vmmdiag32.exe yeah

I followed pretty much all the steps in previous threads and it seems to have fixed everything just wanna know if I missed somethin along the way that I need or can remove

Logfile of HijackThis v1.99.1
Scan saved at 13.07.57, on 12/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton Personal Firewall\NISUM.EXE
C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\Norton Personal Firewall\SymProxySvc.exe
C:\Programmi\Norton Personal Firewall\NISSERV.EXE
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Norton Personal Firewall\ATRACK.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iamapp] C:\Programmi\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Billminder.lnk = C:\Programmi\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Programmi\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45CA86A9-046E-4D9E-8918-1DE1FBF93564}: NameServer = 85.255.114.194,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CEF176B-19DE-4520-95C1-FCD6C10EBAA2}: NameServer = 85.255.114.194,85.255.112.167
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Programmi\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Programmi\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Programmi\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

 

ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Marco\Documenti\Marco\Cleaners\ComboFix "

((((((((((((((((((((((((((((((( Files Created from 2006-10-12 to 2006-11-12 ))))))))))))))))))))))))))))))))))


2006-11-11 14:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-11 13:04 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-11 12:35 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-11-11 12:35 7,483 --a------ C:\clean.bat
2006-11-11 12:35 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-11 12:35 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-11-11 12:35 38,400 --a------ C:\WINDOWS\system32\moveex.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-12 12:36 -------- d-------- C:\Programmi\HaxFix
2006-11-12 12:31 -------- d-------- C:\Programmi\File comuni\Symantec Shared
2006-11-12 12:31 -------- d-------- C:\Programmi\File comuni
2006-11-12 12:24 -------- d-------- C:\Programmi\Norton Personal Firewall
2006-11-11 14:53 -------- d-------- C:\Programmi\Grisoft
2006-11-11 11:34 -------- d-------- C:\Programmi\Norton AntiVirus
2006-11-11 11:26 -------- d-------- C:\Programmi\Internet Explorer
2006-11-11 10:29 -------- d-------- C:\Programmi\Warcraft III
2006-10-24 21:43 -------- d-------- C:\Programmi\eMule
2006-09-23 09:40 -------- d-------- C:\Programmi\Trillian
2006-09-13 10:47 -------- d-------- C:\Programmi\Teamspeak2_RC2
2006-09-13 10:47 -------- d-------- C:\Documents and Settings\Marco\Dati applicazioni\teamspeak2
2006-09-03 14:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-09-03 14:25 139264 --a------ C:\WINDOWS\War3Unin.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe "= "C:\\WINDOWS\\System32\\ctfmon.exe "
"Yahoo! Pager "= "C:\\Programmi\\Yahoo!\\Messenger\\ypager.exe -quiet "
"MsnMsgr "= "\ "C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup "
"nwiz "= "nwiz.exe /install "
"iamapp "= "C:\\Programmi\\Norton Personal Firewall\\IAMAPP.EXE "
"EM_EXEC "= "C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE "
"ccApp "= "\ "C:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe\" "
"SSC_UserPrompt "= "C:\\Programmi\\File comuni\\Symantec Shared\\Security Center\\UsrPrmpt.exe "
"NvMediaCenter "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit "
"Symantec NetDriver Monitor "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe "
"SunJavaUpdateSched "= "C:\\Programmi\\Java\\jre1.5.0_01\\bin\\jusched.exe "
"QuickTime Task "= "\ "C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime "
"!AVG Anti-Spyware "= "\ "C:\\Programmi\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed "= "1 "
"NoChange "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed "= "1 "

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion "=dword:00000110
"DeskHtmlMinorVersion "=dword:00000005
"Settings "=dword:00000001
"GeneralFlags "=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source "= "About:Home "
"SubscribedURL "= "About:Home "
"FriendlyName "= "Pagina iniziale corrente "
"Flags "=dword:00000002
"Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState "=hex:04,00,00,40
"OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\ctfmon.exe "

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\ctfmon.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Precaricatore Browseui "
"{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Daemon di cache delle categorie di componenti "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername "=dword:00000000
"legalnoticecaption "=" "
"legalnoticetext "=" "
"shutdownwithoutlogon "=dword:00000001
"undockwithoutlogon "=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
"CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
"WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
"SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-12 12:38:45.56
C:\ComboFix.txt ... 06-11-12 12:38
C:\ComboFix2.txt ... 06-11-11 13:44

