
ATAPI.SYS infected by Protector.c


This topic is locked
4 replies to this topic

#1 rimix2 (Members, 3 posts)

Posted 06 December 2009 - 06:54 PM

Hello all,
I'm a new user of this forum. I found here a strong technical background in the folks who help people troubleshoot problems, so I decided to search for some help here. The problem I'm having is similar to the one described in this thread:

http://www.bleepingcomputer.com/forums/t/276226/malware-attack-on-my-computer/

Basically, ANTIVIR started to detect the "protector.c" trojan in the atapi.sys system file 2 days ago. At the beginning I clicked on "deny access", causing a BSOD (solved it with a recovery). Now I'm stuck, since I'm simply clicking on "ignore" 3/4 times each Windows boot.

Following that thread, I collected HJT + OTL + GMER logs following the same instructions; I hope this helps the analysis. I appreciate any help with this issue.

Just one more comment: while scanning with OTL, ANTIVIR detected av_md.exe as infected by some kind of backdoor (HareBot); I had never seen this infection before.

Thanks again
rik

----------- HJT LOGS --------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.18.25, on 06/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe
C:\Programmi\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\av_md.exe
C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
c:\Programmi\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EDS] C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Programmi\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Programmi\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [IntelliPoint] "c:\Programmi\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TM33.tmp
O4 - HKLM\..\Run: [av_md] C:\WINDOWS\system32\av_md.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [av_md] C:\Documents and Settings\riki\av_md.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: siszyd32.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFECF3DC-670B-4378-9A08-5308971ABD39}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Programmi\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 6251 bytes


----------- OTL LOGS --------------

OTL logfile created on: 06/12/2009 23.21.42 - Run 1
OTL by OldTimer - Version 3.1.11.8 Folder = C:\Documents and Settings\riki\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000410 | Country: Italia | Language: ITA | Date Format: dd/MM/yyyy

1,99 Gb Total Physical Memory | 1,51 Gb Available Physical Memory | 75,84% Memory free
3,33 Gb Paging File | 2,92 Gb Available in Paging File | 87,77% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmi
Drive C: | 71,04 Gb Total Space | 13,00 Gb Free Space | 18,30% Space Free | Partition Type: NTFS
Drive D: | 72,00 Gb Total Space | 1,17 Gb Free Space | 1,63% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BARTOLINO
Current User Name: riki
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/06 23.07.03 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\riki\Desktop\OTL.exe
PRC - [2009/12/05 23.05.09 | 00,027,477 | ---- | M] () -- C:\WINDOWS\system32\av_md.exe
PRC - [2009/10/17 18.41.37 | 00,289,072 | ---- | M] (BitTorrent, Inc.) -- C:\Programmi\uTorrent\uTorrent.exe
PRC - [2009/08/25 16.31.51 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Programmi\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/13 20.16.07 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Programmi\Avira\AntiVir Desktop\sched.exe
PRC - [2009/05/28 17.43.32 | 01,468,296 | ---- | M] (Microsoft Corporation) -- C:\Programmi\Microsoft IntelliPoint\ipoint.exe
PRC - [2009/05/28 17.43.30 | 00,448,392 | ---- | M] (Microsoft Corporation) -- c:\Programmi\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2009/03/02 12.08.52 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/10/20 10.32.54 | 02,768,896 | ---- | M] () -- C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
PRC - [2008/10/06 18.07.26 | 00,679,936 | ---- | M] (SAMSUNG Electronics) -- C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2008/09/17 13.25.44 | 00,264,800 | ---- | M] (Broadcom Corporation.) -- C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2008/08/28 19.34.52 | 01,044,480 | ---- | M] (Synaptics, Inc.) -- C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/08/26 21.51.00 | 16,851,456 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/05/21 16.44.30 | 00,299,008 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Programmi\Samsung\MagicKBD\PerformanceManager.exe
PRC - [2008/05/20 20.02.08 | 00,372,736 | ---- | M] (SAMSUNG Electronics Co., Ltd.) -- C:\Programmi\Samsung\MagicKBD\MagicKBD.exe
PRC - [2008/04/14 13.00.00 | 01,036,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 23.00.20 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2008/02/28 23.00.16 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/02/28 23.00.14 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/02/28 23.00.10 | 00,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2008/02/28 23.00.04 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2007/12/20 20.40.30 | 00,659,456 | ---- | M] (Samsung Electronics,.LTD) -- C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe


