
help with axfreeporn dialer

Discussion in 'Malware and Virus Removal Archive' started by franni, 2007/03/19.

  1. 2007/03/19
    franni

    franni Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    12
    Likes Received:
    0
    Hi all!
    This is the 1st time I post a question on this forum. Hope I do it correctly :p
    I am experiencing problems while connected to internet. My connection is slow (50kbps) and this dialer drives me crazy :mad:

    Here is my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 16.02.48, on 18/03/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\PROGRA~1\SOLARI~1\Msde\binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    C:\Programmi\StopDialers\StopDialers.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Crazy Browser\Crazy Browser.exe
    C:\Programmi\MSN Messenger\msnmsgr.exe
    C:\Scaricamenti\HJ\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0410&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=0410&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=0410&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=0410&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0410&ac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Programmi\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe

    Thanks a lot in advance!!
     
  2. 2007/03/20
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0

  4. 2007/03/20
    franni

    franni Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    12
    Likes Received:
    0
    Hi Blender,

    thanks in advance for your time.
    StopDialer is a free tool I downloaded (Stop Dialers - 3.1 Lite Edition - By Socket2000) from the web, and it allows you to list and manage all wanted dial-up connections.

    Here is the log you asked for...sorry some parts are in italian :D

    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~

    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\CPQS\SCOM\BAK

    24/07/01 22.34 36.864 srmclean.exe
    1 File 36.864 byte
    2 Directory 27.194.900.480 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\WINDOWS\SYSTEM32\BAK

    19/08/04 15.39 15.360 ctfmon.exe
    1 File 15.360 byte
    2 Directory 27.194.900.480 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    15/01/07 18.28 108.160 ashDisp.exe
    1 File 108.160 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    14/08/02 17.29 290.816 atiptaxx.exe
    1 File 290.816 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\HPQ\DEFAUL~1\BAK

    23/10/02 13.19 176.197 cpqset.exe
    1 File 176.197 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\HPQ\NOTEBO~1\BAK

    15/08/02 06.26 45.056 hptasks.exe
    1 File 45.056 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\HPQ\ONE-TO~1\BAK

    14/10/02 18.57 98.304 OneTouch.EXE
    1 File 98.304 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    09/09/02 23.41 557.056 SynTPEnh.exe
    09/09/02 23.42 126.976 SynTPLpr.exe
    2 File 684.032 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

    18/08/05 10.49 307.200 AdobeUpdateManager.exe
    1 File 307.200 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\FILECO~1\REAL\UPDATE~1\BAK

    14/12/05 22.39 180.269 realsched.exe
    1 File 180.269 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\JAVA\JRE15~1.0\BIN\BAK

    06/04/05 21.38 36.972 jusched.exe
    1 File 36.972 byte
    2 Directory 27.194.896.384 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785


    26/03/03 10.15 684.032 DirectCD.exe
    1 File 684.032 byte
    2 Directory 27.194.892.288 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

    07/07/05 18.41 57.344 apdproxy.exe
    1 File 57.344 byte
    2 Directory 27.194.892.288 byte disponibili


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    23564 26 Feb 2007 "C:\cpqs\scom\srmclean.exe "
    36864 24 Jul 2001 "C:\cpqs\scom\bak\srmclean.exe "
    15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe "
    15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
    108160 15 Jan 2007 "C:\Programmi\Alwil Software\Avast4\ashDisp.exe "
    108160 15 Jan 2007 "C:\Programmi\Alwil Software\Avast4\bak\ashDisp.exe "
    23564 26 Feb 2007 "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    290816 14 Aug 2002 "C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe "
    176197 23 Oct 2002 "C:\SWSETUP\Default\Cpqset.exe "
    23564 26 Feb 2007 "C:\Programmi\HPQ\Default Settings\cpqset.exe "
    176197 23 Oct 2002 "C:\Programmi\HPQ\Default Settings\bak\cpqset.exe "
    23564 26 Feb 2007 "C:\Programmi\HPQ\Notebook Utilities\hptasks.exe "
    45056 15 Aug 2002 "C:\Programmi\HPQ\Notebook Utilities\bak\hptasks.exe "
    23564 26 Feb 2007 "C:\Programmi\HPQ\One-Touch\OneTouch.EXE "
    98304 14 Oct 2002 "C:\SWSETUP\OneTouch\Disk1\ONETOUCH.EXE "
    98304 14 Oct 2002 "C:\Programmi\HPQ\One-Touch\bak\OneTouch.EXE "
    557056 9 Sep 2002 "C:\SWSETUP\Touchpad\SynTPEnh.exe "
    23564 26 Feb 2007 "C:\Programmi\Synaptics\SynTP\SynTPEnh.exe "
    557056 9 Sep 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe "
    126976 9 Sep 2002 "C:\SWSETUP\Touchpad\SynTPLpr.exe "
    23564 26 Feb 2007 "C:\Programmi\Synaptics\SynTP\SynTPLpr.exe "
    126976 9 Sep 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe "
    23564 26 Feb 2007 "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe "
    307200 18 Aug 2005 "C:\Programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe "
    23564 26 Feb 2007 "C:\Programmi\File comuni\Real\Update_OB\realsched.exe "
    180269 14 Dec 2005 "C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe "
    23564 26 Feb 2007 "C:\Programmi\Java\jre1.5.0\bin\jusched.exe "
    36972 6 Apr 2005 "C:\Programmi\Java\jdk1.5.0\jre\bin\jusched.exe "
    36972 6 Apr 2005 "C:\Programmi\Java\jre1.5.0\bin\bak\jusched.exe "
    23564 26 Feb 2007 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    684032 26 Mar 2003 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe "
    57344 7 Jul 2005 "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe "


    end of report
     
  5. 2007/03/20
    franni

    franni Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    12
    Likes Received:
    0
    By the way, the tool Stop Dialer I have is the one from the link you found
     
  6. 2007/03/21
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi franni,

    Thanks for telling me about that program. I thought it looked OK but I can't read Italian. I did ask a colleague of mine who can. :D

    Please print out or save instructions to notepad. We'll need to be in safe mode to do the fix.

    Preparation:

    The attached file is for this computer ONLY! This infection requires a different fix for each user. This file will NOT work on other computers!

    1.) Attached to post is file called remawf.zip.
    Please download this file, save it to desktop and unzip it.
    You should have remawf.bat when done.
    Do nothing with it yet.

    2.) Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop.
    Do nothing with it yet.

    3.) Download: ResetProtocolDefaults.reg
    http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg
    Do nothing with it yet.

    4.) Download ATF Cleaner by Atribune and save it to your Desktop.

    http://www.atribune.org/ccount/click.php?id=1

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

    When you have finished, click on the Exit button in the Main menu.

    Fixing:

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    Once started the graphics will look awful. Normal for safe mode.

    1.) Locate ResetProtocolDefaults.reg
    Right click it> choose merge
    Answer yes and OK.

    This resets your default IE security settings.

    2.) Locate DelDomains.inf
    Right click it, choose install
    You won't see much happening. Cursor might flicker but that is it.

    This removes bad domains from trusted zone.

    3.) Locate remawf.bat you saved earlier.
    Double click it and let it run.
    You will see a "dos" box flash up & disappear. Normal.

    This replaces the trojaned files with the backups.

    4.) Restart to normal mode. (restart the computer as usual)

    5.) Start Hijackthis
    Run system scan & save log file.
    Post log here.

    6.) Run FindAwf again and post the log it creates.

    7.) Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    It may take a couple posts to get all logs in.
    If Kaspersky log is huge you can upload it here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Do include link to this thread so I know who the log belongs to.

    Let me know how the computer is running.

    Thanks :)

    If you had SpywareBlaster or IE-Spyads installed you will need to re-enable protection for SpywareBlaster and re-install IE-Spyads because when we fixed the bad items added we also removed protection these programs offer.
     
  7. 2007/03/21
    orang

    orang Inactive

    Joined:
    2007/03/21
    Messages:
    1
    Likes Received:
    0
  8. 2007/03/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello orang and welcome to WindowsBBS forums.

    As good a scanner as both Spybot and Ad-Aware are, neither can deal with this infection in any way. It requires some specific file searches that they cannot handle. Then there are some manual removals as well.

    We appreciate your eagerness to help, but we'd appreciate it if you'd let those more experienced in malware removal take care of our users.

    Thanks for understanding.
     
  9. 2007/03/21
    franni

    franni Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    12
    Likes Received:
    0
    Hi,

    thanks for all the detailed information!!!

    Here is the log from HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 22.55.42, on 21/03/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\PROGRA~1\SOLARI~1\Msde\binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    C:\Programmi\StopDialers\StopDialers.exe
    C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Scaricamenti\HJ\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=0410&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0410&ac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Programmi\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe


    and this the one from AWF


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~

    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\CPQS\SCOM\BAK

    24/07/01 22.34 36.864 srmclean.exe
    1 File 36.864 byte
    2 Directory 27.608.510.464 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\WINDOWS\SYSTEM32\BAK

    19/08/04 15.39 15.360 ctfmon.exe
    1 File 15.360 byte
    2 Directory 27.608.510.464 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    15/01/07 18.28 108.160 ashDisp.exe
    1 File 108.160 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    14/08/02 17.29 290.816 atiptaxx.exe
    1 File 290.816 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\HPQ\DEFAUL~1\BAK

    23/10/02 13.19 176.197 cpqset.exe
    1 File 176.197 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\HPQ\NOTEBO~1\BAK

    15/08/02 06.26 45.056 hptasks.exe
    1 File 45.056 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\HPQ\ONE-TO~1\BAK

    14/10/02 18.57 98.304 OneTouch.EXE
    1 File 98.304 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    09/09/02 23.41 557.056 SynTPEnh.exe
    09/09/02 23.42 126.976 SynTPLpr.exe
    2 File 684.032 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

    18/08/05 10.49 307.200 AdobeUpdateManager.exe
    1 File 307.200 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\FILECO~1\REAL\UPDATE~1\BAK

    14/12/05 22.39 180.269 realsched.exe
    1 File 180.269 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\JAVA\JRE15~1.0\BIN\BAK

    06/04/05 21.38 36.972 jusched.exe
    1 File 36.972 byte
    2 Directory 27.608.506.368 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785


    26/03/03 10.15 684.032 DirectCD.exe
    1 File 684.032 byte
    2 Directory 27.608.502.272 byte disponibili
    Il volume nell'unità C non ha etichetta.
    Numero di serie del volume: 5879-B785

    Directory di C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

    07/07/05 18.41 57.344 apdproxy.exe
    1 File 57.344 byte
    2 Directory 27.608.502.272 byte disponibili


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    36864 24 Jul 2001 "C:\cpqs\scom\srmclean.exe "
    36864 24 Jul 2001 "C:\cpqs\scom\bak\srmclean.exe "
    15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe "
    15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
    108160 15 Jan 2007 "C:\Programmi\Alwil Software\Avast4\ashDisp.exe "
    108160 15 Jan 2007 "C:\Programmi\Alwil Software\Avast4\bak\ashDisp.exe "
    290816 14 Aug 2002 "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    290816 14 Aug 2002 "C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe "
    176197 23 Oct 2002 "C:\SWSETUP\Default\Cpqset.exe "
    176197 23 Oct 2002 "C:\Programmi\HPQ\Default Settings\cpqset.exe "
    176197 23 Oct 2002 "C:\Programmi\HPQ\Default Settings\bak\cpqset.exe "
    45056 15 Aug 2002 "C:\Programmi\HPQ\Notebook Utilities\hptasks.exe "
    45056 15 Aug 2002 "C:\Programmi\HPQ\Notebook Utilities\bak\hptasks.exe "
    98304 14 Oct 2002 "C:\Programmi\HPQ\One-Touch\OneTouch.EXE "
    98304 14 Oct 2002 "C:\SWSETUP\OneTouch\Disk1\ONETOUCH.EXE "
    98304 14 Oct 2002 "C:\Programmi\HPQ\One-Touch\bak\OneTouch.EXE "
    557056 9 Sep 2002 "C:\SWSETUP\Touchpad\SynTPEnh.exe "
    557056 9 Sep 2002 "C:\Programmi\Synaptics\SynTP\SynTPEnh.exe "
    557056 9 Sep 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe "
    126976 9 Sep 2002 "C:\SWSETUP\Touchpad\SynTPLpr.exe "
    126976 9 Sep 2002 "C:\Programmi\Synaptics\SynTP\SynTPLpr.exe "
    126976 9 Sep 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe "
    307200 18 Aug 2005 "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe "
    307200 18 Aug 2005 "C:\Programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe "
    180269 14 Dec 2005 "C:\Programmi\File comuni\Real\Update_OB\realsched.exe "
    180269 14 Dec 2005 "C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe "
    36972 6 Apr 2005 "C:\Programmi\Java\jre1.5.0\bin\jusched.exe "
    36972 6 Apr 2005 "C:\Programmi\Java\jdk1.5.0\jre\bin\jusched.exe "
    36972 6 Apr 2005 "C:\Programmi\Java\jre1.5.0\bin\bak\jusched.exe "
    684032 26 Mar 2003 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    684032 26 Mar 2003 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe "
    57344 7 Jul 2005 "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe "


    end of report

    Kaspersky is only at 9%...I may be awake the whole night :eek:
     
  10. 2007/03/21
    franni

    franni Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    12
    Likes Received:
    0
    ...23%...
    Does anyone know a good free firewall?
    How is winsock-firewall-2.0, any good?
    ...31%..
     
  11. 2007/03/22
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Thanks for the log. Looking good. Let's hope Kaspersky scan turns out well.
    I hope you got some sleep! :p

    I never heard of Winsock-Firewall. Not sure how good it is.

    However I do have a short list of good freebies :)
    Only pick one though so you don't have conflicts.
    The new firewall will want to shut off the windows one. Do let it.

    Zone Alarm:
    http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

    Outpost:
    http://www.agnitum.com/products/outpostfree/download.php

    Comodo:
    http://www.personalfirewall.comodo.com/

    Sunbelt kerio:
    http://www.sunbelt-software.com/Kerio.cfm

    Understanding and using firewalls:

    http://www.bleepingcomputer.com/tutorials/tutorial60.html

    ---------------------

    Those "bak" folders we should clean up.

    Copy the following text inside code box to a new notepad file.
    Save as file name: Finish.bat
    As file types: All Files
    Save it to the desktop.

    Code:
    @echo off
    
    rmdir /s /q "C:\cpqs\scom\bak"
    rmdir /s /q "C:\WINDOWS\system32\bak"
    rmdir /s /q "C:\Programmi\Alwil Software\Avast4\bak"
    rmdir /s /q "C:\Programmi\ATI Technologies\ATI Control Panel\bak"
    rmdir /s /q "C:\Programmi\HPQ\Default Settings\bak"
    rmdir /s /q "C:\Programmi\HPQ\Notebook Utilities\bak"
    rmdir /s /q "C:\Programmi\HPQ\One-Touch\bak"
    rmdir /s /q "C:\Programmi\Synaptics\SynTP\bak"
    rmdir /s /q "C:\Programmi\Adobe\Acrobat 7.0\Reader\bak"
    rmdir /s /q "C:\Programmi\File comuni\Real\Update_OB\bak"
    rmdir /s /q "C:\Programmi\Java\jre1.5.0\bin\bak"
    rmdir /s /q "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak"
    rmdir /s /q "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak"
    
    
    Once you have it saved, double click it to run.
    A "dos" window will flash up and disappear. Normal.

    This just deletes the "bak" folders where the trojan put copies of your good files.

    You can delete the following:

    Fixawf.bat & its zip
    DelDomains.inf
    ResetPorotocols.reg
    Finish.bat

    I'd keep that ATF-Cleaner.
    Handy tool for cleaning up your temporary files.

    Next time you use it though I would untick "prefetch".
    Prefetch folder is what helps load your programs faster.
    We only emptied it out this time because of malware.

    I'll check back when you post the Kaspersky log or if you run into problems.

    :)
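
    A pre-deletion check for the clean-up step above, as an added example that is not part of the original post or of FindAWF: it parses report lines in the layout posted in this thread (size, date, quoted path) and emits `rmdir` lines only for `bak` folders in which every file has a same-size counterpart in the parent folder. The sample report and its paths are constructed, and treating the parent-folder file as the restored original is an assumption.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, join, normcase  # Windows path rules on any OS

# One report line: size, "D Mon YYYY", quoted path. A stray space before the
# closing quote (as seen in the pasted report) is tolerated.
LINE_RE = re.compile(r'^\s*(\d+)\s+(\d{1,2} \w{3} \d{4})\s+"([^"]+?)\s*"\s*$')

# Constructed sample, modelled on the "Duplicate files" section of the report.
SAMPLE_REPORT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
   36972  6 Apr 2005 "C:\Apps\Updater\sched.exe"
   36972  6 Apr 2005 "C:\Apps\Updater\bak\sched.exe "
  684032 26 Mar 2003 "C:\Apps\Burner\burn.exe"
  684032 26 Mar 2003 "C:\Apps\Burner\bak\burn.exe"
   57344  7 Jul 2005 "C:\Apps\Album\bak\proxy.exe"
   20480  1 Jan 2004 "C:\Apps\Tray\tray.exe"
   61440  1 Jan 2004 "C:\Apps\Tray\bak\tray.exe"

end of report
'''


def parse_report(text):
    """Return [(size, date, path)] for every file line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def classify_bak_dirs(entries):
    """Split bak folders into (safe, hold).

    safe: every file in the folder has a same-size file of the same name in
          the parent folder (assumed to be the restored original).
    hold: folder -> list of reasons it should be looked at by hand first.
    """
    by_path = {normcase(path): size for size, _date, path in entries}
    bak_dirs = {}                      # dict keeps first-seen order
    problems = defaultdict(list)

    for size, _date, path in entries:
        folder = dirname(path)
        if normcase(basename(folder)) != "bak":
            continue                   # not a bak copy, nothing to check
        bak_dirs.setdefault(folder, None)
        name = basename(path)
        original = join(dirname(folder), name)
        original_size = by_path.get(normcase(original))
        if original_size is None:
            problems[folder].append(f"{name}: no restored original listed")
        elif original_size != size:
            problems[folder].append(
                f"{name}: size {size} differs from original ({original_size})")

    safe = [d for d in bak_dirs if d not in problems]
    hold = {d: problems[d] for d in bak_dirs if d in problems}
    return safe, hold


def render_cleanup(safe_dirs):
    """Batch lines for the folders that passed the check."""
    return [f'rmdir /s /q "{d}"' for d in safe_dirs]


if __name__ == "__main__":
    safe, hold = classify_bak_dirs(parse_report(SAMPLE_REPORT))
    print("\n".join(render_cleanup(safe)))
    for folder, reasons in hold.items():
        print(f"HOLD {folder}: " + "; ".join(reasons))
```

    Equal size is only a quick screen; comparing file hashes on the machine itself is the stronger confirmation before a `bak` copy is deleted.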
     
  12. 2007/03/22
    franni

    Hi Blender,

    let's see if I can put a comment this time.
    I keep getting an error message while connected to the internet, once it was IE, another time svchost.exe, which gives me an application error, turns my screen into a white background and disconnects me from the internet connection.
    This is why last night I got to 80% scanning and then I had to switch off.
    Today is the 2nd time I try.
    I'll put the log once I manage to get it :(

    thanks again and have a nice day!
     
  13. 2007/03/22
    Blender

    Hi,

    Might need to wait for that scan till things are working better.

    Can you post me a fresh hijackthis log and a fresh FindAWF log please.

    Are you on dial-up?
    Please check here:

    Open Internet options in your control panel
    Click the "connections" tab
    Under Dialup and VPN connections if "axfreeporn" is listed; highlight it and choose "remove"
    Ok the prompt if you get one.

    Let me know if the ax connection was present. It is not always present.

    Thanks :)
     
  14. 2007/03/22
    franni

    Hi Blender,

    I am on dial-up, correct. I manually removed the AxFreePorn connection and now I am surfing the web without being annoyed by that dialer (fingers crossed).

    Here are the logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 22.14.46, on 22/03/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\SOLARI~1\Msde\binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmi\Crazy Browser\Crazy Browser.exe
    C:\Programmi\TextPad 4\TextPad.exe
    C:\Scaricamenti\HJ\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0410&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0410&ac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Programmi\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6514F0BA-F212-4A9D-A79B-399B57C3D9D8}: NameServer = 62.94.0.41 62.94.0.42
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe

    ---------
    Find AWF report by noahdfear ©2006

    bak folders found
    ~~~~~~~~~~~

    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    end of report

    Last one seems quite clear :rolleyes:
    As far as I can remember, the application error arose after I had been connected for over 30 mins (it happened at least 3 or 4 times but not every day).
     
  15. 2007/03/23
    Blender

    Hi,

    Good to hear things are working better.
    Both logs look clean.

    I suspect you were getting those errors because AxFreePorn had set itself as default connection and since the files were gone...you got an error.
    As soon as you deleted AxFreePorn your true connection moved up back to default as it was before infection.

    Your own antivirus scans run clean?

    We can delete the tools we used to clean up the infection (if you didn't already):

    FindAWF.exe (and its logs)
    ResetProtocolDefaults.reg
    DElDomains.inf
    Those batch files I had you download (fixawf.bat, finish.bat)

    In addition to one of the firewalls I had mentioned earlier there are a couple of other programs you will benefit from.

    IE-Spyad <--this puts several thousand sites in restricted zone for IE. If you happen on a site within its list they can't hijack you or install anything.
    Program is free and updated about once a month.

    Tutorial:

    http://www.bleepingcomputer.com/tutorials/tutorial53.html

    Spywareblaster <--this prog blocks known bad active x controls, many tracking cookies and puts more sites in restricted zone.
    Install> update> enable all protection.
    Updates are about once a month and is free.

    Install an alternative browser for day to day surfing.
    These 2 are free and have a lot less security issues than IE:

    Opera Browser

    FireFox Browser

    Other good suggestions/tips to help you stay clean at these links:

    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
    http://boards.cexx.org/index.php?topic=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml


    After a few reboots and checking to see that all is well; it is highly recommended to reset your system restore to remove any possible backed up infected files there.

    Right click "my computer"
    Click "properties"
    Click "system restore" tab
    Checkmark "turn off system restore"
    Hit apply> ok> ok.

    Reboot

    Go back and turn system restore back on by removing the check, hit apply, and OK.

    A new restore point is created at this time.
    You will not be able to restore computer to any earlier than today.

    Keep well & surf safe!

    Tammy
     
  16. 2007/04/02
    franni

    Hi,

    here I am back.
    I installed Mozilla and a light firewall called ISafer (just as a start) but I keep getting errors with
    "Generic host process for win32 services has encountered a problem and needs to close"
    after a while I am connected to the internet.
    I thought it was due to printer drivers but removing them didn't help.
    I just looked at your site and found that many other people have the same issue.
    Any suggestions?

    thanks again a lot! :eek:
     
  17. 2007/04/02
    Blender

    Hi,

    Since it has been a while can you post a fresh hijackthis log please?

    Thanks :)
     
  18. 2007/04/03
    franni

    :p I should have thought about it..here it comes

    Logfile of HijackThis v1.99.1
    Scan saved at 22.25.51, on 03/04/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\PROGRA~1\SOLARI~1\Msde\binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    C:\Programmi\PSMKorea\iSafer\iSafer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Scaricamenti\HJ\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=0410&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0410&ac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Programmi\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6514F0BA-F212-4A9D-A79B-399B57C3D9D8}: NameServer = 62.94.0.41 62.94.0.42
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe

    thanks
    :)
     
  19. 2007/04/04
    Blender

    Hi,

    Download Deckard's System Scanner to your Desktop:

    http://www.techsupportforum.com/sectools/Deckard/dss.exe
    http://deckard.geekstogo.com/dss.exe

    Close all applications and windows.
    Double-click on dss.exe to run it, and follow the prompts.
    When the scan is complete, a text file will open - Main.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
    A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.

    Please post Extra.txt as well.

    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    You may need to use 2 posts to get both logs in.

    Thanks :)
     
  20. 2007/04/06
    franni

    FYI, I have found the error message on the MS Support site and I have downloaded a fix, MS 894391 but I still have to check if it works or not (the error usually comes up after a while I am connected).


    Here is the main.txt provided by the DSS

    Deckard's System Scanner v20070328.36
    Run by MASSIMO on 2007-04-06 at 14:50:32
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    21: 2007-04-06 12:50:39 UTC - RP116 - Deckard's System Scanner Restore Point
    20: 2007-04-06 10:42:50 UTC - RP115 - Installazione KB894391 per Windows XP completata.
    19: 2007-03-28 17:32:23 UTC - RP114 - Punto di arresto del sistema
    18: 2007-03-20 17:13:23 UTC - RP113 - Punto di arresto del sistema
    17: 2007-03-19 10:21:55 UTC - RP112 - Agnitum Outpost Firewall 1.0 Installation


    -- First Restore Point --
    1: 2007-01-29 12:09:15 UTC - RP96 - Removed Digimax Master


    Backed up registry hives.

    Performed disk cleanup.


    -- HijackThis (run as MASSIMO.exe) ---------------------------------------------

    HijackThis failed to provide a log after three minutes; running clone instead.
    -- HijackThis Clone ------------------------------------------------------------

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-04-06 14:54:27
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.0.2900.2180)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Programmi\Solari di Udine\Msde\Binn\sqlservr.exe
    C:\WINDOWS\explorer.exe
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Programmi\HPQ\One-Touch\OneTouch.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\alg.exe
    C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\Programmi\Alwil Software\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    C:\Programmi\StopDialers\StopDialers.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\MASSIMO\Desktop\dss.exe
    C:\WINDOWS\system32\taskmgr.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=0410&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0410&ac
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Programmi\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Programmi\Solari di Udine\Msde\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\NPJPI150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\NPJPI150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
    O23 - Service: avast! Antivirus - Unknown owner - "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
    O23 - Service: avast! Mail Scanner - ALWIL Software - "C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service
    O23 - Service: avast! Web Scanner - ALWIL Software - "C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service
    O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe


    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 caboagp (ATI Cabo AGP Filter) - c:\windows\system32\drivers\atisgkaf.sys
    R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys
    R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys
    R1 cdudf_xp - c:\windows\system32\drivers\cdudf_xp.sys
    R1 pwd_2k - c:\windows\system32\drivers\pwd_2k.sys
    R1 UdfReadr_xp - c:\windows\system32\drivers\udfreadr_xp.sys
    R2 irda (Protocollo IrDA) - c:\windows\system32\drivers\irda.sys
    R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
    R2 NwlnkIpx (Protocollo di trasporto compatibile NWLink IPX/SPX/NetBIOS) - c:\windows\system32\drivers\nwlnkipx.sys
    R2 NwlnkNb (NWLink NetBIOS) - c:\windows\system32\drivers\nwlnknb.sys
    R2 NwlnkSpx (Protocollo NWLink SPX/SPXII) - c:\windows\system32\drivers\nwlnkspx.sys
    R2 StreamDispatcher - c:\windows\system32\drivers\strmdisp.sys
    R3 CALIAUD (Conexant AMC 3D ENVIRONMENTAL AUDIO) - c:\windows\system32\drivers\caliaud.sys
    R3 CALIHALA - c:\windows\system32\drivers\calihal.sys
    R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys
    R3 DP83815 (National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver) - c:\windows\system32\drivers\dp83815.sys
    R3 HPCI (HP Configuration Interface) - c:\windows\system32\drivers\hpci.sys
    R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
    R3 HSFHWALI - c:\windows\system32\drivers\hsfhwali.sys
    R3 mmc_2K - c:\windows\system32\drivers\mmc_2k.sys
    R3 MODEMCSA (Periferica filtro flusso Unimodem) - c:\windows\system32\drivers\modemcsa.sys
    R3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
    R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys

    S3 3C154G (3Com OfficeConnect 802.11g PC Card Driver) - c:\windows\system32\drivers\3c154g72.sys
    S3 ALiIRDA (ALi Infrared Device Driver) - c:\windows\system32\drivers\aliirda.sys
    S3 allegro (Driver audio ESS Allegro (WDM)) - c:\windows\system32\drivers\es198x.sys
    S3 atimpab - c:\windows\system32\drivers\atimpab.sys
    S3 CE3 (Servizio scheda Xircom Ethernet 10/100) - c:\windows\system32\drivers\ce3n5.sys
    S3 dvd_2K - c:\windows\system32\drivers\dvd_2k.sys
    S3 nm (Driver di Network Monitor) - c:\windows\system32\drivers\nmnt.sys
    S3 TNET1130 (IEEE 802.11g Wireless Cardbus/PCI Adapter) - c:\windows\system32\drivers\tnet1130.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 HPConfig (HP Configuration Interface Service) - c:\windows\system32\hpconfig.exe
    R2 HPWirelessMgr - c:\programmi\hpq\notebook utilities\hpwirelessmgr.exe
    R2 Irmon (Monitor infrarossi) - c:\windows\system32\svchost.exe -k netsvcs
    R2 MSSQLServer - c:\progra~1\solari~1\msde\binn\sqlservr.exe

    S3 SQLServerAgent - c:\progra~1\solari~1\msde\binn\sqlagent.exe


    -- Scheduled Tasks -------------------------------------------------------------

    2005-05-07 23:38:34 110 --a------ C:\WINDOWS\Tasks\Low Battery Alarm Program.job<LOWBAT~1.JOB>


    -- Files created between 2007-03-06 and 2007-04-06 -----------------------------

    2007-04-04 12:06:38 0 d-------- C:\gescom
    2007-04-03 17:28:24 968704 --a------ C:\WINDOWS\system32\hha.dll
    2007-04-03 17:23:58 0 d-------- C:\Programmi\ImagEdit
    2007-04-03 17:22:41 159744 --a------ C:\WINDOWS\system32\hwdll.dll
    2007-04-03 17:22:41 0 d-------- C:\Help Workshop<HELPWO~1>
    2007-03-26 20:45:27 0 d-------- C:\WINDOWS\system32\LogFiles
    2007-03-25 23:06:21 0 --a------ C:\WINDOWS\nsreg.dat
    2007-03-23 19:10:49 0 -ra------ C:\WINDOWS\system32\TFTP3968
    2007-03-23 11:34:33 0 d-------- C:\Programmi\PSMKorea
    2007-03-22 00:02:27 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
    2007-03-19 12:19:50 0 d-------- C:\!KillBox
    2007-03-16 00:40:41 0 d-------- C:\Programmi\SpywareBlaster<SPYWAR~1>
    2007-03-15 18:35:29 0 d-------- C:\BARCODES
    2007-03-15 12:42:58 2928 --a------ C:\WINDOWS\system32\tmp.reg
    2007-03-14 17:19:26 147456 -ra------ C:\WINDOWS\system32\ZUNINST.EXE
    2007-03-14 17:19:24 19456 -ra------ C:\WINDOWS\system32\ZTAG32.DLL
    2007-03-14 17:19:24 36864 -ra------ C:\WINDOWS\system32\ZSTATUS.EXE
    2007-03-14 17:19:24 86016 -ra------ C:\WINDOWS\system32\ZSPOOL.DLL
    2007-03-14 17:19:24 73728 -ra------ C:\WINDOWS\system32\ZSHP1000.DLL
    2007-03-14 17:19:24 54784 -ra------ C:\WINDOWS\system32\ZPJL.DLL
    2007-03-14 17:19:24 77824 -ra------ C:\WINDOWS\system32\ZLMhp1.DLL
    2007-03-14 17:19:24 28672 -ra------ C:\WINDOWS\system32\ZLM.DLL
    2007-03-14 17:19:24 9216 -ra------ C:\WINDOWS\system32\ZLANG.DLL
    2007-03-14 17:19:24 23552 -ra------ C:\WINDOWS\system32\ZGDI32.DLL
    2007-03-14 17:19:24 98304 -ra------ C:\WINDOWS\system32\VSETUP.DLL
    2007-03-14 17:19:24 900388 -ra------ C:\WINDOWS\system32\HPFLASH1.EXE
    2007-03-14 17:19:23 71168 -ra------ C:\WINDOWS\system32\SD32.DLL
    2007-03-14 17:19:23 12288 -ra------ C:\WINDOWS\system32\IMF32.DLL
    2007-03-13 16:54:58 0 d-------- C:\WINDOWS\Prefetch
    2007-03-12 14:18:36 59392 --a------ C:\WINDOWS\system32\UFLBCODE.DLL
    2007-03-12 14:16:42 53248 --a------ C:\WINDOWS\system32\u2lbcode.dll
    2007-03-07 16:07:50 225280 -ra------ C:\WINDOWS\system32\CCU3C154.exe
    2007-03-07 16:07:50 16831 -ra------ C:\WINDOWS\system32\CCU3C154.dll
    2007-03-07 16:07:49 386432 -ra------ C:\WINDOWS\system32\drivers\3C154G72.sys


    -- Find3M Report ---------------------------------------------------------------

    2007-04-06 14:54:28 0 d-------- C:\Programmi\StopDialers<STOPDI~1>
    2007-04-02 19:10:16 406534 --a------ C:\WINDOWS\system32\perfh010.dat
    2007-04-02 19:10:16 54168 --a------ C:\WINDOWS\system32\perfc010.dat
    2007-03-30 16:34:53 1010 --a------ C:\transaz.dat
    2007-03-25 23:06:44 0 d-------- C:\Documents and Settings\MASSIMO\Dati applicazioni\Talkback
    2007-03-25 23:06:10 0 d-------- C:\Documents and Settings\MASSIMO\Dati applicazioni\Mozilla
    2007-03-25 23:02:43 53096 --a------ C:\Documents and Settings\MASSIMO\Dati applicazioni\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
    2007-03-24 18:43:24 0 d-------- C:\Documents and Settings\MASSIMO\Dati applicazioni\TextPad
    2007-03-24 00:01:53 1386 --a------ C:\transaz_CONTR.dat<TRANSA~4.DAT>
    2007-03-21 18:21:44 0 d-------- C:\Programmi\DivX
    2007-03-20 00:17:10 0 d-------- C:\Documents and Settings\MASSIMO\Dati applicazioni\MSN6
    2007-03-06 15:25:51 0 d-------- C:\Programmi\File comuni\Designer
    2007-03-06 15:25:34 0 d-------- C:\Programmi\File comuni\Microsoft Shared<MICROS~1>
    2007-03-04 18:48:19 0 d-------- C:\Programmi\File comuni<FILECO~1>
    2007-03-03 15:46:25 0 d--h----- C:\Programmi\InstallShield Installation Information<INSTAL~1>
    2007-02-26 22:38:30 0 d-------- C:\Programmi\File comuni\Adobe
    2007-02-12 22:36:10 0 d-------- C:\Documents and Settings\MASSIMO\Dati applicazioni\AdobeUM
    2007-02-07 13:27:38 0 d---s---- C:\Documents and Settings\MASSIMO\Dati applicazioni\Microsoft<MICROS~1>
    2007-01-15 19:32:07 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-01-15 19:23:20 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr


    -- Registry Dump ---------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "updateMgr"="C:\\Programmi\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
    "MSMSGS"="\"C:\\Programmi\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATIModeChange"="Ati2mdxx.exe"
    "CARPService"="carpserv.exe"
    "ATIPTA"="C:\\Programmi\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
    "srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
    "Display Settings"="C:\\Programmi\\HPQ\\Notebook Utilities\\hptasks.exe /s"
    "QT4HPOT"="C:\\PROGRA~1\\HPQ\\ONE-TO~1\\OneTouch.EXE"
    "SynTPLpr"="C:\\Programmi\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Programmi\\Synaptics\\SynTP\\SynTPEnh.exe"
    "Cpqset"="C:\\Programmi\\HPQ\\Default Settings\\cpqset.exe"
    "AdaptecDirectCD"="\"C:\\Programmi\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "SunJavaUpdateSched"="C:\\Programmi\\Java\\jre1.5.0\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Programmi\\File comuni\\Real\\Update_OB\\realsched.exe\" -osboot"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"


    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

    -- End of Deckard's System Scanner: finished at 2007-04-06 at 14:55:06 ---------
     
  21. 2007/04/06
    franni

    franni Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    12
    Likes Received:
    0
    And here are the extras:

    Deckard's System Scanner v20070328.36
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: Italian

    CPU 0: Mobile Intel(R) Celeron(R) CPU 2.40GHz
    Percentage of Memory in Use: 51%
    Physical Memory (total/avail): 446.98 MiB / 218.6 MiB
    Pagefile Memory (total/avail): 673.65 MiB / 461.06 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1991.06 MiB

    A: is Removable (Unformatted)
    C: is Fixed (NTFS) - 37.25 GiB total, 25.53 GiB free.
    D: is CDROM (No Media)


    -- Security Center -------------------------------------------------------------

    AUOptions is set to notify before download.
    Windows Internal Firewall is disabled.

    FirewallOverride is set.

    AV: avast! antivirus 4.7.942 [VPS 000730-4] v4.7.942 (ALWIL Software)


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\MASSIMO\Dati applicazioni
    CLIENTNAME=Console
    CommonProgramFiles=C:\Programmi\File comuni
    COMPUTERNAME=FRANCESCA
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\MASSIMO
    JAVA_HOME=C:\Programmi\Java\jdk1.5.0
    LOGONSERVER=\\FRANCESCA
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Programmi\ATI Technologies\ATI Control Panel;C:\Programmi\File comuni\Adaptec Shared\System;C:\Programmi\Java\jdk1.5.0\bin;C:\Programmi\Solari di Udine\Msde\BINN
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Programmi
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\MASSIMO\IMPOST~1\Temp
    TMP=C:\DOCUME~1\MASSIMO\IMPOST~1\Temp
    USERDOMAIN=FRANCESCA
    USERNAME=MASSIMO
    USERPROFILE=C:\Documents and Settings\MASSIMO
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    MASSIMO (admin)
    Administrator (new local, admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Programmi\File comuni\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\WINDOWS\IsUn0410.exe -f "C:\Programmi\COMPAQ\Software Setup\Uninst.isu" -c "C:\Programmi\COMPAQ\Software Setup\CPQUNST.DLL"
    --> C:\WINDOWS\IsUn0410.exe -fC:\WINDOWS\orun32.isu
    --> C:\WINDOWS\uninst.exe -fc:\compaq\lutil\DeIsL1.isu
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Reader 7.0.5 - Italiano --> MsiExec.exe /I{AC76BA86-7AD7-1040-7B44-A70500000002}
    Aggiornamento per Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
    Aggiornamento per Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    ATI Control Panel --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
    ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
    BDE ver. 5.11 --> C:\WINDOWS\uninst.exe -f "C:\Programmi\Common Files\Borland Shared\BDE\DeIsL1.isu" -c "C:\Programmi\Common Files\Borland Shared\BDE\_ISREG32.DLL"
    CDex extraction audio --> "C:\Programmi\CDex_150\uninstall.exe"
    Conexant 56K ACLink Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C\HXFSETUP.EXE -U -Ihpm08505.inf
    Conexant AC-Link Audio --> CIAunwdm.exe
    DivX --> C:\Programmi\DivX\DivXCodecUninstall.exe /CODEC
    DivX Player --> C:\Programmi\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Player --> C:\Programmi\DivX\DivXPlayerUninstall.exe /PLAYER
    Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
    HijackThis 1.99.1 --> C:\Scaricamenti\HJ\HijackThis.exe /uninstall
    HTML Help Workshop --> C:\Program Files\HTML Help Workshop\_instpgm.exe /U
    IDAutomation.com Code 39 Free Font --> C:\BARCODES\IDAutomationCode39\IDAutomation.com Code 39 Free Font\uninstall.exe
    InterVideo WinDVD --> "C:\Programmi\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
    iSafer --> C:\PROGRA~1\PSMKorea\iSafer\UNWISE.EXE C:\PROGRA~1\PSMKorea\iSafer\INSTALL.LOG
    J2SE Development Kit 5.0 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150000}
    J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
    Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
    L&H Power Translator Pro 7.0 --> C:\WINDOWS\ISUN0410.EXE -f "C:\Programmi\LHSP\L&H Power Translator Pro\Uninst.isu" -c "C:\Programmi\LHSP\L&H Power Translator Pro\Uninstall.dll"
    L&H TTS3000 British English --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSENG.inf, Uninstall
    Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
    Microsoft Office XP Small Business --> MsiExec.exe /I{91130410-6000-11D3-8CFE-0050048383C9}
    Microsoft Visual Basic 6.0 Edizione Professional (Italiano) --> "C:\Programmi\Microsoft Visual Studio\VB98\Setup\1040\Setup.exe"
    Microsoft Word 2002 --> MsiExec.exe /I{911B0410-6000-11D3-8CFE-0050048383C9}
    Microsoft Works 7.0 --> MsiExec.exe /I{BF915BB7-8675-40B3-835B-44A3304ECB7B}
    Microsoft® Help Workshop --> C:\WINDOWS\uninst.exe -f "C:\Help Workshop\DeIsLog.1"
    Mozilla Firefox (2.0.0.3) --> C:\Programmi\Mozilla Firefox\uninstall\helper.exe
    MSDE --> C:\WINDOWS\IsUninst.exe -f "C:\Programmi\Solari di Udine\Msde\Uninst.isu" -c "C:\Programmi\Solari di Udine\Msde\sqlsun.dll" -msql70.mif
    Msde Client --> C:\WINDOWS\uninst.exe -f "C:\Programmi\Solari di Udine\Msde Client\DeIsL1.isu" -c "C:\Programmi\Solari di Udine\Msde Client\_ISREG32.DLL"
    MsdeAdmin --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EFD723F0-6DF5-4CC0-9613-EC48C1DBDB0B}
    MSDN Library - Visual Studio 6.0a (Italiano) --> "C:\Programmi\Microsoft Visual Studio\MSDN98\98VSa\1040\Setup\Setup.exe"
    MSN Messenger 7.5 --> MsiExec.exe /I{1FFA5A4E-03ED-11DA-BFBD-00065BBDC0B5}
    Notebook Utilities --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{A8F2DCDE-AE4E-4AC9-BECD-496FB80FBF6A}\Setup.exe" -l0x10 UNINSTALL
    One-Touch Buttons --> C:\WINDOWS\UnInst32.exe QT4HPOT.UNI
    Pubblicazione guidata sul Web 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
    RealPlayer --> C:\Programmi\File comuni\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    S500/S600 USB Driver --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{514DF7BB-D192-417C-BB60-58BF1FD34253}\Setup.exe" anything
    SaveNow --> C:\Programmi\SaveNow\Uninst.exe
    Seagate Crystal Reports Developer Edition --> MsiExec.exe /I{C0774966-2821-11D3-B32D-00A0C9DA500E}
    SpywareBlaster v3.5.1 --> "C:\Programmi\SpywareBlaster\unins000.exe"
    StartUtil --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{67E42F7D-B947-46DB-A9AB-39605C00BD40}
    STOP Dialers v 3.1 LE --> C:\Programmi\StopDialers\unins000.exe
    Synaptics TouchPad --> rundll32.exe "C:\Programmi\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
    TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
    Time&Cost --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{17757A1B-D96E-40D6-A213-91E30C2A4BA3}
    Time&Work --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51F6655A-9037-4A3C-8969-B7A5555D3713}
    Utilità di backup di Windows --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
    Winamp (remove only) --> "C:\Programmi\Winamp\UninstWA.exe"
    WinRAR archiver --> C:\Programmi\WinRAR\uninstall.exe

    -- End of Deckard's System Scanner: finished at 2007-04-06 at 14:55:06 ---------
     
