ZeroAcces Rootkit

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 7.0.6000.17106
Run by Paolo at 10:28:27 on 2012-11-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1014.582 [GMT 1:00]
.
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*
.
============== Running Processes ================
.
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Programmi\Acer\Acer eRecovery Management\NotificationLauncher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\Programmi\Acer\Acer VCM\AcerVCM.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\Paolo\IMPOST~1\Temp\RtkBtMnt.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - <orphaned>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Guida per l'accesso a Windows Live: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - <orphaned>
BHO: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\programmi\yontoo layers runtime\YontooIEClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [ProductReg] c:\programmi\acer\wr_popup\ProductReg.exe
mRun: [IAAnotif] c:\programmi\intel\intel matrix storage manager\iaanotif.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\programmi\realtek\audio\drivers\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [NotificationCenterLauncher] c:\programmi\acer\acer erecovery management\NotificationLauncher.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\fileco~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\acervc~1.lnk - c:\programmi\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\bttray.lnk - c:\programmi\widcomm\bluetooth software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Invia a Bluetooth - c:\programmi\widcomm\bluetooth software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\programmi\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\programmi\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\programmi\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
TCP: NameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{E7FDCBCC-7A16-4DDE-8389-66DF192EFCF4} : DHCPNameServer = 62.101.93.101 83.103.25.250
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\programmi\acer\acer vcm\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMScheduler;MBAMScheduler;c:\programmi\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-14 399432]
R2 MBAMService;MBAMService;c:\programmi\malwarebytes' anti-malware\mbamservice.exe [2012-11-14 676936]
R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-3-28 145408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-11-14 22856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-1-16 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-14 09:28:35 -------- d-----w- c:\documents and settings\paolo\dati applicazioni\Malwarebytes
2012-11-14 09:28:27 -------- d-----w- c:\documents and settings\all users\dati applicazioni\Malwarebytes
2012-11-14 09:28:25 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-14 09:28:25 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2012-11-13 19:29:44 -------- d-s---w- C:\ComboFix
2012-11-13 18:52:48 98816 ----a-w- c:\windows\sed.exe
2012-11-13 18:52:48 256000 ----a-w- c:\windows\PEV.exe
2012-11-13 18:52:48 208896 ----a-w- c:\windows\MBR.exe
2012-11-13 18:24:35 -------- d-----w- c:\documents and settings\paolo\dati applicazioni\ParetoLogic
2012-11-13 18:24:35 -------- d-----w- c:\documents and settings\paolo\dati applicazioni\DriverCure
2012-11-13 18:24:27 -------- d-----w- c:\programmi\file comuni\ParetoLogic
2012-11-13 18:24:24 -------- d-----w- c:\programmi\ParetoLogic
2012-11-13 18:24:24 -------- d-----w- c:\documents and settings\all users\dati applicazioni\ParetoLogic
2012-11-13 18:08:26 -------- d-----w- c:\documents and settings\paolo\impostazioni locali\dati applicazioni\Avg2013
2012-11-12 22:29:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-12 17:09:48 -------- d-----w- c:\documents and settings\paolo\dati applicazioni\TuneUp Software
2012-11-12 16:57:57 -------- d--h--w- c:\documents and settings\all users\dati applicazioni\Common Files
2012-11-12 16:57:57 -------- d-----w- c:\documents and settings\paolo\impostazioni locali\dati applicazioni\MFAData
2012-11-12 16:57:57 -------- d-----w- c:\documents and settings\all users\dati applicazioni\MFAData
.
==================== Find3M ====================
.
2012-11-12 16:42:35 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-10-14 18:17:04 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-14 18:17:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 10.29.22,67 ===============

Thanks for your help,my previous topic was this one http://www.bleepingcomputer.com/forums/topic475029.html,maybe the info there could help

Ciao Paolo and on Bleeping Computer.

I will be helping with your computer problems.

