
my customer's notebook (hjt, combofix, gmer logs)

Discussion in 'Malware and Virus Removal Archive' started by momazzo, 2006/12/20.

  1. 2006/12/20
    momazzo

    momazzo Inactive Thread Starter

    Joined:
    2006/12/20
    Messages:
    2
    Likes Received:
    0
    Got a notebook to 'clean'. It has NIS2006 on. Virit and NAV didn't find anything more, but the PC still has problems. Plus, if I install Prevx1 the system gives me a BSOD on reboot.

    Here are my logs, however. Thanks in advance.

    ************************************HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 16.31.41, on 20/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\bmwebcfg.exe
    c:\jet95\jsdaemon.exe
    C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Programmi\Launch Manager\QtZgAcer.EXE
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\Programmi\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Skype\Phone\Skype.exe
    C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
    c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
    F:\cure\gmer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    F:\cure\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F3 - REG:win.ini: load=
    O1 - Hosts: 205.214.67.212 auto.search.msn.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\bmbho.dll
    O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Winsystem] C:\WINDOWS\system32\Winsystema\Freevideo5.EXE -n
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Winsystem - {491A5872-C30F-4E54-8FF1-BF31CC73DC4B} - C:\WINDOWS\system32\WINSYS~1\FREEVI~1.EXE (file missing)
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
    O12 - Plugin for .mid: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{330EB682-B9CC-4A8B-9354-1AE3BCA9D3C8}: NameServer = 151.99.125.2,151.99.125.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E62A380-3388-48BD-A87E-1CD382B25A17}: NameServer = 151.99.125.2,151.99.0.100
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\Norton Internet Security\comHost.exe
    O23 - Service: jsdaemon - JetFax, Inc. - c:\jet95\jsdaemon.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    ************************COMBOFIX

    Elena - 06-12-20 16.43.05,43 Service Pack 2
    ComboFix 06.11.27 - Running from: "F:\"

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-20 to 2006-12-20 ))))))))))))))))))))))))))))))))))


    2006-12-20 15:59 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
    2006-12-20 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\TEMP
    2006-12-20 11:59 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2006-12-20 11:42 <DIR> d-------- C:\WINDOWS\CSC
    2006-12-20 11:05 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
    2006-12-20 10:56 <DIR> d-------- C:\SOPHTEMP
    2006-12-12 10:19 <DIR> d-------- C:\Programmi\Data Access
    2006-11-21 11:55 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
    2006-11-21 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
    2006-11-21 11:40 <DIR> d-------- C:\Programmi\SpywareBlaster


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-07 07:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-11-03 09:34 -------- d--h----- C:\Programmi\FX Uninstall Information
    2006-10-20 02:38 714752 --a------ C:\WINDOWS\system32\sxs.dll
    2006-10-13 13:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
    2006-10-13 13:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
    2006-10-13 13:35 143360 --a------ C:\WINDOWS\system32\nwprovau.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Programmi\\Messenger\\msmsgs.exe\" /background"
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Skype"="\"C:\\Programmi\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
    "updateMgr"="\"C:\\Programmi\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SynTPLpr"="C:\\Programmi\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Programmi\\Synaptics\\SynTP\\SynTPEnh.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "LManager"="C:\\Programmi\\Launch Manager\\QtZgAcer.EXE"
    "ATIPTA"="C:\\Programmi\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "AGRSMMSG"="AGRSMMSG.exe"
    "Adobe Photo Downloader"="\"C:\\Programmi\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
    "ccApp"="\"C:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe\""
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "Winsystem"="C:\\WINDOWS\\system32\\Winsystema\\Freevideo5.EXE -n"
    "DataLayer"="C:\\PROGRA~1\\FILECO~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
    "PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="file:///D:/OFFICE/FOTOFAMILY/GIOVI.jpg"
    "SubscribedURL"="file:///D:/OFFICE/FOTOFAMILY/GIOVI.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,a6,01,00,00,e7,00,00,00,9c,00,00,00,90,00,00,00,e8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,6b,03,00,00,0d,00,00,00,4c,02,00,00,b7,01,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,21,03,00,00,20,00,00,00,4c,02,00,00,e0,01,\
    00,00,01,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Pagina iniziale corrente"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,f8,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,f8,03,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,f8,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoActiveDesktop"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Acrobat Speed Launcher.lnk]
    "backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
    "location"="Common Startup"
    "item"="Adobe Acrobat Speed Launcher"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^BTTray.lnk]
    "backup"="C:\\WINDOWS\\pss\\BTTray.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\WIDCOMM\\BLUETO~1\\BTTray.exe"
    "item"="BTTray"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Live Menu.lnk]
    "backup"="C:\\WINDOWS\\pss\\Live Menu.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\FILECO~1\\efax\\dllcmd32.exe /R /K C:\\PROGRA~1\\FILECO~1\\efax\\HsPfcW32.dll,JSPFCWSetHooking,1,0,0,0"
    "item"="Live Menu"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Stato di HP LaserJet 3150.lnk]
    "backup"="C:\\WINDOWS\\pss\\Stato di HP LaserJet 3150.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\jet95\\JETSTAT.EXE"
    "item"="Stato di HP LaserJet 3150"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="optimize"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="istsvc"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfAccuracy]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SAcc"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZia]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="kmojsacc"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Esegui scansione completa del sistema - Elena.job

    Completion time: 06-12-20 16:43:55.46
    C:\ComboFix2.txt ... 06-12-20 16:35
    C:\ComboFix.txt ... 06-12-20 16:43




    ************************GMER

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2006-12-20 16:24:37
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT 82D1D0D0 ZwAlertResumeThread
    SSDT 82CD9D28 ZwAlertThread
    SSDT 82B521D0 ZwAllocateVirtualMemory
    SSDT 82F2B488 ZwConnectPort
    SSDT \??\C:\Programmi\Symantec\SYMEVENT.SYS ZwCreateKey
    SSDT 82CB80A8 ZwCreateMutant
    SSDT 82D691D0 ZwCreateThread
    SSDT \??\C:\Programmi\Symantec\SYMEVENT.SYS ZwDeleteKey
    SSDT \??\C:\Programmi\Symantec\SYMEVENT.SYS ZwDeleteValueKey
    SSDT 82D34358 ZwFreeVirtualMemory
    SSDT 82D0C708 ZwImpersonateAnonymousToken
    SSDT 82D22B98 ZwImpersonateThread
    SSDT 82D22DB0 ZwMapViewOfSection
    SSDT 82CA5CC8 ZwOpenEvent
    SSDT 82CAB498 ZwOpenProcessToken
    SSDT 82CE7540 ZwOpenThreadToken
    SSDT 82EC1070 ZwQueryValueKey
    SSDT 82EBB1A8 ZwResumeThread
    SSDT 82D160D0 ZwSetContextThread
    SSDT 82CE6008 ZwSetInformationProcess
    SSDT 82CEE518 ZwSetInformationThread
    SSDT \??\C:\Programmi\Symantec\SYMEVENT.SYS ZwSetValueKey
    SSDT 82D9B008 ZwSuspendProcess
    SSDT 82CDDFD0 ZwSuspendThread
    SSDT 82CAB0E8 ZwTerminateProcess
    SSDT 82CE6838 ZwTerminateThread
    SSDT 82CA57F8 ZwUnmapViewOfSection
    SSDT 82C8DB48 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.12 ----

    PAGE ntoskrnl.exe!ZwOpenKey + 5 80567B00 8 Bytes [ 53, 8B, DD, 2B, DD, 4B, 8B, ... ]
    PAGE ntoskrnl.exe!ZwEnumerateKey + 7 8056EE6F 8 Bytes [ 51, 8B, C8, 2B, C8, 49, 8B, ... ]
    PAGE ntoskrnl.exe!IoCreateFile + 3 80570BF6 8 Bytes [ 50, 8B, C7, 2B, C7, 48, 8B, ... ]
    PAGE ntoskrnl.exe!NtQueryDirectoryFile + 3 805744A8 8 Bytes [ 52, 8B, D1, 2B, D1, 4A, 8B, ... ]
    PAGE ntoskrnl.exe!NtQuerySystemInformation + 5 8057C4AF 8 Bytes [ 53, 8B, D9, 2B, D9, 4B, 8B, ... ]

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINDOWS\SYSTEM32\ATTJIT.EXE[2824] ntdll.dll!RtlConvertUlongToLargeInteger + 75 7C9137BA 5 Bytes CALL 003201AA

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\RDPfNet \Device\dacPIPE IRP_MJ_CREATE 824F5FBD
    Device \Driver\RDPfNet \Device\dacPIPE IRP_MJ_CLOSE 824F5FBD
    Device \Driver\RDPfNet \Device\dacPIPE IRP_MJ_READ 824F5FBD
    Device \Driver\RDPfNet \Device\dacPIPE IRP_MJ_WRITE 824F5FBD
    Device \Driver\RDPfNet \Device\dacPIPE IRP_MJ_DEVICE_CONTROL 824F5FBD

    ---- Processes - GMER 1.0.12 ----

    Process C:\WINDOWS\SYSTEM32\ATTJIT.EXE (*** hidden *** ) 2824
    Library C:\WINDOWS\SYSTEM32\ATTJIT.EXE (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\ATTJIT.EXE [2824] 0x00400000

    ---- Files - GMER 1.0.12 ----

    File C:\WINDOWS\system32\drivers\agrerial.sys
    File C:\WINDOWS\system32\attjit.exe

    ---- EOF - GMER 1.0.12 ----
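    An added example (mine, not code from the poster or from GMER) that turns a GMER log like the one above into a triage summary: it groups the SSDT hooks by the module GMER attributes them to, separates out the ones that resolve only to a raw kernel address, and checks whether each hidden process also turns up in the Files section. The sample lines are a subset copied from the log above; the report wording and the "unattributed" label are this example's own.

```python
"""Triage a GMER rootkit-scan log: group SSDT hooks by owning module and
cross-reference hidden processes against the Files section."""
import re
from collections import defaultdict

# Sample lines copied from the GMER log posted above (trimmed to a few hooks).
SAMPLE_GMER = r"""
---- System - GMER 1.0.12 ----

SSDT 82D1D0D0 ZwAlertResumeThread
SSDT \??\C:\Programmi\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 82CB80A8 ZwCreateMutant
SSDT 82CAB0E8 ZwTerminateProcess

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\SYSTEM32\ATTJIT.EXE (*** hidden *** ) 2824

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\system32\drivers\agrerial.sys
File C:\WINDOWS\system32\attjit.exe
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")
HIDDEN_PROC_RE = re.compile(r"^Process\s+(.+?)\s+\(\*\*\* hidden \*\*\* ?\)\s+(\d+)$")
FILE_RE = re.compile(r"^File\s+(.+)$")
RAW_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # 32-bit kernel address, no owning module
UNATTRIBUTED = "<unattributed address>"         # label chosen for this example


def parse_gmer(text):
    """Return (hooks grouped by owner, hidden processes, files GMER singled out)."""
    hooks = defaultdict(list)
    hidden = []
    files = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            target, syscall = m.groups()
            # GMER prints either a module path (e.g. SYMEVENT.SYS) or a bare address.
            owner = UNATTRIBUTED if RAW_ADDR_RE.match(target) else target.rsplit("\\", 1)[-1]
            hooks[owner].append(syscall)
            continue
        m = HIDDEN_PROC_RE.match(line)
        if m:
            hidden.append((m.group(1), int(m.group(2))))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.group(1))
    return dict(hooks), hidden, files


def gmer_report(text):
    """Human-readable triage lines. An unattributed hook is a lead, not a verdict:
    legitimate security software hooks the SSDT too, so the analyst still has to
    resolve the address to a module before deciding anything."""
    hooks, hidden, files = parse_gmer(text)
    report = []
    for owner, calls in hooks.items():
        if owner == UNATTRIBUTED:
            report.append(f"{len(calls)} SSDT hook(s) resolve to raw addresses: {', '.join(calls)}")
        else:
            report.append(f"{len(calls)} SSDT hook(s) owned by {owner}")
    listed = {f.lower() for f in files}
    for image, pid in hidden:
        where = "also in Files section" if image.lower() in listed else "not in Files section"
        report.append(f"hidden process pid {pid}: {image} ({where})")
    return report


if __name__ == "__main__":
    for entry in gmer_report(SAMPLE_GMER):
        print(entry)
```

    The hooks that name SYMEVENT.SYS belong to the installed Norton product, which is why the script keeps attributed and unattributed hooks apart instead of flagging every hook; on the full log above, the process that is both hidden and singled out under Files is the one a human should look at first.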
     
  2. 2006/12/20
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Seems like we have some malware here and there, and looks like you may have already cleaned some up too.


    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.


    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\SYSTEM32\ATTJIT.EXE
    C:\WINDOWS\system32\drivers\agrerial.sys
    C:\WINDOWS\system32\drivers\pxscrmbl.sys


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.


    Reboot the system.


    Then please run the two following online scans.

    Panda ActiveScan
    • Click the [Scan your PC] button. ( You may have to disable any pop up blockers)
    • Then press the green [Check Now] button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    Kaspersky Online Scanner

    Click on Kaspersky Online Scanner icon.
    Accept the Kaspersky agreement and the program will load.
    You will then be prompted to install an ActiveX component from Kaspersky, click Yes

    The program will then begin downloading the latest definition files. This will take a few minutes, even with hi-speed.
    Once the files have been downloaded click on Next

    Now click on [Scan Settings] button.
    In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
    Click OK

    Now under the Please select a target to scan:
    Select My Computer

    The program will begin the scanning process.
    The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected.
    Then click on the [Save as Text] button
    Save the file to your desktop.

    Copy and paste that information in your next post for me to review.


    **Note: please edit out any references to 'cookies', 'Recycler folder' and 'System Volume Information Folder' from both logs.


    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    F3 - REG:win.ini: load=


    O1 - Hosts: 205.214.67.212 auto.search.msn.com


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [Winsystem] C:\WINDOWS\system32\Winsystema\Freevideo5.EXE -n


    O9 - Extra button: Winsystem - {491A5872-C30F-4E54-8FF1-BF31CC73DC4B} - C:\WINDOWS\system32\WINSYS~1\FREEVI~1.EXE (file missing)



    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:

    C:\WINDOWS\system32\Winsystema<<<<---this folder

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.


    Reboot, run GMER, then ComboFix and lastly HJT, and post all logs back into this thread.
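    As an added example that is not part of TeMerc's reply, the Python below applies the same kinds of judgement to HijackThis-style lines so the checks can be repeated on the fresh log requested above: orphaned entries ending in "(no file)" or "(file missing)", a hosts-file entry that pins a public domain, an autorun launching an executable from its own folder under system32, the broken Winsock LSP reported under O10, and the O17 name servers that need confirming against the ISP. The sample lines are copied from the log posted in this thread; the rule names, the fix/repair/verify actions and the heuristics are this example's own.

```python
"""Triage HijackThis-style log lines with the rules a helper applies by hand:
orphaned entries, hosts-file redirects, autoruns living in a system32 subfolder,
a broken Winsock LSP chain, and DNS servers that need manual confirmation."""
import re

# Sample lines copied from the HJT log posted above (a subset, so the example runs offline).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 205.214.67.212 auto.search.msn.com
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Winsystem] C:\WINDOWS\system32\Winsystema\Freevideo5.EXE -n
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Winsystem - {491A5872-C30F-4E54-8FF1-BF31CC73DC4B} - C:\WINDOWS\system32\WINSYS~1\FREEVI~1.EXE (file missing)
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{330EB682-B9CC-4A8B-9354-1AE3BCA9D3C8}: NameServer = 151.99.125.2,151.99.125.3
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\]\s+(.*)$")
# An .exe inside its own folder beneath system32 (two path segments after system32).
SYS32_SUBDIR_EXE_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.exe", re.IGNORECASE)
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
LSP_RE = re.compile(r"^O10 - .*LSP provider '([^']+)' missing")
DNS_RE = re.compile(r"^O17 - .*NameServer = (\S+)")


def finding(action, code, reason, line):
    return {"action": action, "code": code, "reason": reason, "line": line}


def triage_hjt(text):
    """Return one finding per line that matches a rule; clean lines produce nothing."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # Only the loopback mapping for localhost is a default; anything else
            # in a consumer hosts file silently redirects a public domain.
            if not (host.lower() == "localhost" and ip in ("127.0.0.1", "::1")):
                findings.append(finding("fix", "HOSTS_REDIRECT",
                                        f"{host} is pinned to {ip}", line))
            continue
        if ORPHAN_RE.search(line):
            findings.append(finding("fix", "ORPHAN_ENTRY",
                                    "entry references a file that no longer exists", line))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            # Vendors install under Program Files; an executable in its own folder
            # beneath system32 is the classic place for a dropper to hide.
            if SYS32_SUBDIR_EXE_RE.search(command):
                findings.append(finding("fix", "RUN_IN_SYSTEM32_SUBDIR",
                                        f"{hive} Run entry [{name}] starts {command}", line))
            continue
        m = LSP_RE.match(line)
        if m:
            # Deleting the DLL alone leaves a dangling Winsock provider and no
            # network; the LSP chain has to be repaired as well.
            findings.append(finding("repair", "LSP_BROKEN",
                                    f"Winsock LSP {m.group(1)} is registered but missing", line))
            continue
        m = DNS_RE.match(line)
        if m:
            findings.append(finding("verify", "DNS_SERVERS",
                                    f"confirm {m.group(1)} are the ISP's resolvers", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['action']:6}] {f['code']:22} {f['reason']}")
```

    The O10 rule is deliberately an action of its own: removing bmnet.dll's entry without repairing the Winsock provider chain leaves the machine with no network, which is the state the log already reports.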
     


  4. 2006/12/21
    momazzo

    momazzo Inactive Thread Starter

    Joined:
    2006/12/20
    Messages:
    2
    Likes Received:
    0
    Thank you! It worked :)
     
  5. 2006/12/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Still need those logs to verify things are gone.
     