 

"Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++} "


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Yahoo! Pager" = "C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet" [file not found]
"MsnMsgr" = " "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" [ "NVIDIA Corporation"]
"iamapp" = "C:\Programmi\Norton Personal Firewall\IAMAPP.EXE" [ "Symantec Corporation"]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [ "Logitech Inc. "]
"ccApp" = " "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" " [ "Symantec Corporation"]
"SSC_UserPrompt" = "C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe" [ "Symantec Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ "Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe" [ "Sun Microsystems, Inc."]
"QuickTime Task" = " "C:\Programmi\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
"!AVG Anti-Spyware" = " "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" [ "Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class "
\InProcServer32\(Default) = "C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper "
-> {HKLM...CLSID} = "CNavExtBho Class "
\InProcServer32\(Default) = "C:\Programmi\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal "
-> {HKLM...CLSID} = "HyperTerminal Icon Ext "
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer "
-> {HKLM...CLSID} = "Desktop Explorer "
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip "
-> {HKLM...CLSID} = "WinZip "
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip "
-> {HKLM...CLSID} = "WinZip "
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip "
-> {HKLM...CLSID} = "WinZip "
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler "
-> {HKLM...CLSID} = "Outlook File Icon Extension "
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office10\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class "
-> {HKLM...CLSID} = "DesktopContext Class "
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" [ "NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper "
-> {HKLM...CLSID} = "NVIDIA CPL Extension "
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" [ "NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu "
-> {HKLM...CLSID} = "nView Desktop Context Menu "
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension "
-> {HKLM...CLSID} = "MCLiteShellExt Class "
\InProcServer32\(Default) = "C:\Programmi\ICQLite\ICQLiteShell.dll" [empty string]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
-> {HKLM...CLSID} = "iTunes "
\InProcServer32\(Default) = "C:\Programmi\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
-> {HKLM...CLSID} = "Portable Media Devices Menu "
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5 "
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object "
\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [ "Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945} "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
-> {HKLM...CLSID} = "CContextScan Object "
\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654} "
-> {HKLM...CLSID} = "MCLiteShellExt Class "
\InProcServer32\(Default) = "C:\Programmi\ICQLite\ICQLiteShell.dll" [empty string]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} "
-> {HKLM...CLSID} = "IEContextMenu Class "
\InProcServer32\(Default) = "C:\Programmi\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
-> {HKLM...CLSID} = "WinZip "
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
-> {HKLM...CLSID} = "CContextScan Object "
\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654} "
-> {HKLM...CLSID} = "MCLiteShellExt Class "
\InProcServer32\(Default) = "C:\Programmi\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
-> {HKLM...CLSID} = "WinZip "
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} "
-> {HKLM...CLSID} = "IEContextMenu Class "
\InProcServer32\(Default) = "C:\Programmi\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
-> {HKLM...CLSID} = "WinZip "
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]


Default executables:
--------------------

HKLM\Software\Classes\htafile\shell\open\command\(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]


Startup items in "Marco" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
"Billminder" -> shortcut to: "C:\Programmi\QUICKENW\BILLMIND.EXE -startup" [file not found]
"Microsoft Office" -> shortcut to: "C:\Programmi\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe" [ "Microsoft® Corporation"]
"Quicken Startup" -> shortcut to: "C:\Programmi\QUICKENW\QWDLLS.EXE" [file not found]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~3\Navw32.exe /task: "C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus\Tasks\mycomp.sca" " [ "Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Programmi\File comuni\Symantec Shared\NMain.exe /dat:C:\Programmi\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule" [ "Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE" [ "Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "
-> {HKLM...CLSID} = "Norton AntiVirus "
\InProcServer32\(Default) = "C:\Programmi\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "
-> {HKLM...CLSID} = "Norton AntiVirus "
\InProcServer32\(Default) = "C:\Programmi\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus "
-> {HKLM...CLSID} = "Norton AntiVirus "
\InProcServer32\(Default) = "C:\Programmi\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Ricerche "
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Ricerche "