Before to start please note the following:

• If you have since resolved the original problem you were having, we would appreciate you letting us know
• Do not make any changes on your own to the computer (installing/uninstall programs, deleting files, modifying the registry, running scanners or other tools, etc.) without instructions to do it
• Please read every post completely and perform all steps in the specified order. If you can't understand something or you encounter problems please stop and let me know
• Do not attach logs, use code or quote boxes. Just copy and paste the text unless directed otherwise
• Even if things appear to be better, it does not mean we have finished. Follow my instructions and reply back until I tell you that your computer is clean.
• Please reply using the Add Reply button in the lower right hand corner of your screen
• Please track this topic by clicking on the Watch Topic button on the top right on this tread => select Immediate Email Notification => click on Proceed button

I'm analyzing your logs, I will get back to you as soon as possible.


Regards

Hello Paolo .

From your clean computer please download AdwCleaner by Xplode and ComboFix by sUBs, then copy them on a USB Drive.
Now please boot your sick computer in Normal Mode, plug the USB drive into it and paste on your desktop the AdwCleaner and the Combofix applications, then:

1- Run AdwCleaner

• Close all open programs and internet browsers
• Double click on AdwCleaner icon to run the tool
• Click on Delete
• Confirm each time with Ok
• You will be prompted to restart your computer; a text file will open after the restart
• Close it and quit AdwCleaner

2- Run Combofix

• Close/disable all anti-virus and anti-malware programs. Refer to this page if you are not sure how
• Close any open windows
• Double click on ComboFix.exe and follow the prompts
• When ComboFix asks for installing the Recovery Console, click on the No button to start the scan
• During the scan leave your sick computer alone and do not mouseclick combofix's window, it may cause it to stall
• If ComboFix asks to restart your computer, allow it to do so
• When finished, it will produce and display a report; close it

When done, copy the C:\ComboFix.txt and the C:\AdwCleaner[S1].txt files from the sick computer to the USB Drive, plug the USB drive in your clean computer and post their contents in your next reply.


Regards

ComboFix 12-11-16.02 - Paolo 19/11/2012 18.17.50.1.2 - x86
Eseguito da: C:\Documents and Settings\Paolo\Desktop\ComboFix.exe
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!


((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dds_trash_log.cmd
C:\WINDOWS\system32\SET66.tmp
C:\WINDOWS\system32\SET6A.tmp
C:\WINDOWS\system32\SET72.tmp

C:\WINDOWS\system32\drivers\ipsec.sys was missing
ipristinata copia da - C:\WINDOWS\system32\dllcache\ipsec.sys


((((((((((((((((((((((((( Files Creati Da 2012-10-19 al 2012-11-19 )))))))))))))))))))))))))))))))))))


2012-11-19 17:24:19 . 2008-04-14 12:00:00 75264 -c--a-w- C:\WINDOWS\system32\dllcache\ipsec.sys
2012-11-19 17:24:19 . 2008-04-14 12:00:00 75264 ----a-w- C:\WINDOWS\system32\drivers\ipsec.sys
2012-11-14 09:28:27 . 2012-11-14 09:28:27 -------- d-----w- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2012-11-14 09:28:25 . 2012-11-14 09:28:28 -------- d-----w- C:\Programmi\Malwarebytes' Anti-Malware
2012-11-14 09:28:25 . 2012-09-29 18:54:26 22856 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-11-13 18:24:27 . 2012-11-13 18:24:27 -------- d-----w- C:\Programmi\File comuni\ParetoLogic
2012-11-13 18:24:24 . 2012-11-13 18:24:27 -------- d-----w- C:\Documents and Settings\All Users\Dati applicazioni\ParetoLogic
2012-11-13 18:24:24 . 2012-11-13 18:24:24 -------- d-----w- C:\Programmi\ParetoLogic
2012-11-12 22:29:54 . 2012-11-12 22:29:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-12 16:57:57 . 2012-11-13 18:08:49 -------- d-----w- C:\Documents and Settings\All Users\Dati applicazioni\MFAData
2012-11-12 16:57:57 . 2012-11-12 16:57:57 -------- d--h--w- C:\Documents and Settings\All Users\Dati applicazioni\Common Files
2012-11-12 16:54:08 . 2012-11-15 09:26:28 -------- d-----w- C:\Documents and Settings\Paolo
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

