unwanted pop-up


This topic is locked
15 replies to this topic

#1 Montar

Posted 20 December 2009 - 12:04 PM

Hello,
Since I couldn't access the SAS site or download definitions from within the program, I began to scan the machine with some antivirus tools.
Found Conficker.B and removed it.
An online scan by Microsoft found VirTool:INF/Autorun.gen and 2 related entries (c:\win\sys32\autorun.i and autorun.in) that weren't removed.
Then MBAM found 13 entries that were successfully removed (can't remember the names, but the previous ones were probably included).
When I thought I was safe, Firefox began to open ads (e.g. hxxp://y.yieldmanager.com...).
Couldn't install the Forefront 120-day evaluation (couldn't find the access point for RegGetValueW in advapi32.dll).

Here are the HJT, OTL and GMER (which found rootkit anomalies) logs:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 16:49:38
Windows 5.1.2600 Service Pack 2
Running: m54b92jm.exe; Driver: c:\temp\kwpdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Programmi\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA5050B0]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF769FD00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\iaStor \Device\Ide\iaStor0 [F760E7A4] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F760E7A4] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll (*** hidden *** ) @ C:\Programmi\Stardock\ObjectDock\ObjectDock.exe [688] 0x78130000
Library C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll (*** hidden *** ) @ C:\Programmi\Stardock\ObjectDock\ObjectDock.exe [688] 0x7C420000
Library C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll (*** hidden *** ) @ C:\Programmi\Java\jre6\bin\jqs.exe [1088] 0x78130000
Library C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1976] 0x78130000
Library C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1976] 0x7C420000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki@DisplayName ltjwdysb
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki@Description Manages access to smart cards read by the computer. If this service is stopped, the computer will be unable to read smart cards. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\qeyvyki\Parameters@ServiceDll C:\WINDOWS\system32\qzhxlqks.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Country List\505@LongDistanceRule 0FG

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.03.38, on 20/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS\system32\IoctlSvc.exe
c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\AVG\AVG9\avgwdsvc.exe
C:\Programmi\AVG\AVG9\avgnsx.exe
C:\Programmi\AVG\AVG9\avgemc.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\Programmi\AVG\AVG9\avgrsx.exe
C:\Programmi\AVG\AVG9\avgchsvx.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\Programmi\AVG\AVG9\avgtray.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\AVG\AVG9\avgui.exe
C:\Programmi\AVG\AVG9\avgscanx.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Fabio\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.elsag.it:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Programmi\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Programmi\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: TransBar.lnk = C:\Programmi\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: Y'z Shadow.lnk = C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247305945687
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247305930406
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcDcToday.ocx
O16 - DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
O16 - DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} (NCSLayeredView Class) - http://www.vincolimap.it/ecwplugins/ncs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcPreview.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe

--
End of file - 9495 bytes


OTL logfile created on: 20/12/2009 15.02.46 - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\SWSetup\Antivirus\System report
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18241)
Locale: 00000410 | Country: Italia | Language: ITA | Date Format: dd/MM/yyyy

1.015,00 Mb Total Physical Memory | 452,00 Mb Available Physical Memory | 45,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmi
Drive C: | 55,89 Gb Total Space | 30,65 Gb Free Space | 54,83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MONTARSOLO-PORT
Current User Name: Fabio
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/20 14.48.51 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\SWSetup\Antivirus\System report\OTL.exe
PRC - [2009/12/16 19.25.09 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Programmi\Mozilla Firefox\firefox.exe
PRC - [2009/08/22 11.31.06 | 05,148,672 | ---- | M] () -- C:\Programmi\Rainlendar2\Rainlendar2.exe
PRC - [2009/07/31 14.23.19 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programmi\Java\jre6\bin\jqs.exe
PRC - [2009/02/11 08.48.00 | 00,480,264 | ---- | M] (Avid Technology, Inc.) -- C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
PRC - [2008/03/18 16.27.12 | 00,013,312 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2008/02/15 20.46.46 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/02/15 20.46.18 | 00,131,072 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/02/15 20.46.06 | 00,249,856 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2007/09/15 02.27.20 | 01,015,808 | ---- | M] (Synaptics, Inc.) -- C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/07/24 10.15.14 | 00,185,632 | ---- | M] (Protexis Inc.) -- c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe
PRC - [2007/06/13 14.22.28 | 00,977,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/24 18.19.54 | 03,581,680 | ---- | M] (Stardock) -- C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
PRC - [2007/02/19 21.46.55 | 00,085,096 | ---- | M] (Autodesk) -- C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
PRC - [2007/01/05 22.36.48 | 00,872,448 | ---- | M] (Analog Devices, Inc.) -- C:\Programmi\Analog Devices\Core\smax4pnp.exe
PRC - [2006/12/19 09.30.26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\WINDOWS\system32\IoctlSvc.exe
PRC - [2006/05/21 08.43.14 | 00,155,648 | ---- | M] (Y'z@Home) -- C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe
PRC - [2006/05/02 14.41.28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2006/04/29 14.21.28 | 00,094,208 | ---- | M] (Elaborate Bytes AG) -- C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
PRC - [2006/03/02 14.39.42 | 00,131,072 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2006/02/27 16.02.06 | 00,581,693 | ---- | M] (Broadcom Corporation.) -- C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
PRC - [2006/02/27 16.00.58 | 01,265,748 | ---- | M] (Broadcom Corporation.) -- C:\Programmi\WIDCOMM\Software Bluetooth\BTStackServer.exe
PRC - [2006/02/27 15.55.44 | 00,258,103 | ---- | M] (Broadcom Corporation.) -- C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
PRC - [2002/07/18 21.59.50 | 00,046,080 | ---- | M] (C-Dilla Ltd) -- C:\WINDOWS\system32\drivers\CDANTSRV.EXE


========== Modules (SafeList) ==========

MOD - [2009/12/20 14.48.51 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\SWSetup\Antivirus\System report\OTL.exe
MOD - [2007/04/24 14.22.12 | 00,112,400 | ---- | M] () -- C:\Programmi\Stardock\ObjectDock\DockShellHook.dll
MOD - [2006/08/25 16.51.10 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2006/05/21 08.43.14 | 00,053,248 | ---- | M] () -- C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/07/31 14.23.19 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Programmi\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/06/12 10.27.58 | 00,026,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\spupdsvc.exe -- (spupdsvc)
SRV - [2008/03/18 16.27.12 | 00,013,312 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2008/02/28 17.07.48 | 00,529,704 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2008/02/18 16.29.12 | 00,877,864 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - [2007/10/19 12.21.16 | 00,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/07/24 10.15.14 | 00,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/02/19 21.46.55 | 00,085,096 | ---- | M] (Autodesk) [Auto | Running] -- C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2006/12/19 09.30.26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\IoctlSvc.exe -- (PLFlash DeviceIoControl Service)
SRV - [2006/09/29 12.48.06 | 00,065,536 | ---- | M] () [Disabled | Stopped] -- C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe -- (mi-raysat_3dsmax9_32) mental ray 3.5 Satellite (32-bit)
SRV - [2006/05/02 14.41.28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2006/02/27 15.55.44 | 00,258,103 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe -- (btwdins)
SRV - [2004/08/19 15.39.16 | 00,028,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2003/07/28 11.28.22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/07/18 21.59.50 | 00,046,080 | ---- | M] (C-Dilla Ltd) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDANTSRV.EXE -- (C-DillaSrv)


========== Driver Services (SafeList) ==========

DRV - [2009/12/16 16.27.00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Programmi\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16.26.58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Programmi\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16.26.56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Programmi\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/02/11 08.47.48 | 00,156,552 | ---- | M] (Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mausbft.sys -- (MAUSBFT)
DRV - [2008/04/28 20.22.10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/03/21 16.13.00 | 01,203,776 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/02/15 21.12.06 | 05,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/11/13 11.25.54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/31 18.23.20 | 02,236,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel® adapter driver
DRV - [2007/10/12 03.00.42 | 00,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/10/12 02.55.58 | 01,279,000 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2007/10/12 02.55.58 | 00,013,848 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2007/10/11 17.59.02 | 02,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/10/01 18.27.40 | 00,281,600 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/09/15 02.09.44 | 00,213,696 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/07/13 15.26.12 | 00,094,976 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudio)
DRV - [2007/03/08 00.51.00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/07/06 12.44.10 | 00,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/05/25 15.28.18 | 00,121,216 | R--- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (AES2500)
DRV - [2006/04/22 20.59.21 | 00,024,320 | ---- | M] (Elaborate Bytes AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\VClone.sys -- (VClone)
DRV - [2006/04/22 02.44.39 | 00,008,064 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2006/04/06 14.49.00 | 00,088,192 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2006/03/09 09.17.16 | 00,037,768 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh)
DRV - [2006/02/27 15.48.20 | 00,401,664 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/02/27 15.45.48 | 01,342,602 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/02/27 15.43.44 | 00,030,363 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/02/27 15.43.06 | 00,057,096 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/02/27 15.40.16 | 00,148,168 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2005/10/26 09.01.02 | 00,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k) Broadcom NetLink ™
DRV - [2005/10/12 11.07.12 | 00,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005/09/19 12.24.20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/09/19 12.23.52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/04/12 09.41.20 | 00,004,608 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2005/01/07 16.07.18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/19 13.00.00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 22.10.12 | 00,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2004/08/03 22.10.12 | 00,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2004/08/03 22.10.00 | 00,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2004/08/03 22.07.56 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB audio driver (WDM)
DRV - [2002/07/18 21.59.50 | 00,057,968 | ---- | M] (Macrovision) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CDANT.SYS -- (C-Dilla)
DRV - [2001/09/24 11.08.20 | 00,030,088 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irstusb.sys -- (STIrUsb)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
IE - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\S-1-5-21-1409082233-1425521274-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\S-1-5-21-1409082233-1425521274-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\S-1-5-21-1409082233-1425521274-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = msproxy.elsag.it:80

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (it)"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ncr"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.2
FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.76
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: fastdial@telega.phpnet.us:2.23b1
FF - prefs.js..extensions.enabledItems: hidefindbar@jaredmcateer.com:1.3.1
FF - prefs.js..extensions.enabledItems: hidemenubar@moztw.org:1.0.20091213
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B17C1C5A-04B1-11DB-9804-B622A1EF5492}:1.2
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5
FF - prefs.js..extensions.enabledItems: {772C5315-9ECA-4aad-81E6-2A3BB86ED14E}:1.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: toggleprivatebrowsing@supernova00.biz:1.8
FF - prefs.js..extensions.enabledItems: {07b2a769-ed19-4483-87ce-c643914c81bb}:3.0.0.75

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Programmi\Mozilla Firefox\components [2009/12/20 14.04.34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Programmi\Mozilla Firefox\plugins [2009/12/20 14.04.34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0\extensions\\Components: C:\Programmi\Mozilla Thunderbird\components [2009/12/15 21.34.05 | 00,000,000 | ---D | M]

[2009/12/15 21.34.15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Extensions
[2009/12/15 21.34.15 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/12/20 14.49.54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions
[2009/11/01 10.17.28 | 00,000,000 | ---D | M] (Vista-aero) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
[2009/11/02 11.27.32 | 00,000,000 | ---D | M] (Sanitisminau) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\{772C5315-9ECA-4aad-81E6-2A3BB86ED14E}
[2009/08/04 20.41.56 | 00,000,000 | ---D | M] (Password Exporter) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
[2009/12/12 14.05.06 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/10/12 21.37.44 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2009/11/15 19.29.45 | 00,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/12/19 17.09.40 | 00,000,000 | ---D | M] (CustomizeGoogle) -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2009/07/25 23.23.42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\fastdial@telega.phpnet.us
[2009/07/08 20.58.05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\hidefindbar@jaredmcateer.com
[2009/12/15 19.31.43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\hidemenubar@moztw.org
[2009/12/17 20.46.40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\personas@christopher.beard
[2009/11/02 11.27.32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\extensions\toggleprivatebrowsing@supernova00.biz
[2009/11/02 11.48.25 | 00,001,907 | ---- | M] () -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\searchplugins\flickr-tags.xml
[2009/08/12 21.27.52 | 00,001,512 | ---- | M] () -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\searchplugins\imdb.xml
[2008/10/16 11.30.22 | 00,001,620 | ---- | M] () -- C:\Documents and Settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\searchplugins\mozilla-add-ons.xml
[2009/12/20 14.13.19 | 00,000,000 | ---D | M] -- C:\Programmi\Mozilla Firefox\extensions
[2009/09/12 16.43.00 | 00,072,960 | ---- | M] (Foxit Software Company) -- C:\Programmi\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2009/08/24 20.02.19 | 00,001,412 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\demauro.xml
[2009/08/24 20.02.19 | 00,000,744 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\eBay-it.xml
[2009/08/24 20.02.19 | 00,001,182 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\wikipedia-it.xml
[2009/08/24 20.02.19 | 00,000,649 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\yahoo-it.xml

O1 HOSTS File: (768 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\M-AudioTaskBarIcon.exe (Avid Technology, Inc.)
O4 - HKLM..\Run: [NBKeyScan] C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QlbCtrl] C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Programmi\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKU\S-1-5-21-1409082233-1425521274-839522115-1003..\Run: [Rainlendar2] C:\Programmi\Rainlendar2\Rainlendar2.exe ()
O4 - HKU\.DEFAULT..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 File not found
O4 - HKU\S-1-5-18..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 File not found
O4 - Startup: C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\BTTray.lnk = C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Fabio\Menu Avvio\Programmi\Esecuzione automatica\Stardock ObjectDock.lnk = C:\Programmi\Stardock\ObjectDock\ObjectDock.exe (Stardock)
O4 - Startup: C:\Documents and Settings\Fabio\Menu Avvio\Programmi\Esecuzione automatica\TransBar.lnk = C:\Programmi\Vista Inspirat 2\TransBar\TransBar.exe (AKSoftware)
O4 - Startup: C:\Documents and Settings\Fabio\Menu Avvio\Programmi\Esecuzione automatica\Y'z Shadow.lnk = C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe (Y'z@Home)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\..Trusted Domains: microsoft.com ([windowsupdate] http in Trusted sites)
O15 - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx (InstaFred)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1247305945687 (WUWebControl Class)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab (HpProductDetection Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1247305930406 (MUWebControl Class)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Programmi/AutoCAD%202002%20Ita/AcDcToday.ocx (Controllo AcDc oggi)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx (NOXLATE-BANR)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} http://www.vincolimap.it/ecwplugins/ncs.cab (NCSLayeredView Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Programmi/AutoCAD%202002%20Ita/AcPreview.ocx (Controllo AcPreview)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programmi\File comuni\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programmi\File comuni\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programmi\File comuni\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Pagina iniziale corrente) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programmi\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2007/02/26 20.28.34 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{bb3a490e-144d-11dc-80f1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{c5be0118-6937-11de-838c-9508776aca22}\Shell - "" = AutoRun
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/20 14.59.02 | 00,000,000 | ---D | C] -- C:\Programmi\HJT
[2009/12/20 13.42.11 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/12/19 20.09.38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fabio\Dati applicazioni\Malwarebytes
[2009/12/19 20.09.34 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/19 20.09.33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
[2009/12/19 20.09.32 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/19 20.09.32 | 00,000,000 | ---D | C] -- C:\Programmi\Malwarebytes
[2009/12/19 19.46.12 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/12/19 19.11.02 | 00,000,000 | ---D | C] -- C:\Programmi\Windows Live Safety Center
[2009/12/19 17.05.39 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/12/18 20.36.52 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/18 16.58.18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
[2009/12/18 16.58.00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com
[2009/12/18 16.58.00 | 00,000,000 | ---D | C] -- C:\Programmi\SUPERAntiSpyware
[2009/12/18 16.57.38 | 00,000,000 | ---D | C] -- C:\Programmi\File comuni\Wise Installation Wizard
[2009/12/09 21.36.33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\File Renamer Basic
[2009/12/09 21.29.48 | 00,000,000 | ---D | C] -- C:\Programmi\Xenocode
[2009/12/09 21.29.48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\Xenocode
[2009/12/09 21.29.17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fabio\Dati applicazioni\Kristanix Software
[2009/12/04 12.07.26 | 00,000,000 | ---D | C] -- C:\Programmi\Widget vodafone.it
[2009/12/01 21.08.35 | 02,532,344 | ---- | C] (M-Audio, a division of Avid Technology, Inc.) -- C:\WINDOWS\System32\madiousb.dll
[2009/12/01 21.08.35 | 00,156,552 | ---- | C] (Avid Technology, Inc.) -- C:\WINDOWS\System32\drivers\mausbft.sys
[2009/12/01 21.08.35 | 00,000,000 | ---D | C] -- C:\Programmi\Common Files
[2009/12/01 21.08.34 | 00,533,000 | ---- | C] (M-Audio, a division of Avid Technology, Inc.) -- C:\WINDOWS\System32\M-AudioFastTrackControlPanelApplet.cpl
[2009/12/01 21.08.34 | 00,480,264 | ---- | C] (Avid Technology, Inc.) -- C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
[2009/12/01 21.08.33 | 00,032,776 | ---- | C] (M-Audio, a division of Avid Technology, Inc.) -- C:\WINDOWS\System32\mausbasio.dll
[2009/11/29 22.31.24 | 00,000,000 | ---D | C] -- C:\Programmi\JDownloader_portable
[2009/11/22 00.10.17 | 00,093,360 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2008/11/05 11.31.38 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Dati applicazioni\Microsoft
[2008/08/14 11.17.39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft
[2007/11/24 11.04.14 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Dati applicazioni\Microsoft
[2007/11/24 11.04.14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/20 14.59.15 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Fabio\Desktop\HiJackThis.lnk
[2009/12/20 14.32.43 | 00,220,454 | ---- | M] () -- C:\Documents and Settings\Fabio\Desktop\unlocker1.8.8.exe
[2009/12/20 14.06.43 | 00,000,214 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/12/20 14.04.39 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/20 14.03.40 | 01,064,476 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/20 14.03.40 | 00,492,552 | ---- | M] () -- C:\WINDOWS\System32\perfh010.dat
[2009/12/20 14.03.40 | 00,444,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/20 14.03.40 | 00,085,198 | ---- | M] () -- C:\WINDOWS\System32\perfc010.dat
[2009/12/20 14.03.40 | 00,072,238 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/20 14.01.32 | 00,000,414 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{91389114-CD5E-4164-AD30-8C26582200E2}.job
[2009/12/20 13.13.49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/20 13.13.48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/19 22.49.38 | 14,417,920 | ---- | M] () -- C:\Documents and Settings\Fabio\ntuser.dat
[2009/12/19 22.49.33 | 00,000,306 | -HS- | M] () -- C:\Documents and Settings\Fabio\ntuser.ini
[2009/12/19 20.39.07 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/18 16.42.17 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/13 17.40.00 | 00,180,736 | ---- | M] () -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/12 12.33.45 | 00,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documenti\khw
[2009/12/12 12.28.44 | 00,000,000 | RHS- | M] () -- C:\khw
[2009/12/12 12.28.43 | 00,000,633 | RHS- | M] () -- C:\WINDOWS\System32\autorun.i
[2009/12/12 12.28.43 | 00,000,412 | RHS- | M] () -- C:\WINDOWS\System32\autorun.in
[2009/12/09 21.36.27 | 00,112,290 | ---- | M] () -- C:\WINDOWS\File Renamer - Basic Uninstaller.exe
[2009/12/09 21.30.04 | 00,000,002 | ---- | M] () -- C:\WINDOWS\System32\krx260.dat
[2009/12/03 16.14.06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16.13.56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 21.23.19 | 00,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documenti\khv
[2009/12/02 21.05.32 | 00,000,000 | RHS- | M] () -- C:\khv
[2009/11/22 00.10.14 | 00,093,360 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/20 14.59.02 | 00,002,483 | ---- | C] () -- C:\Documents and Settings\Fabio\Desktop\HiJackThis.lnk
[2009/12/20 14.32.43 | 00,220,454 | ---- | C] () -- C:\Documents and Settings\Fabio\Desktop\unlocker1.8.8.exe
[2009/12/20 14.06.43 | 00,000,214 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/12/19 17.33.45 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/12 12.33.45 | 00,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documenti\khw
[2009/12/12 12.28.44 | 00,000,000 | RHS- | C] () -- C:\khw
[2009/12/09 21.30.04 | 00,000,002 | ---- | C] () -- C:\WINDOWS\System32\krx260.dat
[2009/12/02 21.23.19 | 00,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documenti\khv
[2009/12/02 21.05.32 | 00,000,000 | RHS- | C] () -- C:\khv
[2009/12/02 21.03.40 | 00,000,633 | RHS- | C] () -- C:\WINDOWS\System32\autorun.i
[2009/12/02 21.03.40 | 00,000,412 | RHS- | C] () -- C:\WINDOWS\System32\autorun.in
[2009/09/24 15.40.31 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/07/24 20.06.25 | 00,059,500 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/10/11 19.15.49 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/10/11 19.15.49 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/10/11 19.15.49 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/10/11 19.15.49 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/10/11 19.15.49 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/10/11 19.15.49 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/10/11 08.44.27 | 00,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\KGyGaAvL.sys
[2008/10/11 08.44.27 | 00,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\6FE0FF607C.sys
[2008/06/06 20.56.24 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/02/15 21.21.56 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2007/12/09 18.23.01 | 00,663,552 | ---- | C] () -- C:\WINDOWS\System32\FreeImage.dll
[2007/10/31 16.17.30 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\realbap1.dll
[2007/10/31 16.17.30 | 00,045,568 | ---- | C] () -- C:\WINDOWS\System32\realbsf1.dll
[2007/10/16 13.06.33 | 00,000,160 | ---- | C] () -- C:\WINDOWS\render.ini
[2007/10/09 06.55.01 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/10/09 06.55.01 | 00,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2007/10/06 09.35.35 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\FnF4.txt
[2007/07/22 13.35.46 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/06/19 21.03.23 | 00,180,736 | ---- | C] () -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/06 23.08.36 | 00,000,134 | ---- | C] () -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\fusioncache.dat
[2007/06/06 17.31.18 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/06 17.18.24 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\QSwitch.txt
[2007/06/06 17.18.24 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\DSwitch.txt
[2007/06/06 17.18.24 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\AtStart.txt
[2007/06/06 17.08.31 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2007/06/06 16.58.27 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2007/04/08 07.57.06 | 00,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2007/03/13 20.33.35 | 00,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2006/02/27 15.51.36 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2003/01/07 14.05.08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/15 21.29.04 | 00,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2002/03/19 07.18.54 | 00,120,832 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2001/11/23 16.18.00 | 00,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 11.56.00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1998/05/08 00.10.00 | 00,069,632 | R--- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Dati applicazioni\TEMP:E965A533
< End of report >

Please help!!! I'm so frustrated...

Edited by Orange Blossom, 20 December 2009 - 04:13 PM.
Deactivate link. ~ OB
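An added example, not part of the original post and not OTL's own tooling: a small Python triage pass over OTL "Files Created/Modified" lines like the ones in the log above. The sample lines are copied from that log and embedded inline; the reading of OTL's four-character attribute column as fixed R/H/S/D positions is inferred from the values that appear in the log (RHS-, -HS-, ---D, --SD), and the flagging rules (hidden+system file with no vendor string, autorun-style name, hidden/system object sitting at the drive root) are the editor's own heuristics for pulling candidates such as C:\khw and System32\autorun.i out of a long listing for a human to review, not a verdict on any file.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the OTL sections above,
# including a section header that the parser must skip.
SAMPLE_LOG = r"""
========== Files - Modified Within 30 Days ==========

[2009/12/20 14.06.43 | 00,000,214 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/12/12 12.33.45 | 00,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documenti\khw
[2009/12/12 12.28.44 | 00,000,000 | RHS- | M] () -- C:\khw
[2009/12/12 12.28.43 | 00,000,633 | RHS- | M] () -- C:\WINDOWS\System32\autorun.i
[2009/12/12 12.28.43 | 00,000,412 | RHS- | M] () -- C:\WINDOWS\System32\autorun.in
[2009/12/03 16.14.06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/18 16.58.00 | 00,000,000 | ---D | C] -- C:\Programmi\SUPERAntiSpyware
[2008/10/11 08.44.27 | 00,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\KGyGaAvL.sys
"""

# One OTL file line: [date time | size | attrs | C/M] (company) -- path
# Directory lines carry no "(company)" field at all; files print "()" when unknown.
OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}\.\d{2}\.\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)

AUTORUN_NAME = re.compile(r"^autorun\.", re.IGNORECASE)


@dataclass
class Entry:
    date: str
    time: str
    size: int
    readonly: bool
    hidden: bool
    system: bool
    is_dir: bool
    kind: str                # "C" created in window, "M" modified in window
    company: Optional[str]   # None when OTL printed no field, "" for "()"
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def at_drive_root(self) -> bool:
        # "C:\khw" -> parent "C:"; anything deeper has a longer parent.
        parent = self.path.rsplit("\\", 1)[0]
        return re.fullmatch(r"[A-Za-z]:", parent) is not None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL file line; return None for headers and other text."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    attr = m.group("attr")  # assumed fixed columns: R(eadonly) H(idden) S(ystem) D(irectory)
    return Entry(
        date=m.group("date"), time=m.group("time"),
        size=int(m.group("size").replace(",", "")),
        readonly=attr[0] == "R", hidden=attr[1] == "H",
        system=attr[2] == "S", is_dir=attr[3] == "D",
        kind=m.group("kind"), company=m.group("company"), path=m.group("path"),
    )


def flag_entry(e: Entry) -> List[str]:
    """Editor's triage heuristics: each hit is a reason to look closer, not a verdict."""
    reasons: List[str] = []
    if e.hidden and e.system and not e.is_dir and not e.company:
        reasons.append("hidden+system file with no company/version info")
    if AUTORUN_NAME.match(e.name):
        reasons.append("autorun-style filename")
    if e.at_drive_root and (e.hidden or e.system):
        reasons.append("hidden/system object at drive root")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(f"{path}: {'; '.join(why)}")
```

Run against the sample, five of the eight entries come back flagged: both khw objects, both autorun.* files in System32, and the hidden+system KGyGaAvL.sys under Dati applicazioni; the signed Malwarebytes driver, the plain spupdsvc.inf and the SUPERAntiSpyware directory do not. The point of keeping the reasons as a list is that a file hit by two rules (autorun.i is both a hidden+system file with no vendor string and autorun-named) sorts to the top of a long listing without the script having to know anything about the specific malware family.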




#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 21 December 2009 - 11:18 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




Please download TDSSKiller.zip and unzip it to your Desktop

Go to Start >> Run >> copy/paste below >> Enter

"%userprofile%\Desktop\tdsskiller\TDSSKiller.exe" -l report.txt -v

A black command screen will pop-up.. Just wait till the scan finishes and press any button when asked..

Then go find the report.txt inside the tdsskiller folder on your Desktop.. Post the contents of report.txt here on your next reply..




Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Montar

Montar
  • Topic Starter

  • Members
  • 26 posts

Posted 21 December 2009 - 04:20 PM

Ok... first of all... so many thanks for your time.
I ran the comedian everything worked fine until last step: I think a minor issue.
A system window popped up saying something like (translating): impossible to find script interpreter for vbscript ...desktop/rp.vbs
that was a script temporarily created to my desktop, (you already know) I think that has caused thecomedian not to create a restore point.
clicked OK in the alert window
After that thecomedian said it has done its job (like if it was completely done)...

Then I STOPPED! as you said, and I refer to jedi master!!
thecomedian deleted
ps. I've left Erunt installed

padawan Montar

no couldn't resist....
I created restore point manually and then
I launched tdsskiller from start command line and found a malware!! I completed restarting the machine...
too bad I didn't find any report in the folder!!! but a second launch confirmed malware removed!!
here's the second clean report (from dos shell):

TDSS rootkit removing tool, Kaspersky Lab 2009
version 2.1.1 Dec 20 2009 02:40:02
Start log failed

Scanning Registry ...

Scanning Kernel memory ...

Completed

Results:
Infected objects in memory: 0
Cured objects in memory: 0
Infected objects on disk: 0
Objects on disk cured on reboot: 0
Objects on disk deleted on reboot: 0
Registry nodes deleted on reboot: 0

Premere un tasto per continuare . . .


so now??? should I go on with Combofix??
For now: SO many many thanks... restoring firewall now...

----------------update--------------------------------

found the TDSS log on the root!!!!!!!!!!!!!!!!!!
I think it's the second log that has overwritten the first
now that I read seem to remember something about IASTOR in the first summary too...

22:39:46:750 0516 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
22:39:46:750 0516 ================================================================================
22:39:46:750 0516 SystemInfo:

22:39:46:750 0516 OS Version: 5.1.2600 ServicePack: 2.0
22:39:46:750 0516 Product type: Workstation
22:39:46:750 0516 ComputerName: MONTARSOLO-PORT
22:39:46:750 0516 UserName: Fabio
22:39:46:750 0516 Windows directory: C:\WINDOWS
22:39:46:750 0516 Processor architecture: Intel x86
22:39:46:750 0516 Number of processors: 2
22:39:46:750 0516 Page size: 0x1000
22:39:46:750 0516 Boot type: Normal boot
22:39:46:750 0516 ================================================================================
22:39:46:750 0516 ForceUnloadDriver: NtUnloadDriver error 2
22:39:46:750 0516 ForceUnloadDriver: NtUnloadDriver error 2
22:39:46:765 0516 ForceUnloadDriver: NtUnloadDriver error 2
22:39:46:765 0516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
22:39:46:765 0516 main: Driver KLMD successfully dropped
22:39:46:765 0516 main: Driver KLMD successfully loaded
22:39:46:765 0516
Scanning Registry ...
22:39:46:796 0516 ScanServices: Searching service UACd.sys
22:39:46:796 0516 ScanServices: Open/Create key error 2
22:39:46:796 0516 ScanServices: Searching service TDSSserv.sys
22:39:46:796 0516 ScanServices: Open/Create key error 2
22:39:46:796 0516 ScanServices: Searching service gaopdxserv.sys
22:39:46:796 0516 ScanServices: Open/Create key error 2
22:39:46:796 0516 ScanServices: Searching service gxvxcserv.sys
22:39:46:796 0516 ScanServices: Open/Create key error 2
22:39:46:796 0516 ScanServices: Searching service MSIVXserv.sys
22:39:46:796 0516 ScanServices: Open/Create key error 2
22:39:46:796 0516 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
22:39:46:796 0516 UnhookRegistry: Kernel local addr: A40000
22:39:46:796 0516 UnhookRegistry: KeServiceDescriptorTable addr: ACA500
22:39:46:796 0516 UnhookRegistry: KiServiceTable addr: A4D8B0
22:39:46:796 0516 UnhookRegistry: NtEnumerateKey service number (local): 47
22:39:46:796 0516 UnhookRegistry: NtEnumerateKey local addr: AE13A4
22:39:46:796 0516 KLMD_OpenDevice: Trying to open KLMD device
22:39:46:796 0516 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
22:39:46:796 0516 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
22:39:46:796 0516 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
22:39:46:796 0516 UnhookRegistry: NtEnumerateKey service number (kernel): 47
22:39:46:796 0516 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
22:39:46:796 0516 UnhookRegistry: NtEnumerateKey real addr: 805783A4
22:39:46:796 0516 UnhookRegistry: NtEnumerateKey calc addr: 805783A4
22:39:46:796 0516 UnhookRegistry: No SDT hooks found on NtEnumerateKey
22:39:46:796 0516 KLMD_ReadMem: Trying to ReadMemory 0x805783A4[0xA]
22:39:46:796 0516 UnhookRegistry: No splicing found on NtEnumerateKey
22:39:46:812 0516
Scanning Kernel memory ...
22:39:46:812 0516 KLMD_OpenDevice: Trying to open KLMD device
22:39:46:812 0516 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
22:39:46:812 0516 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
22:39:46:812 0516 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86EE5358
22:39:46:812 0516 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
22:39:46:812 0516 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86EE6430
22:39:46:812 0516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86EE6430
22:39:46:812 0516 KLMD_ReadMem: Trying to ReadMemory 0x86EE6430[0x38]
22:39:46:812 0516 DetectCureTDL3: DRIVER_OBJECT addr: 86EE5358
22:39:46:812 0516 KLMD_ReadMem: Trying to ReadMemory 0x86EE5358[0xA8]
22:39:46:812 0516 KLMD_ReadMem: Trying to ReadMemory 0xE16BB8D8[0x208]
22:39:46:812 0516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:39:46:812 0516 DetectCureTDL3: IrpHandler (0) addr: F77FCC30
22:39:46:812 0516 DetectCureTDL3: IrpHandler (1) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (2) addr: F77FCC30
22:39:46:812 0516 DetectCureTDL3: IrpHandler (3) addr: F77F6D9B
22:39:46:812 0516 DetectCureTDL3: IrpHandler (4) addr: F77F6D9B
22:39:46:812 0516 DetectCureTDL3: IrpHandler (5) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (6) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (7) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (8) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (9) addr: F77F7366
22:39:46:812 0516 DetectCureTDL3: IrpHandler (10) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (11) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (12) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (13) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (14) addr: F77F744D
22:39:46:812 0516 DetectCureTDL3: IrpHandler (15) addr: F77FAFC3
22:39:46:812 0516 DetectCureTDL3: IrpHandler (16) addr: F77F7366
22:39:46:812 0516 DetectCureTDL3: IrpHandler (17) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (18) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (19) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (20) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (21) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (22) addr: F77F8EF3
22:39:46:812 0516 DetectCureTDL3: IrpHandler (23) addr: F77FDA24
22:39:46:812 0516 DetectCureTDL3: IrpHandler (24) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (25) addr: 804F9709
22:39:46:812 0516 DetectCureTDL3: IrpHandler (26) addr: 804F9709
22:39:46:812 0516 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
22:39:46:812 0516 KLMD_ReadMem: DeviceIoControl error 1
22:39:46:812 0516 TDL3_StartIoHookDetect: Unable to get StartIo handler code
22:39:46:812 0516 TDL3_FileDetect: Processing driver: Disk
22:39:46:812 0516 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
22:39:46:812 0516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
22:39:46:812 0516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
22:39:46:843 0516 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86F5DAB8
22:39:46:843 0516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F5DAB8
22:39:46:843 0516 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86EEA2C0
22:39:46:859 0516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86EEA2C0
22:39:46:859 0516 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86F24030
22:39:46:859 0516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F24030
22:39:46:859 0516 KLMD_ReadMem: Trying to ReadMemory 0x86F24030[0x38]
22:39:46:859 0516 DetectCureTDL3: DRIVER_OBJECT addr: 86FE06E8
22:39:46:859 0516 KLMD_ReadMem: Trying to ReadMemory 0x86FE06E8[0xA8]
22:39:46:859 0516 KLMD_ReadMem: Trying to ReadMemory 0xE169C850[0x208]
22:39:46:859 0516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
22:39:46:859 0516 DetectCureTDL3: IrpHandler (0) addr: F75DC186
22:39:46:859 0516 DetectCureTDL3: IrpHandler (1) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (2) addr: F75DC186
22:39:46:859 0516 DetectCureTDL3: IrpHandler (3) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (4) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (5) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (6) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (7) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (8) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (9) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (10) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (11) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (12) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (13) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (14) addr: F75DF896
22:39:46:859 0516 DetectCureTDL3: IrpHandler (15) addr: F75DFB58
22:39:46:859 0516 DetectCureTDL3: IrpHandler (16) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (17) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (18) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (19) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (20) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (21) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (22) addr: F75E4E66
22:39:46:859 0516 DetectCureTDL3: IrpHandler (23) addr: F75E4FC6
22:39:46:859 0516 DetectCureTDL3: IrpHandler (24) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (25) addr: 804F9709
22:39:46:859 0516 DetectCureTDL3: IrpHandler (26) addr: 804F9709
22:39:46:859 0516 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
22:39:46:859 0516 KLMD_ReadMem: DeviceIoControl error 1
22:39:46:859 0516 TDL3_StartIoHookDetect: Unable to get StartIo handler code
22:39:46:859 0516 TDL3_FileDetect: Processing driver: iaStor
22:39:46:859 0516 TDL3_FileDetect: Similar paths for origin and cured (C:\WINDOWS\system32\drivers\iastor.tsk)! Generate new path
22:39:46:859 0516 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\iastor.tsk, C:\WINDOWS\system32\Drivers\iastor.ts0, SYSTEM\CurrentControlSet\Services\iaStor, system32\Drivers\iastor.ts0
22:39:46:859 0516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iastor.tsk
22:39:46:859 0516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iastor.tsk
22:39:46:906 0516
Completed

Results:
22:39:46:906 0516 Infected objects in memory: 0
22:39:46:906 0516 Cured objects in memory: 0
22:39:46:906 0516 Infected objects on disk: 0
22:39:46:906 0516 Objects on disk cured on reboot: 0
22:39:46:906 0516 Objects on disk deleted on reboot: 0
22:39:46:906 0516 Registry nodes deleted on reboot: 0
22:39:46:906 0516

Edited by Montar, 21 December 2009 - 05:54 PM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 22 December 2009 - 07:04 AM

Yes, please proceed with ComboFix ;)

Edited by fenzodahl512, 22 December 2009 - 07:05 AM.
edit instruction

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Montar

Montar
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 23 December 2009 - 03:51 AM

first of all I want to post the AVG resident shield log (might be interesting):

-"Virus rilevato Worm/AutoRun";"C:\System Volume Information\_restore{066248BF-E35F-4CF9-8FEB-3CF7BFB06A6E}\RP7\A0002139.inf";"Spostato in Quarantena virus";"22/12/2009, 22.49.48";"file";"C:\WINDOWS\system32\svchost.exe"
-"Virus rilevato Worm/AutoRun";"C:\System Volume Information\_restore{066248BF-E35F-4CF9-8FEB-3CF7BFB06A6E}\RP7\A0002139.inf";"Spostato in Quarantena virus";"22/12/2009, 22.10.42";"file";"C:\WINDOWS\system32\svchost.exe"
-"Virus rilevato Worm/AutoRun";"C:\WINDOWS\system32\autorun.inf";"Spostato in Quarantena virus";"20/12/2009, 22.16.03";"file";"C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe"


I've run ComboFix:
-I've quit the Windows firewall and the AVG9 link scanner, resident shield and email scanner
(couldn't find how to stop other services in the AVG FAQ)
-prompted for an updated combofix version but skipped
-recovery console installed by combofix

here's the log:

ComboFix 09-12-20.08 - Fabio 23/12/2009 9.17.41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1015.555 [GMT 1:00]
Eseguito da: c:\documents and settings\Fabio\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Creati Da 2009-11-23 al 2009-12-23 )))))))))))))))))))))))))))))))))))
.

2009-12-22 10:40 . 2009-12-20 16:21 3776280 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\setup.exe
2009-12-22 10:40 . 2009-12-20 16:21 4043032 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgui.exe
2009-12-22 10:40 . 2009-12-20 16:21 916248 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcfgx.dll
2009-12-22 10:40 . 2009-12-20 16:21 3967256 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcorex.dll
2009-12-21 22:26 . 2009-12-21 22:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-21 22:25 . 2009-12-21 22:25 -------- d-sh--w- c:\documents and settings\Fabio\IETldCache
2009-12-21 22:23 . 2009-12-21 22:23 -------- d-----w- c:\windows\ie8updates
2009-12-21 22:21 . 2009-12-21 22:21 -------- dc-h--w- c:\windows\ie8
2009-12-21 22:17 . 2009-10-29 07:40 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 22:17 . 2009-10-29 07:40 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 22:16 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-21 22:07 . 2009-12-21 22:07 -------- d-----w- c:\windows\ServicePackFiles
2009-12-21 22:02 . 2004-08-19 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-21 21:57 . 2009-12-23 08:21 -------- d-----w- c:\temp\NDP1.1sp1-KB953297-X86
2009-12-21 20:58 . 2009-12-21 20:58 -------- d-----w- c:\programmi\ERUNT
2009-12-20 20:59 . 2009-12-20 21:04 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-12-20 20:59 . 2009-12-20 21:02 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-12-20 17:22 . 2009-12-20 17:22 294656 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avglngx.dll
2009-12-20 17:22 . 2009-12-20 16:21 2352920 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgresf.dll
2009-12-20 17:09 . 2009-12-20 21:06 -------- d-----w- c:\temp\E1.tmp
2009-12-20 17:09 . 2009-12-20 21:06 -------- d-----w- c:\temp\E0.tmp
2009-12-20 16:22 . 2009-12-20 16:22 -------- d-----w- C:\$AVG
2009-12-20 16:21 . 2009-12-20 16:21 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-20 16:21 . 2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-20 16:21 . 2009-12-20 16:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-20 16:21 . 2009-12-20 16:21 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-20 16:21 . 2009-12-23 08:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\programmi\AVG
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2009-12-20 16:17 . 2009-12-20 21:06 -------- d-----w- c:\temp\7zSF.tmp
2009-12-20 16:16 . 2009-12-20 21:06 -------- d-----w- c:\temp\E.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\D.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\C.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\B.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\A.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\9.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\8.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\7.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\6.tmp
2009-12-20 16:14 . 2009-12-20 21:06 -------- d-----w- c:\temp\5.tmp
2009-12-20 14:09 . 2009-12-20 21:06 -------- d-----w- c:\temp\1AE.tmp
2009-12-20 13:59 . 2009-12-20 13:59 388096 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-20 13:59 . 2009-12-20 13:59 -------- d-----w- c:\programmi\HJT
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-19 20:04 -------- d-----w- c:\programmi\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 18:46 . 2009-12-19 18:46 -------- d-----w- c:\temp\MPTelemetrySubmit
2009-12-19 18:46 . 2009-11-02 19:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 18:28 . 2009-12-20 21:06 -------- d-----w- c:\temp\MPSampleSubmit
2009-12-19 18:11 . 2009-12-20 17:17 -------- d-----w- c:\programmi\Windows Live Safety Center
2009-12-19 17:36 . 2009-12-23 08:21 -------- d-----w- c:\temp\defs
2009-12-19 16:33 . 2009-12-19 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-19 16:07 . 2009-12-20 12:54 52224 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-18 15:58 . 2009-12-19 16:07 117760 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:58 . 2009-12-19 15:51 -------- d-----w- c:\programmi\SUPERAntiSpyware
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:57 . 2009-12-18 15:57 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-12-15 18:58 . 2008-09-17 19:39 139264 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird\Profiles\m5jhglnr.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2009-12-09 20:36 . 2009-12-09 20:36 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\File Renamer Basic
2009-12-09 20:30 . 2009-12-09 20:30 2 ----a-w- c:\windows\system32\krx260.dat
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\programmi\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Kristanix Software
2009-12-08 19:56 . 2009-12-08 20:03 -------- d-----w- c:\temp\plugtmp-3
2009-12-04 11:07 . 2009-12-04 11:07 -------- d-----w- c:\programmi\Widget vodafone.it
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\programmi\Common Files
2009-12-01 20:08 . 2009-02-11 07:47 2532344 ----a-w- c:\windows\system32\madiousb.dll
2009-12-01 20:08 . 2009-02-11 07:47 156552 ----a-w- c:\windows\system32\drivers\mausbft.sys
2009-12-01 20:08 . 2009-02-11 07:48 480264 ------w- c:\windows\system32\M-AudioTaskBarIcon.exe
2009-12-01 20:08 . 2009-02-11 07:47 32776 ----a-w- c:\windows\system32\mausbasio.dll
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{CC5A9A43-5BAB-4557-9CCD-206F0B5349BA}
2009-12-01 20:08 . 2009-12-20 21:06 -------- d-----w- c:\temp\{E31BAE7E-583A-4F4D-8B09-BDDBC46CD0E4}
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{BB7A7CC0-A40F-408C-BB4C-0D306A8046F0}
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{A80D64AC-CD11-48A9-B693-7515147BB98D}
2009-12-01 20:07 . 2009-12-20 21:06 -------- d-----w- c:\temp\{AA074FFE-2ACE-4D76-9893-D4792916E094}
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\temp\{79F6A335-58C1-4502-8DD4-5B9DC2105892}
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\temp\{297D98C7-FF95-4604-A583-49B4FEA7AEBC}
2009-11-29 21:31 . 2009-11-29 21:32 -------- d-----w- c:\programmi\JDownloader_portable
2009-11-29 21:31 . 2009-11-29 21:31 -------- d--h--w- c:\temp\Directory temporanea 1 per JDownloader_portable.zip
2009-11-28 11:49 . 2009-11-28 13:05 -------- d-----w- c:\temp\plugtmp-2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 08:31 . 2009-07-08 20:12 -------- d-----w- c:\programmi\Mozilla Thunderbird
2009-12-21 22:38 . 2004-08-19 12:00 85198 ----a-w- c:\windows\system32\perfc010.dat
2009-12-21 22:38 . 2004-08-19 12:00 492552 ----a-w- c:\windows\system32\perfh010.dat
2009-12-21 21:34 . 2005-10-19 13:35 874240 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-12-21 21:30 . 2009-12-21 21:30 874240 ----a-w- c:\windows\system32\drivers\iastor.tsk
2009-12-21 21:30 . 2009-05-03 20:04 -------- d-----w- c:\programmi\PowerArchiver
2009-12-20 20:51 . 2007-06-06 17:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Skype
2009-12-20 18:08 . 2008-04-24 09:23 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-12-20 17:30 . 2009-07-07 19:59 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\skypePM
2009-12-20 15:57 . 2007-06-06 17:50 150120 ----a-w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-20 13:35 . 2009-10-17 19:13 -------- d-----w- c:\programmi\Unlocker
2009-12-20 12:18 . 2007-06-06 18:02 -------- d-----w- c:\programmi\FastStone Image Viewer
2009-12-19 15:57 . 2009-07-07 19:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\uTorrent
2009-12-19 14:47 . 2008-11-18 20:34 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\foobar2000
2009-12-18 19:36 . 2007-02-26 19:28 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-12-18 17:23 . 2009-07-07 19:16 -------- d-----w- c:\programmi\uTorrent
2009-12-15 21:08 . 2007-11-02 18:01 -------- d-----w- c:\programmi\GGL
2009-12-15 20:34 . 2009-07-08 20:22 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird
2009-12-12 20:52 . 2009-09-30 18:53 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\vlc
2009-12-10 19:26 . 2009-07-25 12:38 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2009-12-10 19:26 . 2009-09-01 14:58 38784 ----a-w- c:\documents and settings\Default User\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-10 19:26 . 2009-07-25 12:38 38784 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 112290 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 -------- d-----w- c:\programmi\File Renamer
2009-12-04 11:05 . 2009-09-01 15:10 -------- d-----w- c:\programmi\Widget Vodafone
2009-12-01 20:08 . 2007-06-06 16:08 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-12-01 20:08 . 2007-10-08 18:49 -------- d-----w- c:\programmi\M-Audio
2009-11-21 23:10 . 2009-11-21 23:10 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-15 18:25 . 2009-11-08 14:17 -------- d-----w- c:\programmi\Telltale Games
2009-11-14 18:03 . 2009-11-14 18:03 -------- d-----w- c:\programmi\Real Alternative
2009-11-06 20:09 . 2009-11-06 20:03 -------- d-----w- c:\programmi\Debugging Tools for Windows (x86)
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-10-29 07:40 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 21:21 . 2009-10-28 21:21 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\GuitarScalesV2.0B5C8B79A3CD562BA8F498C43C64CF1A50D3A5C9.1
2009-10-28 21:10 . 2009-10-28 21:10 -------- d-----w- c:\programmi\GuitarScalesV2
2009-10-21 06:00 . 2004-08-19 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-19 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 18:29 . 2009-10-20 18:29 152576 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 14:58 . 2008-08-14 09:55 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 18:55 . 2007-04-13 14:40 10 ----a-w- c:\windows\popcinfo.dat
2009-10-13 10:51 . 2004-08-19 12:00 267776 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:51 . 2004-08-19 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:51 . 2004-08-19 12:00 112640 ----a-w- c:\windows\system32\rastls.dll
2009-10-02 18:32 . 2009-10-02 18:32 3638 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_575918af.exe
2009-10-02 18:32 . 2009-10-02 18:32 1078 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_57566eb2.exe
2009-10-02 18:32 . 2009-10-02 18:32 10134 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_1d527b86.exe
.

------- Sigcheck -------

[-] 2008-04-14 . 70D7F99D95615C3C278367756287DB71 . 1036288 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\explorer.exe
[-] 2007-06-13 . A740C454AB68580AB44E6B46E3A5321F . 977920 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . A740C454AB68580AB44E6B46E3A5321F . 977920 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2007-06-13 . B4E85805BE6D23DE697F7B3BA7492D0B . 1035776 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-19 . 6CB6D8BCB81D927BCCF8E2905EB8F274 . 976896 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\programmi\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"QlbCtrl"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"VirtualCloneDrive"="c:\programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SynTPStart"="c:\programmi\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-20 2033432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\programmi\File comuni\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\Fabio\Menu Avvio\Programmi\Esecuzione automatica\
ERUNT AutoBackup.lnk - c:\programmi\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Stardock ObjectDock.lnk - c:\programmi\Stardock\ObjectDock\ObjectDock.exe [2009-7-25 3581680]
TransBar.lnk - c:\programmi\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
Y'z Shadow.lnk - c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-5-21 155648]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-2-27 581693]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Autodesk\\Chaos Group\\V-Ray\\vrlserver.exe"=
"c:\\Programmi\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\server.exe"=
"c:\\Programmi\\uTorrent\\utorrent.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\JDownloader_portable\\CommonFiles\\Java\\bin\\javaw.exe"=
"c:\\Programmi\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Programmi\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:192.168.0.100/255.255.255.255:Enabled:@xpsp2res.dll,-22004
"9783:TCP"= 9783:TCP:*:Disabled:hocnus

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/12/2009 17.21.51 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/12/2009 17.21.58 360584]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16.26.58 9968]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16.26.56 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\programmi\AVG\AVG9\avgemc.exe [20/12/2009 17.21.20 906520]
R2 avg9wd;AVG Free WatchDog;c:\programmi\AVG\AVG9\avgwdsvc.exe [20/12/2009 17.21.13 285392]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [06/06/2007 17.08.28 88192]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 cpwnt;cpwnt; [x]
S2 qeyvyki;ltjwdysb;c:\windows\system32\svchost.exe -k netsvcs [19/08/2004 13.00.00 14336]
S3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [01/12/2009 21.08.35 156552]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16.27.00 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qeyvyki
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = msproxy.elsag.it:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
Trusted Zone: microsoft.com\windowsupdate
DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} - hxxp://www.vincolimap.it/ecwplugins/ncs.cab
FF - ProfilePath - c:\documents and settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (it)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - component: c:\programmi\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Notify-dimsntfy - (no file)
AddRemove-V-Ray for 3dsmax R9 for x86 - c:\programmi\Autodesk\Chaos Group\V-Ray\uninstall\wininstaller.exe-uninstall=c:\programmi\Autodesk\Chaos Group\V-Ray\uninstall\install.log



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 09:25
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"="system32\Drivers\iastor.tsk"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1425521274-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,6f,a9,9b,20,e2,ea,3a,3f,f8,b0,31,26,d1,d7,ee,07,6a,9f,3f,61,
b2,b1,26,81,97,33,17,da,23,62,ad,76,22,de,a8,8a,e6,54,23,9f,0b,73,27,9d,6c,\
"rkeysecu"=hex:8c,6f,42,83,04,60,9e,22,4d,56,8b,2c,fd,1b,ff,cc
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\programmi\Stardock\ObjectDock\DockShellHook.dll
c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\AVG\AVG9\avgchsvx.exe
c:\programmi\AVG\AVG9\avgrsx.exe
c:\programmi\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\agrsmsvc.exe
c:\programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\windows\system32\DRIVERS\CDANTSRV.EXE
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\programmi\File comuni\Protexis\License Service\PsiService_2.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\AVG\AVG9\avgnsx.exe
c:\progra~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
c:\programmi\Hewlett-Packard\Shared\hpqwmiex.exe
c:\programmi\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Ora fine scansione: 2009-12-23 09:30:26 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-12-23 08:30

Pre-Run: 29.352.329.216 byte disponibili
Post-Run: 29.383.249.920 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 64C2EB0E249907DAC79084EA4C9836BE

-A little initiative now:-

SystemLook log for iastor.sys and iastor.tsk

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:28 on 23/12/2009 by Fabio (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\WINDOWS\system32\drivers\iastor.sys --a--- 874240 bytes [13:35 19/10/2005] [21:34 21/12/2009] D0293D506EF5C41FFDAAAE350824286C

Searching for "iastor.tsk"
C:\WINDOWS\system32\drivers\iastor.tsk --a--- 874240 bytes [21:30 21/12/2009] [21:30 21/12/2009] D0293D506EF5C41FFDAAAE350824286C

-=End Of File=-

uploaded both files to http://www.virustotal.com and 40/40 found negative.


-end of initiative-

so thanks again and Merry Xmas

Edited by Montar, 23 December 2009 - 04:33 AM.


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 23 December 2009 - 06:25 AM

OTL Fix step

Open OTL then do below..

Copy/paste the following into the Custom Scans/Fixes box and then click on the Run Fix button.

:processes
explorer.exe

:services
cpwnt
qeyvyki

:OTL
[2009/12/12 12.33.45 | 00,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documenti\khw
[2009/12/12 12.28.44 | 00,000,000 | RHS- | M] () -- C:\khw
[2009/12/12 12.28.43 | 00,000,633 | RHS- | M] () -- C:\WINDOWS\System32\autorun.i
[2009/12/12 12.28.43 | 00,000,412 | RHS- | M] () -- C:\WINDOWS\System32\autorun.in
[2009/12/02 21.23.19 | 00,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documenti\khv
[2009/12/02 21.05.32 | 00,000,000 | RHS- | M] () -- C:\khv
[2009/12/12 12.33.45 | 00,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documenti\khw
[2009/12/12 12.28.44 | 00,000,000 | RHS- | C] () -- C:\khw
[2009/12/09 21.30.04 | 00,000,002 | ---- | C] () -- C:\WINDOWS\System32\krx260.dat
[2009/12/02 21.23.19 | 00,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documenti\khv
[2009/12/02 21.05.32 | 00,000,000 | RHS- | C] () -- C:\khv
[2009/12/02 21.03.40 | 00,000,633 | RHS- | C] () -- C:\WINDOWS\System32\autorun.i
[2009/12/02 21.03.40 | 00,000,412 | RHS- | C] () -- C:\WINDOWS\System32\autorun.in

:files
c:\temp\*.*

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]

Let it run the fix. A log will then pop up on your screen after the fix finishes.. If it needs a reboot, just let it.. Post that log in your next reply...


Reboot the computer and run ComboFix once again.. Post both logs here

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Montar

Montar
  • Topic Starter

  • Members
  • 26 posts

Posted 23 December 2009 - 11:23 AM

Done.
Got some problems with ComboFix (first run crashed in a system bluescreen :) ; second run crashed on screensaver :( ; the 3rd take was good :( )
After I ran Malwarebytes and it found an entry. :) Log at the end

=============================================================OTL log

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Service cpwnt stopped successfully!
Service cpwnt deleted successfully!
Service qeyvyki stopped successfully!
Service qeyvyki deleted successfully!
========== OTL ==========
C:\Documents and Settings\All Users\Documenti\khw moved successfully.
C:\khw moved successfully.
C:\WINDOWS\system32\autorun.i moved successfully.
C:\WINDOWS\system32\autorun.in moved successfully.
C:\Documents and Settings\All Users\Documenti\khv moved successfully.
C:\khv moved successfully.
File C:\Documents and Settings\All Users\Documenti\khw not found.
File C:\khw not found.
C:\WINDOWS\system32\krx260.dat moved successfully.
File C:\Documents and Settings\All Users\Documenti\khv not found.
File C:\khv not found.
File C:\WINDOWS\System32\autorun.i not found.
File C:\WINDOWS\System32\autorun.in not found.
========== FILES ==========
c:\temp\log.txt moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Fabio
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6015132 bytes
->Java cache emptied: 30775874 bytes
->FireFox cache emptied: 61841969 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 94,00 mb


OTL by OldTimer - Version 3.1.19.0 log created on 12232009_154725

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

=============================================================Combofix log

ComboFix 09-12-20.08 - Fabio 23/12/2009 16.58.44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1015.511 [GMT 1:00]
Eseguito da: c:\documents and settings\Fabio\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Creati Da 2009-11-23 al 2009-12-23 )))))))))))))))))))))))))))))))))))
.

2009-12-23 15:58 . 2009-12-23 15:58 -------- d-----w- c:\temp\WPDNSE
2009-12-23 14:47 . 2009-12-23 14:47 -------- d-----w- C:\_OTL
2009-12-22 10:40 . 2009-12-20 16:21 3776280 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\setup.exe
2009-12-22 10:40 . 2009-12-20 16:21 4043032 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgui.exe
2009-12-22 10:40 . 2009-12-20 16:21 916248 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcfgx.dll
2009-12-22 10:40 . 2009-12-20 16:21 3967256 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcorex.dll
2009-12-21 22:26 . 2009-12-21 22:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-21 22:25 . 2009-12-21 22:25 -------- d-sh--w- c:\documents and settings\Fabio\IETldCache
2009-12-21 22:23 . 2009-12-21 22:23 -------- d-----w- c:\windows\ie8updates
2009-12-21 22:21 . 2009-12-21 22:21 -------- dc-h--w- c:\windows\ie8
2009-12-21 22:17 . 2009-10-29 07:40 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 22:17 . 2009-10-29 07:40 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 22:16 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-21 22:07 . 2009-12-21 22:07 -------- d-----w- c:\windows\ServicePackFiles
2009-12-21 22:02 . 2004-08-19 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-21 21:57 . 2009-12-23 08:21 -------- d-----w- c:\temp\NDP1.1sp1-KB953297-X86
2009-12-21 20:58 . 2009-12-21 20:58 -------- d-----w- c:\programmi\ERUNT
2009-12-20 20:59 . 2009-12-20 21:04 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-12-20 20:59 . 2009-12-20 21:02 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-12-20 17:22 . 2009-12-20 17:22 294656 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avglngx.dll
2009-12-20 17:22 . 2009-12-20 16:21 2352920 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgresf.dll
2009-12-20 17:09 . 2009-12-20 21:06 -------- d-----w- c:\temp\E1.tmp
2009-12-20 17:09 . 2009-12-20 21:06 -------- d-----w- c:\temp\E0.tmp
2009-12-20 16:22 . 2009-12-20 16:22 -------- d-----w- C:\$AVG
2009-12-20 16:21 . 2009-12-20 16:21 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-20 16:21 . 2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-20 16:21 . 2009-12-20 16:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-20 16:21 . 2009-12-20 16:21 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-20 16:21 . 2009-12-23 08:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\programmi\AVG
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2009-12-20 16:17 . 2009-12-20 21:06 -------- d-----w- c:\temp\7zSF.tmp
2009-12-20 16:16 . 2009-12-20 21:06 -------- d-----w- c:\temp\E.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\D.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\C.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\B.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\A.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\9.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\8.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\7.tmp
2009-12-20 16:15 . 2009-12-20 21:06 -------- d-----w- c:\temp\6.tmp
2009-12-20 16:14 . 2009-12-20 21:06 -------- d-----w- c:\temp\5.tmp
2009-12-20 14:09 . 2009-12-20 21:06 -------- d-----w- c:\temp\1AE.tmp
2009-12-20 13:59 . 2009-12-20 13:59 388096 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-20 13:59 . 2009-12-20 13:59 -------- d-----w- c:\programmi\HJT
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-19 20:04 -------- d-----w- c:\programmi\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 18:46 . 2009-12-19 18:46 -------- d-----w- c:\temp\MPTelemetrySubmit
2009-12-19 18:46 . 2009-11-02 19:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 18:28 . 2009-12-20 21:06 -------- d-----w- c:\temp\MPSampleSubmit
2009-12-19 18:11 . 2009-12-20 17:17 -------- d-----w- c:\programmi\Windows Live Safety Center
2009-12-19 17:36 . 2009-12-23 08:21 -------- d-----w- c:\temp\defs
2009-12-19 16:33 . 2009-12-19 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-19 16:07 . 2009-12-20 12:54 52224 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-18 15:58 . 2009-12-19 16:07 117760 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:58 . 2009-12-19 15:51 -------- d-----w- c:\programmi\SUPERAntiSpyware
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:57 . 2009-12-18 15:57 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-12-15 18:58 . 2008-09-17 19:39 139264 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird\Profiles\m5jhglnr.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2009-12-09 20:36 . 2009-12-09 20:36 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\File Renamer Basic
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\programmi\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Kristanix Software
2009-12-08 19:56 . 2009-12-08 20:03 -------- d-----w- c:\temp\plugtmp-3
2009-12-04 11:07 . 2009-12-04 11:07 -------- d-----w- c:\programmi\Widget vodafone.it
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\programmi\Common Files
2009-12-01 20:08 . 2009-02-11 07:47 2532344 ----a-w- c:\windows\system32\madiousb.dll
2009-12-01 20:08 . 2009-02-11 07:47 156552 ----a-w- c:\windows\system32\drivers\mausbft.sys
2009-12-01 20:08 . 2009-02-11 07:48 480264 ------w- c:\windows\system32\M-AudioTaskBarIcon.exe
2009-12-01 20:08 . 2009-02-11 07:47 32776 ----a-w- c:\windows\system32\mausbasio.dll
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{CC5A9A43-5BAB-4557-9CCD-206F0B5349BA}
2009-12-01 20:08 . 2009-12-20 21:06 -------- d-----w- c:\temp\{E31BAE7E-583A-4F4D-8B09-BDDBC46CD0E4}
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{BB7A7CC0-A40F-408C-BB4C-0D306A8046F0}
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{A80D64AC-CD11-48A9-B693-7515147BB98D}
2009-12-01 20:07 . 2009-12-20 21:06 -------- d-----w- c:\temp\{AA074FFE-2ACE-4D76-9893-D4792916E094}
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\temp\{79F6A335-58C1-4502-8DD4-5B9DC2105892}
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\temp\{297D98C7-FF95-4604-A583-49B4FEA7AEBC}
2009-11-29 21:31 . 2009-11-29 21:32 -------- d-----w- c:\programmi\JDownloader_portable
2009-11-29 21:31 . 2009-11-29 21:31 -------- d--h--w- c:\temp\Directory temporanea 1 per JDownloader_portable.zip
2009-11-28 11:49 . 2009-11-28 13:05 -------- d-----w- c:\temp\plugtmp-2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 14:47 . 2004-08-19 12:00 85198 ----a-w- c:\windows\system32\perfc010.dat
2009-12-23 14:47 . 2004-08-19 12:00 492552 ----a-w- c:\windows\system32\perfh010.dat
2009-12-23 12:06 . 2009-07-08 20:12 -------- d-----w- c:\programmi\Mozilla Thunderbird
2009-12-23 09:53 . 2007-07-22 12:17 -------- d-----w- c:\programmi\Vista Inspirat 2
2009-12-21 21:34 . 2005-10-19 13:35 874240 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-12-21 21:30 . 2009-12-21 21:30 874240 ----a-w- c:\windows\system32\drivers\iastor.tsk
2009-12-21 21:30 . 2009-05-03 20:04 -------- d-----w- c:\programmi\PowerArchiver
2009-12-20 20:51 . 2007-06-06 17:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Skype
2009-12-20 18:08 . 2008-04-24 09:23 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-12-20 17:30 . 2009-07-07 19:59 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\skypePM
2009-12-20 15:57 . 2007-06-06 17:50 150120 ----a-w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-20 13:35 . 2009-10-17 19:13 -------- d-----w- c:\programmi\Unlocker
2009-12-20 12:18 . 2007-06-06 18:02 -------- d-----w- c:\programmi\FastStone Image Viewer
2009-12-19 15:57 . 2009-07-07 19:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\uTorrent
2009-12-19 14:47 . 2008-11-18 20:34 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\foobar2000
2009-12-18 19:36 . 2007-02-26 19:28 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-12-18 17:23 . 2009-07-07 19:16 -------- d-----w- c:\programmi\uTorrent
2009-12-15 21:08 . 2007-11-02 18:01 -------- d-----w- c:\programmi\GGL
2009-12-15 20:34 . 2009-07-08 20:22 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird
2009-12-12 20:52 . 2009-09-30 18:53 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\vlc
2009-12-10 19:26 . 2009-07-25 12:38 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2009-12-10 19:26 . 2009-09-01 14:58 38784 ----a-w- c:\documents and settings\Default User\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-10 19:26 . 2009-07-25 12:38 38784 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 112290 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 -------- d-----w- c:\programmi\File Renamer
2009-12-04 11:05 . 2009-09-01 15:10 -------- d-----w- c:\programmi\Widget Vodafone
2009-12-01 20:08 . 2007-06-06 16:08 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-12-01 20:08 . 2007-10-08 18:49 -------- d-----w- c:\programmi\M-Audio
2009-11-21 23:10 . 2009-11-21 23:10 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-15 18:25 . 2009-11-08 14:17 -------- d-----w- c:\programmi\Telltale Games
2009-11-14 18:03 . 2009-11-14 18:03 -------- d-----w- c:\programmi\Real Alternative
2009-11-06 20:09 . 2009-11-06 20:03 -------- d-----w- c:\programmi\Debugging Tools for Windows (x86)
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-10-29 07:40 . 2004-08-19 12:00 907264 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 21:21 . 2009-10-28 21:21 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\GuitarScalesV2.0B5C8B79A3CD562BA8F498C43C64CF1A50D3A5C9.1
2009-10-28 21:10 . 2009-10-28 21:10 -------- d-----w- c:\programmi\GuitarScalesV2
2009-10-21 06:00 . 2004-08-19 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-19 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 18:29 . 2009-10-20 18:29 152576 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 14:58 . 2008-08-14 09:55 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 18:55 . 2007-04-13 14:40 10 ----a-w- c:\windows\popcinfo.dat
2009-10-13 10:51 . 2004-08-19 12:00 267776 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:51 . 2004-08-19 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:51 . 2004-08-19 12:00 112640 ----a-w- c:\windows\system32\rastls.dll
2009-10-02 18:32 . 2009-10-02 18:32 3638 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_575918af.exe
2009-10-02 18:32 . 2009-10-02 18:32 1078 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_57566eb2.exe
2009-10-02 18:32 . 2009-10-02 18:32 10134 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_1d527b86.exe
.

------- Sigcheck -------

[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe
[-] 2009-08-06 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[-] 2009-08-06 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe
[-] 2008-04-14 . E8B6AF451AE34742DA3D9623F7E94EFD . 111616 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\wuauclt.exe

[7] 2009-10-29 . 83C2B9AD98490B6CC164FC2BA8F01CB6 . 5940736 . . [8.00.6001.18854] . . c:\windows\ERDNT\cache\mshtml.dll
[7] 2009-10-29 . 83C2B9AD98490B6CC164FC2BA8F01CB6 . 5940736 . . [8.00.6001.18854] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3GDR\mshtml.dll
[-] 2009-10-29 . DEEE6424944985AD74C959D463AAFB5B . 6214656 . . [8.00.6001.18854] . . c:\windows\system32\mshtml.dll
[-] 2009-10-29 . DEEE6424944985AD74C959D463AAFB5B . 6214656 . . [8.00.6001.18854] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2009-10-29 . 84068701B8A68CE44B329C24448337F0 . 5944320 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll
[7] 2009-10-29 . 84068701B8A68CE44B329C24448337F0 . 5944320 . . [8.00.6001.22945] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3QFE\mshtml.dll
[7] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB976325-IE8\mshtml.dll
[-] 2009-01-07 . F48F08F1D6B91570D11FCBFD63EC7775 . 5699584 . . [8.00.6001.22352] . . c:\windows\SoftwareDistribution\Download\878c259b1ed795ff5510c00851393d89\SP3QFE\mshtml.dll
[-] 2009-01-07 . DA6DB785A21B51C3932C0F02828D9670 . 5699584 . . [8.00.6001.18259] . . c:\windows\SoftwareDistribution\Download\878c259b1ed795ff5510c00851393d89\SP3GDR\mshtml.dll
[7] 2008-06-24 . 080DEB244585EB5772F6E6DEA75B4380 . 3592192 . . [7.00.6000.16705] . . c:\windows\ie8\mshtml.dll
[7] 2008-06-23 . 8E52FEC7D214C3B62871F8637F204114 . 3594240 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[-] 2008-04-14 . F543C74EB47E1C1DB9362BDFE06433EE . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\mshtml.dll
[-] 2008-03-01 . 890A3A1F2AE237DEC94E863CBE54ECBA . 3864576 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[7] 2008-03-01 . 14154D51ED61852B3AD4845103302ECE . 3593216 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
[7] 2007-03-23 . 03278E07A5E7076F2D74D57FB345F9AB . 3582976 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\mshtml.dll
[-] 2007-02-27 . 7F55B8063C1F50DF843743AF83B6435F . 3854848 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB947864-IE7\mshtml.dll
[7] 2006-11-07 . CBF04597F9CF7739E572276A2698FDD3 . 3577856 . . [7.00.5730.11] . . c:\windows\ie7updates\KB931768-IE7\mshtml.dll
[7] 2004-08-19 . B0D7B00D4FDC5BB8203E0A38D15CBAA2 . 3003392 . . [6.00.2900.2180] . . c:\windows\ie7\mshtml.dll

[7] 2009-10-29 . C519BD50898ED820C8F76DCAFA8C45F5 . 916480 . . [8.00.6001.18854] . . c:\windows\ERDNT\cache\wininet.dll
[7] 2009-10-29 . C519BD50898ED820C8F76DCAFA8C45F5 . 916480 . . [8.00.6001.18854] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3GDR\wininet.dll
[-] 2009-10-29 . B38ACF5FA3AE3E5837CEC43F6B46D78B . 907264 . . [8.00.6001.18854] . . c:\windows\system32\wininet.dll
[-] 2009-10-29 . B38ACF5FA3AE3E5837CEC43F6B46D78B . 907264 . . [8.00.6001.18854] . . c:\windows\system32\dllcache\wininet.dll
[7] 2009-10-29 . CA616511815109192BF0CB7EBD6AA566 . 916480 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll
[7] 2009-10-29 . CA616511815109192BF0CB7EBD6AA566 . 916480 . . [8.00.6001.22945] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3QFE\wininet.dll
[7] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB976325-IE8\wininet.dll
[7] 2008-06-23 . 4B54220877703198E55F61CB7B87979E . 826368 . . [7.00.6000.16705] . . c:\windows\ie8\wininet.dll
[7] 2008-06-23 . BF9D17259082632F03F3FF5759C6AE32 . 827904 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-04-14 . 663E74D98D2E67C1343D367388EDD711 . 668672 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\wininet.dll
[-] 2008-03-01 . 24E55CCA00171B7086B741213A2E4556 . 817152 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-03-01 . 93DB90BE4A10EC784DDC9C8601A28AA6 . 827392 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2007-03-23 . BC9EA33FE795C9734B76198FA50BA0AB . 823296 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[-] 2007-02-27 . D7514BAD0FCBAF2EBFC5AABCC3CC4F4C . 813568 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB947864-IE7\wininet.dll
[7] 2006-11-07 . 92995334F993E6E49C25C6D02EC04401 . 818688 . . [7.00.5730.11] . . c:\windows\ie7updates\KB931768-IE7\wininet.dll
[7] 2004-08-19 . 27966534A0820CD3BD988BD1517C8FF2 . 658944 . . [6.00.2900.2180] . . c:\windows\ie7\wininet.dll

[-] 2008-04-14 . 70D7F99D95615C3C278367756287DB71 . 1036288 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\explorer.exe
[-] 2007-06-13 . ADDD36BAC3ACB28C0F8E07C76FF65D3E . 977920 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . ADDD36BAC3ACB28C0F8E07C76FF65D3E . 977920 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2007-06-13 . B4E85805BE6D23DE697F7B3BA7492D0B . 1035776 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-19 . 6CB6D8BCB81D927BCCF8E2905EB8F274 . 976896 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\programmi\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"QlbCtrl"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"VirtualCloneDrive"="c:\programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SynTPStart"="c:\programmi\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-20 2033432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\programmi\File comuni\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\Fabio\Menu Avvio\Programmi\Esecuzione automatica\
ERUNT AutoBackup.lnk - c:\programmi\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Stardock ObjectDock.lnk - c:\programmi\Stardock\ObjectDock\ObjectDock.exe [2009-7-25 3581680]
TransBar.lnk - c:\programmi\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
Y'z Shadow.lnk - c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-5-21 155648]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-2-27 581693]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Autodesk\\Chaos Group\\V-Ray\\vrlserver.exe"=
"c:\\Programmi\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\server.exe"=
"c:\\Programmi\\uTorrent\\utorrent.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\JDownloader_portable\\CommonFiles\\Java\\bin\\javaw.exe"=
"c:\\Programmi\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Programmi\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:192.168.0.100/255.255.255.255:Enabled:@xpsp2res.dll,-22004
"9783:TCP"= 9783:TCP:*:Disabled:hocnus

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/12/2009 17.21.51 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/12/2009 17.21.58 360584]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16.26.58 9968]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16.26.56 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\programmi\AVG\AVG9\avgemc.exe [20/12/2009 17.21.20 906520]
R2 avg9wd;AVG Free WatchDog;c:\programmi\AVG\AVG9\avgwdsvc.exe [20/12/2009 17.21.13 285392]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [06/06/2007 17.08.28 88192]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [01/12/2009 21.08.35 156552]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16.27.00 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qeyvyki
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = msproxy.elsag.it:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
Trusted Zone: microsoft.com\windowsupdate
DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} - hxxp://www.vincolimap.it/ecwplugins/ncs.cab
FF - ProfilePath - c:\documents and settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (it)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - component: c:\programmi\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"="system32\Drivers\iastor.tsk"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1425521274-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,6f,a9,9b,20,e2,ea,3a,3f,f8,b0,31,26,d1,d7,ee,07,6a,9f,3f,61,
b2,b1,26,81,97,33,17,da,23,62,ad,76,22,de,a8,8a,e6,54,23,9f,0b,73,27,9d,6c,\
"rkeysecu"=hex:8c,6f,42,83,04,60,9e,22,4d,56,8b,2c,fd,1b,ff,cc
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2072)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
Ora fine scansione: 2009-12-23 17:05:50
ComboFix-quarantined-files.txt 2009-12-23 16:05

Pre-Run: 29.207.597.056 byte disponibili
Post-Run: 29.173.690.368 byte disponibili

- - End Of File - - C7C3FBF9D141F0FEA8E23F75A713AEE5


=============================================================Malwarebytes log

Malwarebytes' Anti-Malware 1.42
Versione del database: 3415
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

23/12/2009 17.42.38
mbam-log-2009-12-23 (17-42-38).txt

Tipo di scansione: Scansione rapida
Elementi scansionati: 182214
Tempo trascorso: 8 minute(s), 22 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CURRENT_USER\SOFTWARE\uvc7jk640c (Trojan.Downloader) -> Quarantined and deleted successfully.

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)

===============================================An ESET scan:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=21ed6895d9ed114f903e0f9c52c1ddfe
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-23 08:28:18
# local_time=2009-12-23 09:28:18 (+0100, ora solare Europa occidentale)
# country="Italy"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 274964 274964 0 0
# compatibility_mode=8192 67108863 100 0 4182 4182 0 0
# scanned=47509
# found=0
# cleaned=0
# scan_time=2672

Edited by Montar, 23 December 2009 - 03:36 PM.


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 24 December 2009 - 07:02 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Folder::
c:\temp\7zSF.tmp
c:\temp\E.tmp
c:\temp\D.tmp
c:\temp\C.tmp
c:\temp\B.tmp
c:\temp\A.tmp
c:\temp\9.tmp
c:\temp\8.tmp
c:\temp\7.tmp
c:\temp\6.tmp
c:\temp\5.tmp
c:\temp\1AE.tmp
c:\temp\E1.tmp
c:\temp\E0.tmp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Montar

Montar
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 25 December 2009 - 12:25 PM

ComboFix 09-12-24.02 - Fabio 25/12/2009 17.03.52.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1015.535 [GMT 1:00]
Eseguito da: c:\documents and settings\Fabio\Desktop\Combo-Fix.exe
Opzioni usate :: c:\documents and settings\Fabio\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\1AE.tmp
c:\temp\5.tmp
c:\temp\6.tmp
c:\temp\7.tmp
c:\temp\7zSF.tmp
c:\temp\8.tmp
c:\temp\9.tmp
c:\temp\A.tmp
c:\temp\B.tmp
c:\temp\C.tmp
c:\temp\D.tmp
c:\temp\E.tmp
c:\temp\E0.tmp
c:\temp\E1.tmp

.
((((((((((((((((((((((((( Files Creati Da 2009-11-25 al 2009-12-25 )))))))))))))))))))))))))))))))))))
.

2009-12-25 10:57 . 2009-12-25 11:01 -------- d-----w- c:\temp\plugtmp-4
2009-12-22 10:40 . 2009-12-20 16:21 3776280 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\setup.exe
2009-12-22 10:40 . 2009-12-20 16:21 4043032 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgui.exe
2009-12-22 10:40 . 2009-12-20 16:21 916248 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcfgx.dll
2009-12-22 10:40 . 2009-12-20 16:21 3967256 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcorex.dll
2009-12-21 22:26 . 2009-12-21 22:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-21 22:25 . 2009-12-21 22:25 -------- d-sh--w- c:\documents and settings\Fabio\IETldCache
2009-12-21 22:23 . 2009-12-21 22:23 -------- d-----w- c:\windows\ie8updates
2009-12-21 22:21 . 2009-12-21 22:21 -------- dc-h--w- c:\windows\ie8
2009-12-21 22:17 . 2009-10-29 07:40 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 22:17 . 2009-10-29 07:40 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 22:16 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-21 22:07 . 2009-12-21 22:07 -------- d-----w- c:\windows\ServicePackFiles
2009-12-21 22:02 . 2004-08-19 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-21 21:57 . 2009-12-23 08:21 -------- d-----w- c:\temp\NDP1.1sp1-KB953297-X86
2009-12-21 20:58 . 2009-12-21 20:58 -------- d-----w- c:\programmi\ERUNT
2009-12-20 20:59 . 2009-12-20 21:04 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-12-20 20:59 . 2009-12-20 21:02 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-12-20 17:22 . 2009-12-20 17:22 294656 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avglngx.dll
2009-12-20 17:22 . 2009-12-20 16:21 2352920 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgresf.dll
2009-12-20 16:22 . 2009-12-20 16:22 -------- d-----w- C:\$AVG
2009-12-20 16:21 . 2009-12-20 16:21 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-20 16:21 . 2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-20 16:21 . 2009-12-20 16:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-20 16:21 . 2009-12-20 16:21 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-20 16:21 . 2009-12-25 10:46 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\programmi\AVG
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2009-12-20 13:59 . 2009-12-20 13:59 388096 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-20 13:59 . 2009-12-20 13:59 -------- d-----w- c:\programmi\HJT
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-19 20:04 -------- d-----w- c:\programmi\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 18:46 . 2009-12-19 18:46 -------- d-----w- c:\temp\MPTelemetrySubmit
2009-12-19 18:46 . 2009-11-02 19:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 18:28 . 2009-12-20 21:06 -------- d-----w- c:\temp\MPSampleSubmit
2009-12-19 18:11 . 2009-12-20 17:17 -------- d-----w- c:\programmi\Windows Live Safety Center
2009-12-19 17:36 . 2009-12-23 08:21 -------- d-----w- c:\temp\defs
2009-12-19 16:33 . 2009-12-19 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-19 16:07 . 2009-12-23 16:53 52224 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-18 15:58 . 2009-12-23 16:53 117760 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:58 . 2009-12-19 15:51 -------- d-----w- c:\programmi\SUPERAntiSpyware
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:57 . 2009-12-18 15:57 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-12-15 18:58 . 2008-09-17 19:39 139264 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird\Profiles\m5jhglnr.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2009-12-09 20:36 . 2009-12-09 20:36 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\File Renamer Basic
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\programmi\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Kristanix Software
2009-12-08 19:56 . 2009-12-08 20:03 -------- d-----w- c:\temp\plugtmp-3
2009-12-04 11:07 . 2009-12-04 11:07 -------- d-----w- c:\programmi\Widget vodafone.it
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\programmi\Common Files
2009-12-01 20:08 . 2009-02-11 07:47 2532344 ----a-w- c:\windows\system32\madiousb.dll
2009-12-01 20:08 . 2009-02-11 07:47 156552 ----a-w- c:\windows\system32\drivers\mausbft.sys
2009-12-01 20:08 . 2009-02-11 07:48 480264 ------w- c:\windows\system32\M-AudioTaskBarIcon.exe
2009-12-01 20:08 . 2009-02-11 07:47 32776 ----a-w- c:\windows\system32\mausbasio.dll
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{CC5A9A43-5BAB-4557-9CCD-206F0B5349BA}
2009-12-01 20:08 . 2009-12-20 21:06 -------- d-----w- c:\temp\{E31BAE7E-583A-4F4D-8B09-BDDBC46CD0E4}
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{BB7A7CC0-A40F-408C-BB4C-0D306A8046F0}
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\temp\{A80D64AC-CD11-48A9-B693-7515147BB98D}
2009-12-01 20:07 . 2009-12-20 21:06 -------- d-----w- c:\temp\{AA074FFE-2ACE-4D76-9893-D4792916E094}
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\temp\{79F6A335-58C1-4502-8DD4-5B9DC2105892}
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\temp\{297D98C7-FF95-4604-A583-49B4FEA7AEBC}
2009-11-29 21:31 . 2009-11-29 21:32 -------- d-----w- c:\programmi\JDownloader_portable
2009-11-29 21:31 . 2009-11-29 21:31 -------- d--h--w- c:\temp\Directory temporanea 1 per JDownloader_portable.zip
2009-11-28 11:49 . 2009-11-28 13:05 -------- d-----w- c:\temp\plugtmp-2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 10:38 . 2007-06-06 17:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Skype
2009-12-24 10:18 . 2009-07-07 19:59 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\skypePM
2009-12-24 10:03 . 2009-09-30 18:53 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\vlc
2009-12-24 09:36 . 2009-07-07 19:16 -------- d-----w- c:\programmi\uTorrent
2009-12-23 21:15 . 2009-07-07 19:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\uTorrent
2009-12-23 14:47 . 2004-08-19 12:00 85198 ----a-w- c:\windows\system32\perfc010.dat
2009-12-23 14:47 . 2004-08-19 12:00 492552 ----a-w- c:\windows\system32\perfh010.dat
2009-12-23 12:06 . 2009-07-08 20:12 -------- d-----w- c:\programmi\Mozilla Thunderbird
2009-12-23 09:53 . 2007-07-22 12:17 -------- d-----w- c:\programmi\Vista Inspirat 2
2009-12-21 21:34 . 2005-10-19 13:35 874240 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-12-21 21:30 . 2009-12-21 21:30 874240 ----a-w- c:\windows\system32\drivers\iastor.tsk
2009-12-21 21:30 . 2009-05-03 20:04 -------- d-----w- c:\programmi\PowerArchiver
2009-12-20 18:08 . 2008-04-24 09:23 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-12-20 15:57 . 2007-06-06 17:50 150120 ----a-w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-20 13:35 . 2009-10-17 19:13 -------- d-----w- c:\programmi\Unlocker
2009-12-20 12:18 . 2007-06-06 18:02 -------- d-----w- c:\programmi\FastStone Image Viewer
2009-12-19 14:47 . 2008-11-18 20:34 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\foobar2000
2009-12-18 19:36 . 2007-02-26 19:28 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-12-15 21:08 . 2007-11-02 18:01 -------- d-----w- c:\programmi\GGL
2009-12-15 20:34 . 2009-07-08 20:22 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird
2009-12-10 19:26 . 2009-07-25 12:38 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2009-12-10 19:26 . 2009-09-01 14:58 38784 ----a-w- c:\documents and settings\Default User\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-10 19:26 . 2009-07-25 12:38 38784 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 112290 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 -------- d-----w- c:\programmi\File Renamer
2009-12-04 11:05 . 2009-09-01 15:10 -------- d-----w- c:\programmi\Widget Vodafone
2009-12-01 20:08 . 2007-06-06 16:08 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-12-01 20:08 . 2007-10-08 18:49 -------- d-----w- c:\programmi\M-Audio
2009-11-21 23:10 . 2009-11-21 23:10 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 16:38 . 2004-08-19 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 18:25 . 2009-11-08 14:17 -------- d-----w- c:\programmi\Telltale Games
2009-11-14 18:03 . 2009-11-14 18:03 -------- d-----w- c:\programmi\Real Alternative
2009-11-06 20:09 . 2009-11-06 20:03 -------- d-----w- c:\programmi\Debugging Tools for Windows (x86)
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-10-29 07:40 . 2004-08-19 12:00 907264 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 21:21 . 2009-10-28 21:21 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\GuitarScalesV2.0B5C8B79A3CD562BA8F498C43C64CF1A50D3A5C9.1
2009-10-28 21:10 . 2009-10-28 21:10 -------- d-----w- c:\programmi\GuitarScalesV2
2009-10-21 06:00 . 2004-08-19 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-19 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 18:29 . 2009-10-20 18:29 152576 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 14:58 . 2008-08-14 09:55 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 18:55 . 2007-04-13 14:40 10 ----a-w- c:\windows\popcinfo.dat
2009-10-13 10:51 . 2004-08-19 12:00 267776 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:51 . 2004-08-19 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:51 . 2004-08-19 12:00 112640 ----a-w- c:\windows\system32\rastls.dll
2009-10-02 18:32 . 2009-10-02 18:32 3638 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_575918af.exe
2009-10-02 18:32 . 2009-10-02 18:32 1078 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_57566eb2.exe
2009-10-02 18:32 . 2009-10-02 18:32 10134 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_1d527b86.exe
.

------- Sigcheck -------

[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe
[-] 2009-08-06 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[-] 2009-08-06 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe
[-] 2008-04-14 . E8B6AF451AE34742DA3D9623F7E94EFD . 111616 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\wuauclt.exe

[7] 2009-10-29 . 83C2B9AD98490B6CC164FC2BA8F01CB6 . 5940736 . . [8.00.6001.18854] . . c:\windows\ERDNT\cache\mshtml.dll
[7] 2009-10-29 . 83C2B9AD98490B6CC164FC2BA8F01CB6 . 5940736 . . [8.00.6001.18854] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3GDR\mshtml.dll
[-] 2009-10-29 . DEEE6424944985AD74C959D463AAFB5B . 6214656 . . [8.00.6001.18854] . . c:\windows\system32\mshtml.dll
[-] 2009-10-29 . DEEE6424944985AD74C959D463AAFB5B . 6214656 . . [8.00.6001.18854] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2009-10-29 . 84068701B8A68CE44B329C24448337F0 . 5944320 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll
[7] 2009-10-29 . 84068701B8A68CE44B329C24448337F0 . 5944320 . . [8.00.6001.22945] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3QFE\mshtml.dll
[7] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB976325-IE8\mshtml.dll
[-] 2009-01-07 . F48F08F1D6B91570D11FCBFD63EC7775 . 5699584 . . [8.00.6001.22352] . . c:\windows\SoftwareDistribution\Download\878c259b1ed795ff5510c00851393d89\SP3QFE\mshtml.dll
[-] 2009-01-07 . DA6DB785A21B51C3932C0F02828D9670 . 5699584 . . [8.00.6001.18259] . . c:\windows\SoftwareDistribution\Download\878c259b1ed795ff5510c00851393d89\SP3GDR\mshtml.dll
[7] 2008-06-24 . 080DEB244585EB5772F6E6DEA75B4380 . 3592192 . . [7.00.6000.16705] . . c:\windows\ie8\mshtml.dll
[7] 2008-06-23 . 8E52FEC7D214C3B62871F8637F204114 . 3594240 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[-] 2008-04-14 . F543C74EB47E1C1DB9362BDFE06433EE . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\mshtml.dll
[-] 2008-03-01 . 890A3A1F2AE237DEC94E863CBE54ECBA . 3864576 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[7] 2008-03-01 . 14154D51ED61852B3AD4845103302ECE . 3593216 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
[7] 2007-03-23 . 03278E07A5E7076F2D74D57FB345F9AB . 3582976 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\mshtml.dll
[-] 2007-02-27 . 7F55B8063C1F50DF843743AF83B6435F . 3854848 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB947864-IE7\mshtml.dll
[7] 2006-11-07 . CBF04597F9CF7739E572276A2698FDD3 . 3577856 . . [7.00.5730.11] . . c:\windows\ie7updates\KB931768-IE7\mshtml.dll
[7] 2004-08-19 . B0D7B00D4FDC5BB8203E0A38D15CBAA2 . 3003392 . . [6.00.2900.2180] . . c:\windows\ie7\mshtml.dll

[7] 2009-10-29 . C519BD50898ED820C8F76DCAFA8C45F5 . 916480 . . [8.00.6001.18854] . . c:\windows\ERDNT\cache\wininet.dll
[7] 2009-10-29 . C519BD50898ED820C8F76DCAFA8C45F5 . 916480 . . [8.00.6001.18854] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3GDR\wininet.dll
[-] 2009-10-29 . B38ACF5FA3AE3E5837CEC43F6B46D78B . 907264 . . [8.00.6001.18854] . . c:\windows\system32\wininet.dll
[-] 2009-10-29 . B38ACF5FA3AE3E5837CEC43F6B46D78B . 907264 . . [8.00.6001.18854] . . c:\windows\system32\dllcache\wininet.dll
[7] 2009-10-29 . CA616511815109192BF0CB7EBD6AA566 . 916480 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll
[7] 2009-10-29 . CA616511815109192BF0CB7EBD6AA566 . 916480 . . [8.00.6001.22945] . . c:\windows\SoftwareDistribution\Download\187b16f73582b6a8b7dc832d41e9c0bc\SP3QFE\wininet.dll
[7] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB976325-IE8\wininet.dll
[7] 2008-06-23 . 4B54220877703198E55F61CB7B87979E . 826368 . . [7.00.6000.16705] . . c:\windows\ie8\wininet.dll
[7] 2008-06-23 . BF9D17259082632F03F3FF5759C6AE32 . 827904 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-04-14 . 663E74D98D2E67C1343D367388EDD711 . 668672 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\wininet.dll
[-] 2008-03-01 . 24E55CCA00171B7086B741213A2E4556 . 817152 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-03-01 . 93DB90BE4A10EC784DDC9C8601A28AA6 . 827392 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2007-03-23 . BC9EA33FE795C9734B76198FA50BA0AB . 823296 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[-] 2007-02-27 . D7514BAD0FCBAF2EBFC5AABCC3CC4F4C . 813568 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB947864-IE7\wininet.dll
[7] 2006-11-07 . 92995334F993E6E49C25C6D02EC04401 . 818688 . . [7.00.5730.11] . . c:\windows\ie7updates\KB931768-IE7\wininet.dll
[7] 2004-08-19 . 27966534A0820CD3BD988BD1517C8FF2 . 658944 . . [6.00.2900.2180] . . c:\windows\ie7\wininet.dll

[-] 2008-04-14 . 70D7F99D95615C3C278367756287DB71 . 1036288 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\explorer.exe
[-] 2007-06-13 . ADDD36BAC3ACB28C0F8E07C76FF65D3E . 977920 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . ADDD36BAC3ACB28C0F8E07C76FF65D3E . 977920 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2007-06-13 . B4E85805BE6D23DE697F7B3BA7492D0B . 1035776 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-19 . 6CB6D8BCB81D927BCCF8E2905EB8F274 . 976896 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\programmi\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"QlbCtrl"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"VirtualCloneDrive"="c:\programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SynTPStart"="c:\programmi\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-20 2033432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\programmi\File comuni\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\Fabio\Menu Avvio\Programmi\Esecuzione automatica\
ERUNT AutoBackup.lnk - c:\programmi\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Stardock ObjectDock.lnk - c:\programmi\Stardock\ObjectDock\ObjectDock.exe [2009-7-25 3581680]
TransBar.lnk - c:\programmi\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
Y'z Shadow.lnk - c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-5-21 155648]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-2-27 581693]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Autodesk\\Chaos Group\\V-Ray\\vrlserver.exe"=
"c:\\Programmi\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\server.exe"=
"c:\\Programmi\\uTorrent\\utorrent.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\JDownloader_portable\\CommonFiles\\Java\\bin\\javaw.exe"=
"c:\\Programmi\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Programmi\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:192.168.0.100/255.255.255.255:Enabled:@xpsp2res.dll,-22004
"9783:TCP"= 9783:TCP:*:Disabled:hocnus

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/12/2009 17.21.51 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/12/2009 17.21.58 360584]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16.26.58 9968]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16.26.56 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\programmi\AVG\AVG9\avgemc.exe [20/12/2009 17.21.20 906520]
R2 avg9wd;AVG Free WatchDog;c:\programmi\AVG\AVG9\avgwdsvc.exe [20/12/2009 17.21.13 285392]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [06/06/2007 17.08.28 88192]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [01/12/2009 21.08.35 156552]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16.27.00 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qeyvyki
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = msproxy.elsag.it:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
Trusted Zone: microsoft.com\windowsupdate
DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} - hxxp://www.vincolimap.it/ecwplugins/ncs.cab
FF - ProfilePath - c:\documents and settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (it)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - component: c:\programmi\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-25 17:11
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"="system32\Drivers\iastor.tsk"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1425521274-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,6f,a9,9b,20,e2,ea,3a,3f,f8,b0,31,26,d1,d7,ee,07,6a,9f,3f,61,
b2,b1,26,81,97,33,17,da,23,62,ad,76,22,de,a8,8a,e6,54,23,9f,0b,73,27,9d,6c,\
"rkeysecu"=hex:8c,6f,42,83,04,60,9e,22,4d,56,8b,2c,fd,1b,ff,cc
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(448)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\programmi\Stardock\ObjectDock\DockShellHook.dll
c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\AVG\AVG9\avgchsvx.exe
c:\programmi\AVG\AVG9\avgrsx.exe
c:\programmi\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\agrsmsvc.exe
c:\programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\windows\system32\DRIVERS\CDANTSRV.EXE
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\AVG\AVG9\avgnsx.exe
c:\windows\system32\IoctlSvc.exe
c:\programmi\File comuni\Protexis\License Service\PsiService_2.exe
c:\programmi\Hewlett-Packard\Shared\hpqwmiex.exe
c:\programmi\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Ora fine scansione: 2009-12-25 17:17:42 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-12-25 16:17

Pre-Run: 30.860.451.840 byte disponibili
Post-Run: 30.851.710.976 byte disponibili

- - End Of File - - DC41F82D6B992B29ABD12A742C0B1BD6

=========================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.27.54, on 25/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\AVG\AVG9\avgchsvx.exe
C:\Programmi\AVG\AVG9\avgrsx.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\AVG\AVG9\avgwdsvc.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\IoctlSvc.exe
c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\AVG\AVG9\avgemc.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Programmi\Rainlendar2\Rainlendar2.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fabio\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.elsag.it:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Programmi\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Programmi\Rainlendar2\Rainlendar2.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programmi\ERUNT\AUTOBACK.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: TransBar.lnk = C:\Programmi\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: Y'z Shadow.lnk = C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247305945687
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247305930406
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcDcToday.ocx
O16 - DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
O16 - DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} (NCSLayeredView Class) - http://www.vincolimap.it/ecwplugins/ncs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcPreview.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe

--
End of file - 9266 bytes


p.s. the browser seems not to be redirected anymore, but the CPU usage seems not so regular (it's about 3% to 10-15% every 2 seconds on both CPUs... a kind of sawtooth diagram. Could it be the AVG resident shield CPU usage??)
Can you tell so far which kind of virus/malware work(ed) on my machine??
Thanks and Merry Xmas

Edited by Montar, 25 December 2009 - 05:34 PM.


#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 25 December 2009 - 10:07 PM

Hi, sorry.. yesterday was very busy and I was very tired :(

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
qeyvyki

FCopy::
c:\windows\ERDNT\cache\wuauclt.exe | c:\windows\system32\wuauclt.exe
c:\windows\ERDNT\cache\mshtml.dll | c:\windows\system32\mshtml.dll
c:\windows\ERDNT\cache\wininet.dll | c:\windows\system32\wininet.dll
c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe | c:\windows\explorer.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

About CPU usage, please open Task Manager >> go to the Processes tab >> click the CPU column and observe which process eats the most CPU.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
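The CFScript in the post above is a small section-based format: a `Name::` line opens a section (KillAll::, NetSvc::, FCopy::) and, under FCopy::, each line is `backup | live target`. As an added example, not part of this post and not ComboFix's own code, here is a Python parser for that format plus a dry run of the FCopy section: instead of copying, it hashes each backup against its live target and reports which files actually differ from the ERDNT cache copies. The section names and the four file pairs are taken from the script above; the parser, the hash comparison, and the directory tree (built in a temporary folder with constructed file contents, with wininet.dll deliberately given different bytes) are assumptions made for this illustration, so nothing on a real system is touched.

```python
"""Parse a ComboFix-style CFScript and dry-run its FCopy section.

Added example, not ComboFix's own code. The section names (KillAll::,
NetSvc::, FCopy::) and the "backup | live target" line shape are taken
from the script in the post above; the parser, the hash comparison and
the temporary directory tree are assumptions made for this illustration.
"""
import hashlib
import os
import shutil
import tempfile

# The script exactly as posted above (raw string keeps the backslashes).
CFSCRIPT = r"""
KillAll::

NetSvc::
qeyvyki

FCopy::
c:\windows\ERDNT\cache\wuauclt.exe | c:\windows\system32\wuauclt.exe
c:\windows\ERDNT\cache\mshtml.dll | c:\windows\system32\mshtml.dll
c:\windows\ERDNT\cache\wininet.dll | c:\windows\system32\wininet.dll
c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe | c:\windows\explorer.exe
"""


def parse_cfscript(text):
    """Return {section_name: [entry, ...]}; a 'Name::' line opens a section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections


def fcopy_pairs(sections):
    """Split each FCopy entry 'backup | live target' into a (src, dst) tuple."""
    pairs = []
    for entry in sections.get("FCopy", []):
        src, sep, dst = entry.partition("|")
        if not sep or not src.strip() or not dst.strip():
            raise ValueError(f"malformed FCopy entry: {entry!r}")
        pairs.append((src.strip(), dst.strip()))
    return pairs


def to_local(root, winpath):
    """Map a Windows path such as c:\\windows\\x onto root/c/windows/x (demo only)."""
    drive, _, rest = winpath.partition(":")
    parts = [p for p in rest.split("\\") if p]
    return os.path.join(root, drive.lower(), *parts)


def sha256_of(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fcopy_dry_run(pairs, root):
    """Report, per live target, whether the backup would change it. Copies nothing."""
    report = {}
    for src, dst in pairs:
        backup, live = to_local(root, src), to_local(root, dst)
        if not os.path.isfile(backup):
            report[dst] = "backup-missing"
        elif not os.path.isfile(live):
            report[dst] = "target-missing"
        elif sha256_of(backup) == sha256_of(live):
            report[dst] = "identical"
        else:
            report[dst] = "differs"
    return report


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed tree under a temp dir: every backup is present, and the
    live wininet.dll is given different bytes to stand in for a modified file."""
    pairs = fcopy_pairs(parse_cfscript(CFSCRIPT))
    root = tempfile.mkdtemp(prefix="cfscript-demo-")
    try:
        for src, dst in pairs:
            name = dst.rsplit("\\", 1)[-1]
            clean = b"constructed clean copy of " + name.encode()
            _write(to_local(root, src), clean)
            live = b"constructed modified " + name.encode() if name == "wininet.dll" else clean
            _write(to_local(root, dst), live)
        return fcopy_dry_run(pairs, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for target, status in demo().items():
        print(f"{status:15} {target}")
```

Running the block prints one status per live target (`differs` for wininet.dll, `identical` for the other three in the constructed tree). The point of hashing before copying is that FCopy overwrites unconditionally; a dry run like this shows which of the four files is really out of step with its cached copy, which is the information you would want to keep alongside the ComboFix log.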


#11 Montar

Montar
  • Topic Starter

  • Members
  • 26 posts

Posted 26 December 2009 - 07:40 AM

About CPU usage: I installed Process Explorer (following the BleepingComputer tutorial) and found this (I'm not really sure, but I'll post it...):

System:4 (PID 4) uses about 10-12% CPU every 2 secs.
The thread that uses this CPU amount is: TID 440 - USBPORT.SYS+0x5e96
(it refers to USB 1.1 & 2.0 Port Driver 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158))

Stack for thread 440:
0 ntoskrnl.exe!ZwAssignProcessToJobObject+0x15
1 ntoskrnl.exe!KeQueryRuntimeThread+0x5e8
2 ntoskrnl.exe!CcPurgeCacheSection+0x240
3 USBPORT.SYS+0x5ed2
4 ntoskrnl.exe!RtlFreeHeap+0x211
5 ntoskrnl.exe!IoAllocateMdl+0x68

Now the logs:


ComboFix 09-12-22.09 - Fabio 26/12/2009 11.29.54.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1015.342 [GMT 1:00]
Eseguito da: c:\documents and settings\Fabio\Desktop\Combo-Fix.exe
Opzioni usate :: c:\documents and settings\Fabio\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ERDNT\cache\wuauclt.exe --> c:\windows\system32\wuauclt.exe
c:\windows\ERDNT\cache\mshtml.dll --> c:\windows\system32\mshtml.dll
c:\windows\ERDNT\cache\wininet.dll --> c:\windows\system32\wininet.dll
c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Creati Da 2009-11-26 al 2009-12-26 )))))))))))))))))))))))))))))))))))
.

2009-12-26 10:36 . 2009-12-26 10:36 -------- d-----w- c:\temp\WPDNSE
2009-12-26 09:58 . 2009-12-26 10:17 -------- d-----w- c:\temp\plugtmp
2009-12-25 23:33 . 2009-12-25 23:33 -------- d-----w- c:\temp\BTN%Copy%1
2009-12-25 22:48 . 2009-12-25 22:48 -------- d-sh--w- c:\documents and settings\Fabio\IECompatCache
2009-12-25 22:35 . 2009-12-25 22:36 -------- d-----w- c:\programmi\Process Explorer
2009-12-25 18:45 . 2009-12-25 18:45 -------- d-----w- c:\temp\nro.log
2009-12-22 10:40 . 2009-12-20 16:21 3776280 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\setup.exe
2009-12-22 10:40 . 2009-12-20 16:21 4043032 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgui.exe
2009-12-22 10:40 . 2009-12-20 16:21 916248 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcfgx.dll
2009-12-22 10:40 . 2009-12-20 16:21 3967256 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgcorex.dll
2009-12-21 22:26 . 2009-12-21 22:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-21 22:25 . 2009-12-21 22:25 -------- d-sh--w- c:\documents and settings\Fabio\IETldCache
2009-12-21 22:23 . 2009-12-21 22:23 -------- d-----w- c:\windows\ie8updates
2009-12-21 22:21 . 2009-12-21 22:21 -------- dc-h--w- c:\windows\ie8
2009-12-21 22:17 . 2009-10-29 07:40 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 22:17 . 2009-10-29 07:40 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 22:16 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-21 22:07 . 2009-12-21 22:07 -------- d-----w- c:\windows\ServicePackFiles
2009-12-21 22:02 . 2004-08-19 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-21 20:58 . 2009-12-21 20:58 -------- d-----w- c:\programmi\ERUNT
2009-12-20 20:59 . 2009-12-20 21:04 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-12-20 20:59 . 2009-12-20 21:02 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-12-20 17:22 . 2009-12-20 17:22 294656 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avglngx.dll
2009-12-20 17:22 . 2009-12-20 16:21 2352920 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgresf.dll
2009-12-20 16:22 . 2009-12-20 16:22 -------- d-----w- C:\$AVG
2009-12-20 16:21 . 2009-12-20 16:21 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-20 16:21 . 2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-20 16:21 . 2009-12-20 16:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-20 16:21 . 2009-12-20 16:21 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-20 16:21 . 2009-12-25 22:23 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\programmi\AVG
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 19:09 . 2009-12-19 19:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-12-19 19:09 . 2009-12-19 20:04 -------- d-----w- c:\programmi\Malwarebytes
2009-12-19 19:09 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 18:46 . 2009-11-02 19:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 18:11 . 2009-12-25 17:47 -------- d-----w- c:\programmi\Windows Live Safety Center
2009-12-19 16:33 . 2009-12-19 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-19 16:07 . 2009-12-23 16:53 52224 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-18 15:58 . 2009-12-23 16:53 117760 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:58 . 2009-12-19 15:51 -------- d-----w- c:\programmi\SUPERAntiSpyware
2009-12-18 15:58 . 2009-12-18 15:58 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\SUPERAntiSpyware.com
2009-12-18 15:57 . 2009-12-18 15:57 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-12-15 18:58 . 2008-09-17 19:39 139264 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird\Profiles\m5jhglnr.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2009-12-09 20:36 . 2009-12-09 20:36 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\File Renamer Basic
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\programmi\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\Xenocode
2009-12-09 20:29 . 2009-12-09 20:29 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Kristanix Software
2009-12-04 11:07 . 2009-12-04 11:07 -------- d-----w- c:\programmi\Widget vodafone.it
2009-12-01 20:08 . 2009-12-01 20:08 -------- d-----w- c:\programmi\Common Files
2009-12-01 20:08 . 2009-02-11 07:47 2532344 ----a-w- c:\windows\system32\madiousb.dll
2009-12-01 20:08 . 2009-02-11 07:47 156552 ----a-w- c:\windows\system32\drivers\mausbft.sys
2009-12-01 20:08 . 2009-02-11 07:48 480264 ------w- c:\windows\system32\M-AudioTaskBarIcon.exe
2009-12-01 20:08 . 2009-02-11 07:47 32776 ----a-w- c:\windows\system32\mausbasio.dll
2009-11-29 21:31 . 2009-11-29 21:32 -------- d-----w- c:\programmi\JDownloader_portable

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 09:56 . 2008-04-24 09:23 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-12-25 23:33 . 2008-11-18 20:34 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\foobar2000
2009-12-25 22:24 . 2009-07-08 20:12 -------- d-----w- c:\programmi\Mozilla Thunderbird
2009-12-25 22:22 . 2009-07-07 19:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\uTorrent
2009-12-25 22:21 . 2007-06-06 17:17 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Skype
2009-12-25 20:01 . 2009-07-07 19:59 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\skypePM
2009-12-25 19:38 . 2009-09-30 18:53 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\vlc
2009-12-24 09:36 . 2009-07-07 19:16 -------- d-----w- c:\programmi\uTorrent
2009-12-23 14:47 . 2004-08-19 12:00 85198 ----a-w- c:\windows\system32\perfc010.dat
2009-12-23 14:47 . 2004-08-19 12:00 492552 ----a-w- c:\windows\system32\perfh010.dat
2009-12-23 09:53 . 2007-07-22 12:17 -------- d-----w- c:\programmi\Vista Inspirat 2
2009-12-21 21:34 . 2005-10-19 13:35 874240 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-12-21 21:30 . 2009-12-21 21:30 874240 ----a-w- c:\windows\system32\drivers\iastor.tsk
2009-12-21 21:30 . 2009-05-03 20:04 -------- d-----w- c:\programmi\PowerArchiver
2009-12-20 15:57 . 2007-06-06 17:50 150120 ----a-w- c:\documents and settings\Fabio\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-20 13:35 . 2009-10-17 19:13 -------- d-----w- c:\programmi\Unlocker
2009-12-20 12:18 . 2007-06-06 18:02 -------- d-----w- c:\programmi\FastStone Image Viewer
2009-12-18 19:36 . 2007-02-26 19:28 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-12-15 21:08 . 2007-11-02 18:01 -------- d-----w- c:\programmi\GGL
2009-12-15 20:34 . 2009-07-08 20:22 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\Thunderbird
2009-12-10 19:26 . 2009-07-25 12:38 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2009-12-10 19:26 . 2009-09-01 14:58 38784 ----a-w- c:\documents and settings\Default User\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-10 19:26 . 2009-07-25 12:38 38784 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 112290 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2009-12-09 20:36 . 2009-04-04 17:11 -------- d-----w- c:\programmi\File Renamer
2009-12-04 11:05 . 2009-09-01 15:10 -------- d-----w- c:\programmi\Widget Vodafone
2009-12-01 20:08 . 2007-06-06 16:08 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-12-01 20:08 . 2007-10-08 18:49 -------- d-----w- c:\programmi\M-Audio
2009-11-21 23:10 . 2009-11-21 23:10 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 16:38 . 2004-08-19 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 18:25 . 2009-11-08 14:17 -------- d-----w- c:\programmi\Telltale Games
2009-11-14 18:03 . 2009-11-14 18:03 -------- d-----w- c:\programmi\Real Alternative
2009-11-06 20:09 . 2009-11-06 20:03 -------- d-----w- c:\programmi\Debugging Tools for Windows (x86)
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-11-02 19:53 . 2008-10-11 07:44 2516 --sha-w- c:\documents and settings\All Users\Dati applicazioni\KGyGaAvL.sys
2009-10-29 07:40 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 21:21 . 2009-10-28 21:21 -------- d-----w- c:\documents and settings\Fabio\Dati applicazioni\GuitarScalesV2.0B5C8B79A3CD562BA8F498C43C64CF1A50D3A5C9.1
2009-10-28 21:10 . 2009-10-28 21:10 -------- d-----w- c:\programmi\GuitarScalesV2
2009-10-21 06:00 . 2004-08-19 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-19 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 18:29 . 2009-10-20 18:29 152576 ----a-w- c:\documents and settings\Fabio\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 14:58 . 2008-08-14 09:55 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 18:55 . 2007-04-13 14:40 10 ----a-w- c:\windows\popcinfo.dat
2009-10-13 10:51 . 2004-08-19 12:00 267776 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:51 . 2004-08-19 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:51 . 2004-08-19 12:00 112640 ----a-w- c:\windows\system32\rastls.dll
2009-10-02 18:32 . 2009-10-02 18:32 3638 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_575918af.exe
2009-10-02 18:32 . 2009-10-02 18:32 1078 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_57566eb2.exe
2009-10-02 18:32 . 2009-10-02 18:32 10134 ----a-r- c:\documents and settings\Fabio\Dati applicazioni\Microsoft\Installer\{A725C340-77EE-11D6-BBC2-0000CB591583}\_1d527b86.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\programmi\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"QlbCtrl"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"VirtualCloneDrive"="c:\programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SynTPStart"="c:\programmi\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-20 2033432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\programmi\File comuni\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\Fabio\Menu Avvio\Programmi\Esecuzione automatica\
Stardock ObjectDock.lnk - c:\programmi\Stardock\ObjectDock\ObjectDock.exe [2009-7-25 3581680]
TransBar.lnk - c:\programmi\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
Y'z Shadow.lnk - c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-5-21 155648]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-2-27 581693]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-20 16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Autodesk\\Chaos Group\\V-Ray\\vrlserver.exe"=
"c:\\Programmi\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\server.exe"=
"c:\\Programmi\\uTorrent\\utorrent.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\JDownloader_portable\\CommonFiles\\Java\\bin\\javaw.exe"=
"c:\\Programmi\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Programmi\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:192.168.0.100/255.255.255.255:Enabled:@xpsp2res.dll,-22004
"9783:TCP"= 9783:TCP:*:Disabled:hocnus

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/12/2009 17.21.51 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/12/2009 17.21.58 360584]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16.26.58 9968]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16.26.56 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\programmi\AVG\AVG9\avgemc.exe [20/12/2009 17.21.20 906520]
R2 avg9wd;AVG Free WatchDog;c:\programmi\AVG\AVG9\avgwdsvc.exe [20/12/2009 17.21.13 285392]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [06/06/2007 17.08.28 88192]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [01/12/2009 21.08.35 156552]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16.27.00 7408]
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = msproxy.elsag.it:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
Trusted Zone: microsoft.com\windowsupdate
DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} - hxxp://www.vincolimap.it/ecwplugins/ncs.cab
FF - ProfilePath - c:\documents and settings\Fabio\Dati applicazioni\Mozilla\Firefox\Profiles\trxah4bk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (it)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - component: c:\programmi\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"="system32\Drivers\iastor.tsk"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1425521274-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,6f,a9,9b,20,e2,ea,3a,3f,f8,b0,31,26,d1,d7,ee,07,6a,9f,3f,61,
b2,b1,26,81,97,33,17,da,23,62,ad,76,22,de,a8,8a,e6,54,23,9f,0b,73,27,9d,6c,\
"rkeysecu"=hex:8c,6f,42,83,04,60,9e,22,4d,56,8b,2c,fd,1b,ff,cc
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3900)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\programmi\Stardock\ObjectDock\DockShellHook.dll
c:\programmi\Vista Inspirat 2\YzShadow\YzShadow.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\AVG\AVG9\avgchsvx.exe
c:\programmi\AVG\AVG9\avgrsx.exe
c:\programmi\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\agrsmsvc.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\windows\system32\DRIVERS\CDANTSRV.EXE
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\programmi\File comuni\Protexis\License Service\PsiService_2.exe
c:\programmi\AVG\AVG9\avgnsx.exe
c:\programmi\Hewlett-Packard\Shared\hpqwmiex.exe
c:\programmi\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
.
**************************************************************************
.
Ora fine scansione: 2009-12-26 11:42:11 - Il pc č stato riavviato
ComboFix-quarantined-files.txt 2009-12-26 10:42

Pre-Run: 30.368.710.656 byte disponibili
Post-Run: 30.314.246.144 byte disponibili

- - End Of File - - 432BA963B8B8B35B08E7739C7366C5BB

===================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.05.56, on 26/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\AVG\AVG9\avgchsvx.exe
C:\Programmi\AVG\AVG9\avgrsx.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Programmi\AVG\AVG9\avgwdsvc.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\IoctlSvc.exe
c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\AVG\AVG9\avgnsx.exe
C:\Programmi\AVG\AVG9\avgemc.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Programmi\Rainlendar2\Rainlendar2.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Fabio\Documenti\Davide\Antivirus\System report\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.elsag.it:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Programmi\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Programmi\Rainlendar2\Rainlendar2.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Programmi\File comuni\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 11.5.0.1145 (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: TransBar.lnk = C:\Programmi\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: Y'z Shadow.lnk = C:\Programmi\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247305945687
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247305930406
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcDcToday.ocx
O16 - DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
O16 - DPF: {D147430C-86CD-4E6F-A807-93FBC496D201} (NCSLayeredView Class) - http://www.vincolimap.it/ecwplugins/ncs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcPreview.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Programmi\File comuni\Protexis\License Service\PsiService_2.exe

--
End of file - 9004 bytes

Once again TNX and please take your time to reply. There's no hurry! You've been soooo kind

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 26 December 2009 - 08:48 AM

Since you have Process Explorer.. Let's do below..
  • Doubleclick procexp.exe and click on File >> Save As
  • Save it as Procexp.txt in your Desktop..
  • Attach Procexp.txt here in your next reply..
Err.. How's the computer now? :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 Montar

Montar
  • Topic Starter

  • Members
  • 26 posts

Posted 26 December 2009 - 09:05 AM

the computer is fine... a little bit slow on start up but I think it's AVG.
The browser hasn't been redirected for days now and everything looks "safe".
I've read about the USBSYS.exe and I've noticed it's a very common problem.
I think I'll try a 3rd party driver for usb port if I find a good one.
So for now everything is quite fine.




#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 26 December 2009 - 11:16 AM

Looks good to me.. Lets do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :(



Have a safe and happy computing day!


Regards
fenzodahl512



#15 Montar

Montar
  • Topic Starter

  • Members
  • 26 posts

Posted 27 December 2009 - 06:37 AM

So many thanks. As posted before everything looks safe now.
Just one question: I'm still having some doubleclick.net cookies in my FF session (blocked now by NoScript and Adblock Plus); is it normal?
If it's normal please close this thread..... :-)
TNX for your time and patience
You did a really great work!