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite "
"MenuText" = "ICQ Lite "
"Exec" = "C:\Programmi\ICQLite\ICQLite.exe" [ "ICQ Ltd."]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for specific service (i.e., "www ")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
<<H>> "www." = " "


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings ")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://gw.aliceadsl.it/home

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe" [ "Anti-Malware Development a.s."]
Machine Debug Manager, MDM, " "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe" " [MS]
Norton AntiVirus Auto Protect Service, navapsvc, " "C:\Programmi\Norton AntiVirus\navapsvc.exe" " [ "Symantec Corporation"]
Norton Personal Firewall Accounts Manager, NISUM, "C:\Programmi\Norton Personal Firewall\NISUM.EXE" [ "Symantec Corporation"]
Norton Personal Firewall Proxy Service, SymProxySvc, "C:\Programmi\Norton Personal Firewall\SymProxySvc.exe" [ "Symantec Corporation"]
Norton Personal Firewall Service, NISSERV, "C:\Programmi\Norton Personal Firewall\NISSERV.EXE" [ "Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" [ "Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" [ "NVIDIA Corporation"]
SAVScan, SAVScan, "C:\Programmi\Norton AntiVirus\SAVScan.exe" [ "Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" [ "Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe" [ "Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, " "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe" " [ "Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, " "C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe" " [ "Symantec Corporation"]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "Lkbdflt2" [ "Logitech, Inc."]

 

Welcome to the forums Throttle.

Seems like you got most of whatever was there, but I have no way to tell, because I never saw what was in any of the logs before you fixed anything.

You need to use HJt to fix the 017 lines:
O17 - HKLM\System\CCS\Services\Tcpip\..\{45CA86A9-046E-4D9E-8918-1DE1FBF93564}: NameServer = 85.255.114.194,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\..\{8CEF176B-19DE-4520-95C1-FCD6C10EBAA2}: NameServer = 85.255.114.194,85.255.112.167

After that, you need to update your system. XP SP1 will get you infected at every turn.

 

Not much really

The Panda got a few viruses
Haxfix found only the vmmdiag file and think also wmdconf32.dll

Used killbox to delete on reboot
msupd01.exe
msupd02.exe
vmmdiag32.exe
wmdconf32.dll

didn't delete anythin with HJT only the
F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
was removed after I was finished

Fixwareout report was like this

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Versione 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

And ewido got everything you asked to not be posted pretty much
cept these 3 things which forgot abought to post

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp -> Adware.CoolWebSearch : Ignorato.

C:\Documents and Settings\Marco\Documenti\Marco\CWS Removal\backups\backup-20061111-132753-625-Uninstall.exe -> Downloader.Small.dya : Ignorato.

C:\WINDOWS\system32\1024 -> Trojan.Small : Ignorato.

didn't quite know what ta look for in combofix or silentrunner
somethings in silentrunner didn't look right

Though I do got a question after I ran the fixwareout these popped up in HJT
O4 - Global Startup: Billminder.lnk = C:\Programmi\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Programmi\QUICKENW\QWDLLS.EXE
wonderin if I can take them out or if they had to be there in the 1st place

and what these are
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx

and if I can take these out
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet

and thanks for all the help the previous posts were usefull, didn't wanna bug ya if could get most done just by following previous instructions

 

OK, glad to see you got things sorted out on your own. Nice work.

These are all start ups, which will run with each account whenever users log in. If you don't need them to load, then by all means change their start up details.

You can use something like WinPatrol for that.

The 014 is related to when you use the IE reset button in the Internet Options dialog box. That page listed is what the 'default' setting is for your machine.

The 03 line is for the ActiveX control for WMP.

If you don't use them, and they are uninstalled, yes you can fix those.

 

Thankyou for everything

 

Glad we could be of assistance.

Don't forget to get yourself updated. Or you'll be back here pretty quick looking at other logs trying to figure out what you need to get whatever new infection you get off your machine.


To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good the fight against ad/mal/spyware as AdAware & Spybot S&D:

SpywareBlaster
With SpywareBlaster v3.5.1 , just DL, install and check for updates, enable Internet Explorer protection, and your done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

Links for tutorials for all the apps I mentioned can be found on my site as well.

Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps proving how securely you can safe with them installed.
TeMerc Test Box Forum

Happy surfing!!
Tom


Due to resolution this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.