========== Modules (SafeList) ==========

MOD - [2009/12/06 23.07.03 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\riki\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (aspnet_state)
SRV - [2009/08/25 16.31.51 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Programmi\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/13 20.16.07 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Programmi\Avira\AntiVir Desktop\sched.exe -- (AntiVirScheduler)
SRV - [2008/09/17 13.25.44 | 00,264,800 | ---- | M] (Broadcom Corporation.) -- C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2008/05/13 08.44.00 | 00,077,480 | ---- | M] () -- C:\Programmi\Samsung\Samsung Update Plus\SLUBackgroundService.exe -- (Samsung Update Plus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1197045402-1507316635-2066526949-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?br...N&bmod=SMSN
IE - HKU\S-1-5-21-1197045402-1507316635-2066526949-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1197045402-1507316635-2066526949-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
IE - HKU\S-1-5-21-1197045402-1507316635-2066526949-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1197045402-1507316635-2066526949-1005\S-1-5-21-1197045402-1507316635-2066526949-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.it"
FF - prefs.js..extensions.enabledItems: {403304EE-066A-4a2a-8F41-F12028480A0A}:1.8.51
FF - prefs.js..extensions.enabledItems: {c1dffba0-628e-11d9-9669-0800200c9a66}:3.5.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Programmi\Mozilla Firefox\components [2009/12/03 00.36.03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Programmi\Mozilla Firefox\plugins [2009/11/03 19.30.23 | 00,000,000 | ---D | M]

[2009/06/20 20.23.32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\Mozilla\Extensions
[2009/12/06 15.38.47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\Mozilla\Firefox\Profiles\a05t87qk.default\extensions
[2009/09/14 23.04.48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\Mozilla\Firefox\Profiles\a05t87qk.default\extensions\{403304EE-066A-4a2a-8F41-F12028480A0A}
[2009/07/30 19.52.44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\Mozilla\Firefox\Profiles\a05t87qk.default\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}
[2009/07/24 20.08.39 | 00,000,996 | ---- | M] () -- C:\Documents and Settings\riki\Dati applicazioni\Mozilla\Firefox\Profiles\a05t87qk.default\searchplugins\mininova.xml
[2009/06/20 20.04.14 | 00,000,000 | ---D | M] -- C:\Programmi\Mozilla Firefox\extensions
[2009/07/29 21.05.07 | 00,001,412 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\demauro.xml
[2009/07/29 21.05.07 | 00,000,744 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\eBay-it.xml
[2009/07/29 21.05.07 | 00,001,182 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\wikipedia-it.xml
[2009/07/29 21.05.07 | 00,000,649 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\yahoo-it.xml