2012-10-14 18:17:04 . 2012-05-22 14:47:04 696760 ----a-w- C:\WINDOWS\system32\FlashPlayerApp.exe
2012-10-14 18:17:03 . 2012-05-22 14:47:04 73656 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl


((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))


*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"="C:\Programmi\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 08:47:56 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 16:54:40 178712]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-26 08:20:48 18081280]
"AzMixerSel"="C:\Programmi\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 10:45:50 53248]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 01:00:20 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 01:00:04 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 01:00:14 137752]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 02:32:16 1430824]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2008-12-30 07:09:52 875016]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 01:38:00 34672]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 12:00:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 12:00:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 12:00:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 12:00:00 455168]
"NotificationCenterLauncher"="C:\Programmi\Acer\Acer eRecovery Management\NotificationLauncher.exe" [2008-12-22 11:00:40 225280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 12:00:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 03:13:08 434080]

C:\Documents and Settings\bea\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer VCM.lnk - C:\Programmi\Acer\Acer VCM\AcerVCM.exe [2009-1-16 565248]
BTTray.lnk - C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2007-11-1 576104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Acer\\Acer VCM\\VC.exe"=
"C:\\Documents and Settings\\bea\\Impostazioni locali\\Dati applicazioni\\Google\\Chrome\\Application\\chrome.exe"=

R2 MBAMScheduler;MBAMScheduler;C:\Programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe [14/11/2012 10.28.26 399432]
R2 MBAMService;MBAMService;C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe [14/11/2012 10.28.26 676936]
R3 M3000Srv;WebCam Driver;C:\WINDOWS\system32\drivers\M3000KNT.sys [28/03/2009 1.38.36 145408]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [14/11/2012 10.28.25 22856]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\WINDOWS\system32\drivers\RTS5121.sys [16/01/2009 2.33.02 160256]
S3 Rts516xIR;Realtek IR Driver;C:\WINDOWS\system32\DRIVERS\Rts516xIR.sys --> C:\WINDOWS\system32\DRIVERS\Rts516xIR.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATIVTUTW

Contenuto della cartella 'Scheduled Tasks'

2012-11-15 C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-22 14:47:07 . 2012-10-14 18:17:07]

2012-11-19 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Programmi\Google\Update\GoogleUpdate.exe [2010-03-22 20:43:57 . 2010-03-22 20:43:50]

2012-11-15 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Programmi\Google\Update\GoogleUpdate.exe [2010-03-22 20:43:57 . 2010-03-22 20:43:50]

2012-11-12 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1157166300-2014835873-67682326-1005Core.job
- C:\Documents and Settings\bea\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-11 14:02:52 . 2010-03-22 20:53:08]

2012-11-15 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1157166300-2014835873-67682326-1005UA.job
- C:\Documents and Settings\bea\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-11 14:02:52 . 2010-03-22 20:53:08]

2012-11-19 C:\WINDOWS\Tasks\ParetoLogic Registration3.job
- C:\Programmi\File comuni\ParetoLogic\UUS3\UUS3.dll [2011-04-06 15:53:08 . 2011-04-06 15:53:08]

2012-11-13 C:\WINDOWS\Tasks\ParetoLogic Update Version3.job
- C:\Programmi\File comuni\ParetoLogic\UUS3\Pareto_Update3.exe [2011-04-06 15:53:06 . 2011-04-06 15:53:06]

2012-11-13 C:\WINDOWS\Tasks\PC Health Advisor Defrag.job
- C:\Programmi\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17:48 . 2011-03-29 23:17:48]

2012-11-13 C:\WINDOWS\Tasks\PC Health Advisor.job
- C:\Programmi\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17:48 . 2011-03-29 23:17:48]


