7-228A3129D1C7}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E673DCF2-C316-4c6f-AA96-4E4DC6DC291E}" refers to invalid object "C:\Programmi\Movie Maker\wmm2fxb.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E8C31D11-6FD2-4659-AD75-155FA143F42B}" refers to invalid object "C:\Programmi\Movie Maker\wmm2ae.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{EC85D8F1-1C4E-46e4-A748-7AA04E7C0496}" refers to invalid object "C:\Programmi\Movie Maker\wmm2fxa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{EF105BC3-C064-45F1-AD53-6D8A8578D01B}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{F44BB2D0-F070-463E-9433-B0CCF3CFD627}" refers to invalid object "C:\Programmi\Movie Maker\wmm2filt.dll ". Action Taken: No Action Taken.
    Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046} ". Action Taken: No Action Taken.
    Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC} ". Action Taken: No Action Taken.
    Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC} ". Action Taken: No Action Taken.
    File C:\Documents and Settings\Paola Iacovazzo\Documenti\Installazioni\VVSNI_Cast_webInst-1.exe tagged as "not-a-virus:AdWare.SaveNow.bi ". Action Taken: No Action Taken.
    File C:\Documents and Settings\Paola Iacovazzo\Documenti\Installazioni\VVSNI_Cast_webInst.exe tagged as "not-a-virus:AdWare.SaveNow.bi ". Action Taken: No Action Taken.
    File C:\Programmi\File comuni\WhenU\EmbedSE.dll tagged as "not-a-virus:AdWare.SaveNow.bb ". Action Taken: No Action Taken.
    File C:\Programmi\Norton AntiVirus\Quarantine\0B553392 infected by "Trojan-Downloader.BAT.Ftp.z" Virus! Action Taken: No Action Taken.
    File C:\Programmi\Norton AntiVirus\Quarantine\0C6E4E5D infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
     
  12. 2005/06/03
    noahdfear

    Most of that is just old registry entries. We can clean that up with a registry cleaner when we're done.

    Do you know what this is or where it came from?
    C:\Documents and Settings\Paola Iacovazzo\Documenti\Installazioni\VVSNI_Cast_webInst.exe

    Please delete the WhenU folder.
    C:\Programmi\File comuni\WhenU

    Do you still have Norton AV installed, and it's just disabled?

    Please open AVG and locate the logs to see if there's mention of msdirectx.sys and its location, and post that information if found. If not, download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in msdirectx.sys, wait for it to complete the search, click ok at the prompt. Then when wordpad opens, copy that back here please.
     
  13. 2005/06/03
    paodon

    I do not have norton antivirus...
    I found a strange folder in C: that is called $WIN_NT$.~BT. Is that normal? Inside there is a folder called system32 and many files in SY_ format.

    Registry Search found that file (msdirectx.sys):

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "msdirectx.sys" 03/06/2005 20.00.41

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-1715567821-1284227242-682003330-1004\Software\Microsoft\Search Assistant\ACMru\5603]
    "000 "= "msdirectx.sys "
     
  14. 2005/06/03
    noahdfear

    Certainly appears to be a strange folder. How large is it? If under 10MB when sent to a compressed (zipped) folder, would you attach it to an email to me here please.

    Please delete the Norton folder.
    C:\Programmi\Norton AntiVirus

    Would you do that reg search again for me in safe mode please. No need to post it if it's the same. ;)
    Any luck finding a location for that file in AVG logs?

    Can you identify this file as associated with a known good application?
    VVSNI_Cast_webInst.exe
    If not, delete it.
     
  15. 2005/06/03
    paodon

    I send you that zipped folder by e-mail.
    I canceled the file VVSNI_Cast_webInst.exe: it seemed to be of a WhenU application.
    I made that search for msdirectx.sys in safe mode but it shows the same thing as before.
    I'm noting something strange: when I open My Computer or C: the icons of some folders appear to be of a clearer yellow than usual! Does this mean anything?!
    Thank you!
     
  16. 2005/06/03
    noahdfear

    Those are folders that are usually hidden.......system folders. They became visible when you reset Windows Explorer to view hidden files. There are many greyed out files scattered about the drive too. Don't delete any of them!
     
  17. 2005/06/03
    paodon

    Unfortunately I deleted the AVG virus vault...anyway if that trojan is found again I'll see its location...
     
  18. 2005/06/03
    noahdfear

    I recommend you download RegSeeker and extract the files to their own folder. Open and start RegSeeker.exe. Click 'clean registry' and when the scan is complete, make sure the backup box in the lower left corner is checked and click Select All, then click select all again. Right click within the results and choose delete. Open your installed programs, control panel, add/remove programs, etc. and do a quick check of things to see that they all work properly. If not, click the backup button in RegSeeker, double click the backup file and check the apps again. Otherwise, do another clean registry and repeat. Do this until no results come up in a scan. Reboot.

    Go get those Windows Updates and post back with a new HijackThis log and MWAV scan when done.
     
  19. 2005/06/03
    noahdfear

    That folder is full of backup files created when doing an update or upgrade on 4-8-2003 at 2:00 pm. I'm assuming it's one of those greyed out folders? It's fine. ;)
     
  20. 2005/06/04
    paodon

    I loaded RegSeeker: I deleted those files a lot of times but each time I click "clean the registry" 26 items are found...
    That strange folder I sent you is not grey...it's yellow as the other ones.
    I send you the hijack log and the MWAV one:

    Logfile of HijackThis v1.99.1
    Scan saved at 12.17.20, on 04/06/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\Programmi\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\Documents and Settings\Paola Iacovazzo\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82 "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title= "CorelDRAW Graphics Suite 12" /date=061305 serial=DR12WTX-9999998-YSP lang=EN
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108986459703
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe


    That's the MWAV log:


    Object "WhenU Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "WhenU Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PrevAdX.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll ". Action Taken: No Action Taken.
    File C:\Documents and Settings\Paola Iacovazzo\Documenti\Installazioni\VVSNI_Cast_webInst-1.exe tagged as "not-a-virus:AdWare.SaveNow.bi ". Action Taken: No Action Taken.
    File C:\Programmi\File comuni\WhenU\EmbedSE.dll tagged as "not-a-virus:AdWare.SaveNow.bb ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0000030.dll tagged as "not-a-virus:AdWare.SaveNow.bb ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0001044.exe tagged as "not-a-virus:AdWare.SaveNow.ay ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0001046.exe tagged as "not-a-virus:AdWare.SaveNow.as ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0001047.exe tagged as "not-a-virus:AdWare.SaveNow.bd ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0001048.dll tagged as "not-a-virus:AdWare.SaveNow.az ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0001049.exe tagged as "not-a-virus:AdWare.SaveNow.az ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0001050.exe tagged as "not-a-virus:AdWare.SaveNow.ay ". Action Taken: No Action Taken.
     
  21. 2005/06/04
    noahdfear

    Did you delete the WhenU folder?
    C:\Programmi\File comuni\WhenU

    And the VVSNI_Cast_webInst-1.exe file?
    C:\Documents and Settings\Paola Iacovazzo\Documenti\Installazioni\VVSNI_Cast_webInst-1.exe

    Your HijackThis log is clean. :)

    Right click My Computer and choose properties. On System Restore tab, check the box to turn off. OK out. Reboot and turn System Restore back on.

    I didn't mean to imply the folder was grey, but faded out. Open My Computer and click Tools on the menu bar, then folder options. Click the view tab, scroll down and check the boxes next to 'do not show hidden files and folders' and 'hide protected operating system files'. Click Apply and then OK.

    Reboot and run RegSeeker again. Let me know how that goes.

    Go get the Windows Updates!! Click Start>All Programs>Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    When done, I also recommend you download Spybot Version 1.4 from my signature, install and update (uninstall the old version). Allow it to load SD Helper. Search for and download all available updates. Open it up and click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Then click tools button, then IE tweaks and at least lock the HOSTS file.

    Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    That will give you some added layers of protection against unwanted parasites.
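
The sorting done by eye in posts 12 and 21 (stale registry references versus flagged files, and flagged files that sit in an antivirus quarantine folder or a System Restore point), as an added example that is not part of the original thread: a Python script that groups MWAV log lines the same way. The bucket names and function names are assumptions of this example, and the sample lines are constructed from the shape of the logs posted above.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample: lines in the shape of the MWAV logs posted in this thread
# (the trailing space inside some quotes is kept as it appears on the page).
SAMPLE_LOG = r'''
Object "WhenU Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL ". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll ". Action Taken: No Action Taken.
File C:\Programmi\File comuni\WhenU\EmbedSE.dll tagged as "not-a-virus:AdWare.SaveNow.bb ". Action Taken: No Action Taken.
File C:\Programmi\Norton AntiVirus\Quarantine\0C6E4E5D infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB45B31F-A190-4F3B-AB09-839B908BD3F0}\RP1\A0001044.exe tagged as "not-a-virus:AdWare.SaveNow.ay ". Action Taken: No Action Taken.
'''

# The three line shapes seen in the posted logs.
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]*)"')
FILE_RE = re.compile(r'^File (?P<path>.+?) (?P<verb>tagged as|infected by) "(?P<name>[^"]+)"')
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)!')


def file_location(path):
    """Label where a flagged file sits (labels are this example's own)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # post 21: cleared by turning System Restore off and on
    if "\\quarantine\\" in p:
        return "av_quarantine"   # post 14: the leftover Norton folder
    return "live_file"           # an ordinary path on disk: review these first


def triage(log_text):
    """Sort MWAV log lines into buckets; anything unrecognised is kept, not dropped."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Registry value pointing at a file that no longer exists.
            buckets["orphan_registry"].append((m["key"], m["target"].strip()))
            continue
        m = FILE_RE.match(line)
        if m:
            buckets[file_location(m["path"])].append(
                (m["path"], m["name"].strip(), m["verb"]))
            continue
        m = OBJECT_RE.match(line)
        if m:
            buckets["object"].append((m["name"], m["where"].strip()))
            continue
        buckets["unparsed"].append(line)
    return dict(buckets)


def orphans_by_folder(buckets):
    """Count orphaned registry targets per folder to see which program left them."""
    counts = Counter()
    for _key, target in buckets.get("orphan_registry", []):
        # ntpath parses Windows paths on any OS; a bare name has no folder part.
        counts[ntpath.dirname(target) or "(bare file name)"] += 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("live_file", "restore_point", "av_quarantine", "object"):
        for item in result.get(bucket, []):
            print(bucket, *item, sep=" | ")
    print("orphaned registry references:", len(result.get("orphan_registry", [])))
    for folder, n in orphans_by_folder(result).most_common():
        print(f"  {n:3d}  {folder}")
```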
     