O1 HOSTS File: (768 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Supporto di collegamento per Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Guida per l'accesso a Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [av_md] C:\WINDOWS\system32\av_md.exe ()
O4 - HKLM..\Run: [avgnt] C:\Programmi\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BatteryManager] C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe ()
O4 - HKLM..\Run: [DMHotKey] C:\Programmi\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)
O4 - HKLM..\Run: [EDS] C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] c:\Programmi\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MagicKeyboard] C:\Programmi\Samsung\MagicKBD\PreMKbd.exe ()
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [sysgif32] C:\WINDOWS\Temp\~TM33.tmp ()
O4 - HKU\S-1-5-21-1197045402-1507316635-2066526949-1005..\Run: [av_md] C:\Documents and Settings\riki\av_md.exe File not found
O4 - Startup: C:\Documents and Settings\riki\Menu Avvio\Programmi\Esecuzione automatica\siszyd32.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1197045402-1507316635-2066526949-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programmi\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programmi\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programmi\File comuni\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Pagina iniziale corrente) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 16.07.23 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/02/12 16.06.42 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891947461378048)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/06 23.23.35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\riki\Desktop\gmer
[2009/12/06 23.18.00 | 00,000,000 | ---D | C] -- C:\Programmi\Trend Micro
[2009/12/06 23.06.58 | 00,537,088 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\riki\Desktop\OTL.exe
[2009/12/06 22.21.55 | 00,201,288 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/12/06 22.21.55 | 00,117,024 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2009/12/06 22.21.55 | 00,079,304 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/12/06 22.21.55 | 00,040,488 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/12/06 22.21.55 | 00,035,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/12/06 22.21.55 | 00,033,800 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/12/06 13.32.41 | 00,000,000 | ---D | C] -- C:\Programmi\MSXML 4.0
[2009/12/01 22.25.36 | 00,000,000 | ---D | C] -- C:\Programmi\eMule
[2009/11/24 19.26.21 | 00,000,000 | ---D | C] -- C:\Programmi\Microsoft IntelliPoint
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/06 23.18.00 | 00,001,698 | ---- | M] () -- C:\Documents and Settings\riki\Desktop\HijackThis.lnk
[2009/12/06 23.07.03 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\riki\Desktop\OTL.exe
[2009/12/06 22.41.53 | 00,148,768 | ---- | M] () -- C:\WINDOWS\System32\dllcache\atapi.sys
[2009/12/06 22.41.51 | 00,148,768 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2009/12/06 22.39.01 | 00,000,001 | ---- | M] () -- C:\Documents and Settings\riki\oashdihasidhasuidhiasdhiashdiuasdhasd
[2009/12/06 22.38.23 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/06 22.38.19 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/06 22.38.17 | 21,374,44352 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/06 18.27.31 | 03,670,016 | -H-- | M] () -- C:\Documents and Settings\riki\NTUSER.DAT
[2009/12/06 18.27.31 | 00,000,194 | -HS- | M] () -- C:\Documents and Settings\riki\ntuser.ini
[2009/12/05 23.25.05 | 00,077,824 | ---- | M] () -- C:\Documents and Settings\riki\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/05 23.05.09 | 00,027,477 | ---- | M] () -- C:\WINDOWS\System32\av_md.exe
[2009/12/05 23.05.08 | 00,000,140 | ---- | M] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
[2009/12/05 23.05.01 | 00,000,004 | ---- | M] () -- C:\Documents and Settings\riki\Dati applicazioni\avdrn.dat
[2009/12/01 22.25.46 | 00,000,624 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\eMule.lnk
[2009/11/28 17.37.22 | 00,000,779 | ---- | M] () -- C:\Documents and Settings\riki\Desktop\World of Warcraft.lnk
[2009/11/28 12.59.59 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/24 21.27.34 | 00,049,512 | ---- | M] () -- C:\Documents and Settings\riki\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
[2009/11/24 19.31.18 | 00,210,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/24 19.23.28 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/06 23.23.36 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\riki\Desktop\gmer.exe
[2009/12/06 23.18.00 | 00,001,698 | ---- | C] () -- C:\Documents and Settings\riki\Desktop\HijackThis.lnk
[2009/12/06 22.21.55 | 00,148,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2009/12/06 13.30.37 | 00,148,768 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atapi.sys
[2009/12/06 13.26.38 | 00,000,001 | ---- | C] () -- C:\Documents and Settings\riki\oashdihasidhasuidhiasdhiashdiuasdhasd
[2009/12/05 23.05.09 | 00,027,477 | ---- | C] () -- C:\WINDOWS\System32\av_md.exe
[2009/12/05 23.05.08 | 00,000,140 | ---- | C] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
[2009/12/05 23.05.01 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\riki\Dati applicazioni\avdrn.dat
[2009/12/01 22.25.46 | 00,000,624 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\eMule.lnk
[2009/09/01 19.18.00 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/06/21 21.00.08 | 00,077,824 | ---- | C] () -- C:\Documents and Settings\riki\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/20 11.00.47 | 00,001,520 | ---- | C] () -- C:\WINDOWS\System32\riki_KBD.ini
[2009/02/27 18.22.17 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/12 23.48.54 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/02/12 16.19.17 | 00,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2009/02/12 16.19.17 | 00,001,520 | ---- | C] () -- C:\WINDOWS\System32\Proprietario_KBD.ini
[2009/02/12 16.19.15 | 00,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2009/02/12 16.19.15 | 00,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2009/02/12 16.19.15 | 00,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2009/02/12 16.19.15 | 00,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2009/02/12 16.19.15 | 00,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2009/02/12 16.19.15 | 00,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2009/02/12 16.19.15 | 00,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2009/02/12 16.19.15 | 00,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2009/02/12 16.19.15 | 00,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2009/02/12 16.19.15 | 00,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2009/02/12 16.19.15 | 00,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2009/02/12 16.19.15 | 00,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2009/02/12 16.19.15 | 00,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2009/02/12 16.19.15 | 00,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2009/02/12 16.19.15 | 00,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2009/02/12 16.19.15 | 00,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2009/02/12 16.19.15 | 00,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2009/02/12 16.17.07 | 00,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2009/02/12 16.17.07 | 00,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2009/02/12 16.13.47 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/02/12 16.11.19 | 00,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2008/09/17 13.20.08 | 02,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2005/02/17 11.41.32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 11.41.30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 12.56.00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/09/01 19.20.08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dati applicazioni\DAEMON Tools Lite
[2009/02/12 16.14.28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dati applicazioni\WLAN
[2009/09/01 19.24.10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\DAEMON Tools Lite
[2009/06/27 09.56.18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\OpenOffice.org
[2009/07/10 06.41.36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\TeamViewer
[2009/12/06 23.28.49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\riki\Dati applicazioni\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008/04/14 13.00.00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=BD5FEE908FDD9CB09AA3E78111AB1119 -- C:\WINDOWS\system32\eventlog.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
[2008/04/14 13.00.00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=BD5FEE908FDD9CB09AA3E78111AB1119 -- C:\WINDOWS\system32\dllcache\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2008/04/14 13.00.00 | 00,187,904 | ---- | M] (Microsoft Corporation) MD5=034B4B1E882563562B35E1FAB279DEDF -- C:\WINDOWS\system32\scecli.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
[2008/04/14 13.00.00 | 00,187,904 | ---- | M] (Microsoft Corporation) MD5=034B4B1E882563562B35E1FAB279DEDF -- C:\WINDOWS\system32\dllcache\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2008/04/14 13.00.00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=E1DACEE13CAF8E118416399ABD2A08D9 -- C:\WINDOWS\system32\netlogon.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
[2008/04/14 13.00.00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=E1DACEE13CAF8E118416399ABD2A08D9 -- C:\WINDOWS\system32\dllcache\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2009/12/06 22.41.53 | 00,148,768 | ---- | M] () MD5=A63D0D7159B8A2A72DF794DF3F53AD0A -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/06 22.41.51 | 00,148,768 | ---- | M] () MD5=A63D0D7159B8A2A72DF794DF3F53AD0A -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 13.00.00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >
< End of report >