------- Scansione supplementare -------

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
IE: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 62.101.93.101 83.103.25.250

- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-40352117.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-AssaultCube_v1.1.0.4 - C:\Programmi\AssaultCube_v1.1.0.4\uninstall.exe
AddRemove-Microsoft Visual Basic 2010 Express - ENU - c:\Programmi\Microsoft Visual Studio 10.0\Microsoft Visual Basic 2010 Express - ENU\setup.exe


# AdwCleaner v2.008 - Logfile creato il 19/11/2012 alle 17:56:46
# Aggiornamento 17/11/2012 by Xplode
# Sistema Operativo : Microsoft Windows XP Service Pack 3 (32 bits)
# Utente : Paolo - BEATRICE
# Modalit‡ Avvio : Modalit‡ Normale
# Eseguito da : C:\Documents and Settings\Paolo\Desktop\AdwCleaner.exe
# Opzioni [Elimina]


***** [Servizi] *****


***** [File / Cartelle] *****

Cartella Eliminato : C:\Documents and Settings\All Users\Dati applicazioni\Tarma Installer
Cartella Eliminato : C:\Programmi\Yontoo Layers Runtime

***** [Registro] *****

Chiave Eliminata : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Chiave Eliminata : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Chiave Eliminata : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Chiave Eliminata : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Chiave Eliminata : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Chiave Eliminata : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Chiave Eliminata : HKLM\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Chiave Eliminata : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Chiave Eliminata : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Chiave Eliminata : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Chiave Eliminata : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Chiave Eliminata : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Chiave Eliminata : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Chiave Eliminata : HKLM\SOFTWARE\Classes\YontooIEClient.Layers
Chiave Eliminata : HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1
Chiave Eliminata : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Chiave Eliminata : HKLM\Software\Tarma Installer

***** [Browser Internet] *****

-\\ Internet Explorer v7.0.5730.13

[OK] Registro Pulito.

*************************

AdwCleaner[S1].txt - [2579 octets] - [19/11/2012 17:56:46]

########## EOF - C:\AdwCleaner[S1].txt - [2639 octets] ##########


thanks,now internet works ^^ anyway,if we have finished here,can i ask u a suggestion for a good free antivrus? i don't want to get those virus again ;)

Hello Paolo ,

the Combofix log seems incomplete.
Could you past the entire contents of this log in your next reply?

In the meantime please refrain to connect that machine to the internet.
ZA has backdoor functionality, and this allows crackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
In case you discover that your sensitive information were stolen, you should contact the Polizia Postale.

Notice that your PC may be compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.
Please read these for more information:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
• When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Please let me know what you decide to do.

About your question on the AntiVirus, the question is a little bit more complex than it may seem.
A good Antivirus certainly may help to avoid malware infections, but there are some other things to do in order to hardening your machine.
At the end of the topic I'll give you some tips about this.


Regards

This is the complete log

ComboFix 12-11-16.02 - Paolo 19/11/2012 18.17.50.1.2 - x86
Eseguito da: C:\Documents and Settings\Paolo\Desktop\ComboFix.exe
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!


((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dds_trash_log.cmd
C:\WINDOWS\system32\SET66.tmp
C:\WINDOWS\system32\SET6A.tmp
C:\WINDOWS\system32\SET72.tmp

C:\WINDOWS\system32\drivers\ipsec.sys was missing
ipristinata copia da - C:\WINDOWS\system32\dllcache\ipsec.sys


((((((((((((((((((((((((( Files Creati Da 2012-10-19 al 2012-11-19 )))))))))))))))))))))))))))))))))))


2012-11-19 17:24:19 . 2008-04-14 12:00:00 75264 -c--a-w- C:\WINDOWS\system32\dllcache\ipsec.sys
2012-11-19 17:24:19 . 2008-04-14 12:00:00 75264 ----a-w- C:\WINDOWS\system32\drivers\ipsec.sys
2012-11-14 09:28:27 . 2012-11-14 09:28:27 -------- d-----w- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2012-11-14 09:28:25 . 2012-11-14 09:28:28 -------- d-----w- C:\Programmi\Malwarebytes' Anti-Malware
2012-11-14 09:28:25 . 2012-09-29 18:54:26 22856 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-11-13 18:24:27 . 2012-11-13 18:24:27 -------- d-----w- C:\Programmi\File comuni\ParetoLogic
2012-11-13 18:24:24 . 2012-11-13 18:24:27 -------- d-----w- C:\Documents and Settings\All Users\Dati applicazioni\ParetoLogic
2012-11-13 18:24:24 . 2012-11-13 18:24:24 -------- d-----w- C:\Programmi\ParetoLogic
2012-11-12 22:29:54 . 2012-11-12 22:29:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-12 16:57:57 . 2012-11-13 18:08:49 -------- d-----w- C:\Documents and Settings\All Users\Dati applicazioni\MFAData
2012-11-12 16:57:57 . 2012-11-12 16:57:57 -------- d--h--w- C:\Documents and Settings\All Users\Dati applicazioni\Common Files
2012-11-12 16:54:08 . 2012-11-15 09:26:28 -------- d-----w- C:\Documents and Settings\Paolo
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

2012-10-14 18:17:04 . 2012-05-22 14:47:04 696760 ----a-w- C:\WINDOWS\system32\FlashPlayerApp.exe
2012-10-14 18:17:03 . 2012-05-22 14:47:04 73656 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl


((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))


*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"="C:\Programmi\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 08:47:56 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 16:54:40 178712]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-26 08:20:48 18081280]
"AzMixerSel"="C:\Programmi\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 10:45:50 53248]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 01:00:20 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 01:00:04 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 01:00:14 137752]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 02:32:16 1430824]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2008-12-30 07:09:52 875016]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 01:38:00 34672]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 12:00:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 12:00:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 12:00:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 12:00:00 455168]
"NotificationCenterLauncher"="C:\Programmi\Acer\Acer eRecovery Management\NotificationLauncher.exe" [2008-12-22 11:00:40 225280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 12:00:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 03:13:08 434080]

C:\Documents and Settings\bea\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer VCM.lnk - C:\Programmi\Acer\Acer VCM\AcerVCM.exe [2009-1-16 565248]
BTTray.lnk - C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2007-11-1 576104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Acer\\Acer VCM\\VC.exe"=
"C:\\Documents and Settings\\bea\\Impostazioni locali\\Dati applicazioni\\Google\\Chrome\\Application\\chrome.exe"=

R2 MBAMScheduler;MBAMScheduler;C:\Programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe [14/11/2012 10.28.26 399432]
R2 MBAMService;MBAMService;C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe [14/11/2012 10.28.26 676936]
R3 M3000Srv;WebCam Driver;C:\WINDOWS\system32\drivers\M3000KNT.sys [28/03/2009 1.38.36 145408]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [14/11/2012 10.28.25 22856]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\WINDOWS\system32\drivers\RTS5121.sys [16/01/2009 2.33.02 160256]
S3 Rts516xIR;Realtek IR Driver;C:\WINDOWS\system32\DRIVERS\Rts516xIR.sys --> C:\WINDOWS\system32\DRIVERS\Rts516xIR.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATIVTUTW

Contenuto della cartella 'Scheduled Tasks'

2012-11-15 C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-22 14:47:07 . 2012-10-14 18:17:07]

2012-11-19 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Programmi\Google\Update\GoogleUpdate.exe [2010-03-22 20:43:57 . 2010-03-22 20:43:50]

2012-11-15 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Programmi\Google\Update\GoogleUpdate.exe [2010-03-22 20:43:57 . 2010-03-22 20:43:50]

2012-11-12 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1157166300-2014835873-67682326-1005Core.job
- C:\Documents and Settings\bea\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-11 14:02:52 . 2010-03-22 20:53:08]

2012-11-15 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1157166300-2014835873-67682326-1005UA.job
- C:\Documents and Settings\bea\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-11 14:02:52 . 2010-03-22 20:53:08]

2012-11-19 C:\WINDOWS\Tasks\ParetoLogic Registration3.job
- C:\Programmi\File comuni\ParetoLogic\UUS3\UUS3.dll [2011-04-06 15:53:08 . 2011-04-06 15:53:08]

2012-11-13 C:\WINDOWS\Tasks\ParetoLogic Update Version3.job
- C:\Programmi\File comuni\ParetoLogic\UUS3\Pareto_Update3.exe [2011-04-06 15:53:06 . 2011-04-06 15:53:06]

2012-11-13 C:\WINDOWS\Tasks\PC Health Advisor Defrag.job
- C:\Programmi\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17:48 . 2011-03-29 23:17:48]

2012-11-13 C:\WINDOWS\Tasks\PC Health Advisor.job
- C:\Programmi\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17:48 . 2011-03-29 23:17:48]


------- Scansione supplementare -------

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
IE: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 62.101.93.101 83.103.25.250

- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-40352117.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-AssaultCube_v1.1.0.4 - C:\Programmi\AssaultCube_v1.1.0.4\uninstall.exe
AddRemove-Microsoft Visual Basic 2010 Express - ENU - c:\Programmi\Microsoft Visual Studio 10.0\Microsoft Visual Basic 2010 Express - ENU\setup.exe

thank you again for ur help,i hope the situation can be solved as much as possible

Hi Paolo ,

this log appears to be exactly the same that you have already posted.

In your log there should be other sections similar to these after the contents that you have posted

**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-19 19:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ... 
.
scansione entrate autostart nascoste ... 
.
Scansione files nascosti ... 
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-813497703-1202660629-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,ff,56,00,c5,2f,66,42,bf,ed,b9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,05,fa,00,c6,d3,12,c7,4e,b2,72,c6,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,ff,56,00,c5,2f,66,42,bf,ed,b9,\
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Ora fine scansione: 2012-11-19  20:01:16
ComboFix-quarantined-files.txt  2012-11-19 19:01
ComboFix2.txt  2012-11-15 17:59
ComboFix3.txt  2012-11-14 19:05
ComboFix4.txt  2012-11-13 19:40
ComboFix5.txt  2012-11-15 18:02
.
Pre-Run: 4.190.068.736 byte disponibili
Post-Run: 4.212.867.072 byte disponibili
.
- - End Of File - - FE3C7936E29ECA66844E845A5D2807B6

Please check the log and then post it with all sections.


Regards

I'm sure that what i posted is the full content of the log from combofix,what should i have to do?have i to start it again?

Hello Paolo ,

I think is better to run again ComboFix.
This time please be sure to disable the Antivirus.

1- Run Combofix

• Close/disable all anti-virus and anti-malware programs. Refer to this page if you are not sure how
• Close any open windows
• Double click on ComboFix.exe and follow the prompts
• When ComboFix asks for installing the Recovery Console, click on the No button to start the scan
• During the scan leave your sick computer alone and do not mouseclick combofix's window, it may cause it to stall
• If ComboFix asks to restart your computer, allow it to do so
• When finished, it will produce and display a report; close it

When done, from your clean computer please post the contents of the log your next reply.


Regards

i got a problem:when i start combofix it says that this antivirus are active:
avg 2013
mcafee viruscan
immunet 3.0

but actually are not even istalled,i tried to install them weeks ago,but i thought i had unistalled,and they actually can't be find in the computer
what i have to do?
anyway now i'm usigin avast as antivirus,but i disbled it succesfuly

Hello Paolo,

in the previous log there was McAfee installed, now is there Avast?
Please do not make further changes on your own computer without instructions to do it until we have finished here. May be dangerous and it could lengthen the time to solve the problem.

Try to start ComboFix following these instructions:

• Disable all Avast protections
• Click on Start => Esegui.. and type in the blank field "%userprofile%\desktop\ComboFix.exe" /killall
• Click OK

Once done, from your clean computer please post the contents of the latest log in your next reply.
Please let me know about any issues you may encounter.


Regards

i started combofix with that comand but it says the same thing as before
have i to run combofix anyway?

Hello Paolo ,

lets try to use the removers for the AV that you have previously installed.
Please download from your clean computer these applications:

• AVG Remover
• MCPRT
• Immunet Protect Removal Tool

next run them on your sick machine.

If after this ComboFix shows again the warning about the detection of the installed Antivirus, proceed anyway.


Regards

ComboFix 12-11-24.02 - Paolo 25/11/2012 18.53.21.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1014.629 [GMT 1:00]
Eseguito da: c:\documents and settings\Paolo\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Immunet 3.0 *Enabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Services.reg
c:\windows\system32\Desktop_.ini
.
---- Esecuzione precedente -------
.
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\SET66.tmp
c:\windows\system32\SET6A.tmp
c:\windows\system32\SET72.tmp
.
-- Esecuzione precedente --
.
c:\windows\system32\drivers\ipsec.sys was missing
ipristinata copia da - c:\windows\system32\dllcache\ipsec.sys
.
--------
.
.
((((((((((((((((((((((((( Files Creati Da 2012-10-25 al 2012-11-25 )))))))))))))))))))))))))))))))))))
.
.
2012-11-21 19:50 . 2012-11-21 19:53 -------- d-----w- c:\programmi\Microsoft Games
2012-11-21 19:04 . 2012-11-21 19:04 466008 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-11-21 19:04 . 2012-11-21 19:04 -------- d-----w- c:\programmi\DAEMON Tools Lite
2012-11-21 19:03 . 2012-11-21 19:24 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\DAEMON Tools Lite
2012-11-19 23:30 . 2012-11-20 00:28 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\CheckPoint
2012-11-19 23:28 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-11-19 23:28 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-11-19 23:28 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-11-19 23:28 . 2012-10-30 22:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-11-19 23:28 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-11-19 23:28 . 2012-10-30 22:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-11-19 23:28 . 2012-10-30 22:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-11-19 23:28 . 2012-10-30 22:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-11-19 23:27 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
2012-11-19 23:27 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-11-19 23:26 . 2012-11-19 23:26 -------- d-----w- c:\programmi\AVAST Software
2012-11-19 23:26 . 2012-11-19 23:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AVAST Software
2012-11-19 17:45 . 2012-11-19 17:45 -------- d-----w- c:\programmi\Mozilla Maintenance Service
2012-11-19 17:24 . 2008-04-14 12:00 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-11-19 17:24 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-11-14 09:28 . 2012-11-14 09:28 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2012-11-14 09:28 . 2012-11-14 09:28 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2012-11-14 09:28 . 2012-09-29 18:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-13 18:24 . 2012-11-13 18:24 -------- d-----w- c:\programmi\File comuni\ParetoLogic
2012-11-13 18:24 . 2012-11-13 18:24 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\ParetoLogic
2012-11-13 18:24 . 2012-11-13 18:24 -------- d-----w- c:\programmi\ParetoLogic
2012-11-12 22:29 . 2012-11-12 22:29 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-12 16:57 . 2012-11-12 16:57 -------- d--h--w- c:\documents and settings\All Users\Dati applicazioni\Common Files
2012-11-12 16:54 . 2012-11-25 17:50 -------- d-----w- c:\documents and settings\Paolo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-20 00:38 . 2012-05-22 14:47 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-20 00:38 . 2012-05-22 14:47 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 19:56 . 2009-01-16 09:24 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2009-01-16 09:24 58368 ----a-w- c:\windows\system32\synceng.dll
2012-10-24 17:50 . 2012-11-19 17:45 261600 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\programmi\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"="c:\programmi\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 135168]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2012-11-06 3673728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-26 18081280]
"AzMixerSel"="c:\programmi\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NotificationCenterLauncher"="c:\programmi\Acer\Acer eRecovery Management\NotificationLauncher.exe" [2008-12-22 225280]
"avast"="c:\programmi\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\bea\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\programmi\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer VCM.lnk - c:\programmi\Acer\Acer VCM\AcerVCM.exe [2009-1-16 565248]
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2007-11-1 576104]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Acer\\Acer VCM\\VC.exe"=
"c:\\Documents and Settings\\bea\\Impostazioni locali\\Dati applicazioni\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Paolo\\Documenti\\Age of Empires II\\empires2.exe"=
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [20/11/2012 0.28.02 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [20/11/2012 0.28.05 361032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20/11/2012 0.28.05 21256]
R2 MBAMScheduler;MBAMScheduler;c:\programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe [14/11/2012 10.28.26 399432]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [14/11/2012 10.28.26 676936]
R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [28/03/2009 1.38.36 145408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [14/11/2012 10.28.25 22856]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [16/01/2009 2.33.02 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATIVTUTW
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-11-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-22 00:38]
.
2012-11-25 c:\windows\Tasks\avast! Emergency Update.job
- c:\programmi\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-19 22:50]
.
2012-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-03-22 20:43]
.
2012-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-03-22 20:43]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1157166300-2014835873-67682326-1005Core.job
- c:\documents and settings\bea\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-11 20:53]
.
2012-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1157166300-2014835873-67682326-1005UA.job
- c:\documents and settings\bea\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-11 20:53]
.
2012-11-19 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\programmi\File comuni\ParetoLogic\UUS3\UUS3.dll [2011-04-06 15:53]
.
2012-11-13 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\programmi\File comuni\ParetoLogic\UUS3\Pareto_Update3.exe [2011-04-06 15:53]
.
2012-11-13 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\programmi\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2012-11-13 c:\windows\Tasks\PC Health Advisor.job
- c:\programmi\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0310&m=aspire_one
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Paolo\Dati applicazioni\Mozilla\Firefox\Profiles\n5xc7rmk.default\
FF - ExtSQL: 2012-11-20 00:27; wrc@avast.com; c:\programmi\AVAST Software\Avast\WebRep\FF
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
HKLM-Run-ROC_ROC_NT - c:\programmi\AVG Secure Search\ROC_ROC_NT.exe
HKLM-Run-ZoneAlarm Installer - c:\programmi\CheckPoint\Install\Launcher.exe
AddRemove-Age of Empires 2.0 - c:\programmi\Microsoft Games\Age of Empires II\UNINSTAL.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-25 19:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Ora fine scansione: 2012-11-25 19:07:40
ComboFix-quarantined-files.txt 2012-11-25 18:07
.
Pre-Run: 123.239.092.224 byte disponibili
Post-Run: 123.431.624.704 byte disponibili
.
- - End Of File - - 1361FD24A42CD8AD10F496C8B858F95F

Hello Paolo ,

from your latest log I see that Immunet appears still installed.
If so please uninstall it, then follow carefully these steps:

• On your clean computer open notepad
• Copy this code
  
  

  Killall::
  
  RegLock::
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
  
  Reg::
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
  @=-
  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
  @=-

• Paste it into the notepad file
• Save the file as CFScript.txt and close it
• Copy CFScript.txt onto your USB drive
• Boot in Normal Mode your sick computer and disable all Antivirus and security programs
• Plug the USB drive into it
• Copy the CFScript.txt file on your desktop
• Drag CFScript.txt and drop it on the ComboFix icon
  
  
  
• When ComboFix asks for installing the Recovery Console, click on the No button to start the scan
• During the scan leave your sick computer alone and do not mouseclick combofix's window, it may cause it to stall
• If ComboFix asks to restart your computer, allow it to do so.
• When finished, it will produce and display a report. Close it.

When done, copy the C:\ComboFix.txt file from the sick computer to the USB Drive, and from your clean computer post its contents in your next reply.


Regards