----------- OTL LOGS [EXTRA] --------------

OTL Extras logfile created on: 06/12/2009 23.21.42 - Run 1
OTL by OldTimer - Version 3.1.11.8 Folder = C:\Documents and Settings\riki\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000410 | Country: Italia | Language: ITA | Date Format: dd/MM/yyyy

1,99 Gb Total Physical Memory | 1,51 Gb Available Physical Memory | 75,84% Memory free
3,33 Gb Paging File | 2,92 Gb Available in Paging File | 87,77% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmi
Drive C: | 71,04 Gb Total Space | 13,00 Gb Free Space | 18,30% Space Free | Partition Type: NTFS
Drive D: | 72,00 Gb Total Space | 1,17 Gb Free Space | 1,63% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BARTOLINO
Current User Name: riki
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Programmi\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1197045402-1507316635-2066526949-1005\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Programmi\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Programmi\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Programmi\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Programmi\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Programmi\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Programmi\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Programmi\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programmi\Windows Live\Messenger\wlcsdk.exe" = C:\Programmi\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programmi\Internet Explorer\IEXPLORE.EXE" = C:\Programmi\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Programmi\Windows Live\Messenger\wlcsdk.exe" = C:\Programmi\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Programmi\uTorrent\uTorrent.exe" = C:\Programmi\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Programmi\Skype\Phone\Skype.exe" = C:\Programmi\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution III
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Strumento di caricamento di Windows Live
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}" = Samsung Magic Doctor
"{350C9410-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{43A650AA-D1DC-4C52-8819-D7848B3A08DA}" = OpenOffice.org 3.1
"{49C77D21-F91F-4296-B7DF-19C5FF51AF4D}" = Windows Live Call
"{5AE2BE5E-930A-481C-817E-C373E8910C8A}" = Windows Live Messenger
"{5CBB720F-08E6-4043-B83F-76C277AF6DE7}" = Samsung Wallpaper
"{685707A4-911C-468D-BFC4-64A50E5E3A0C}" = Samsung Update Plus
"{6F695BCF-9BDC-48AB-8D46-D57CFAD7A248}" = Assistente per l'accesso a Windows Live
"{6F730513-8688-4C3C-90A3-6B9792CE2EF3}" = Samsung Battery Manager
"{71A51B59-E7D3-11DB-A386-005056C00008}" = Namuga 1.3M Webcam
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{8E106A57-A17E-431D-B48F-175E42EB9F74}" = imagine digital freedom - Samsung
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A7581D39-EA20-4883-A480-80C21047052B}" = Easy Network Manager
"{ABB14904-A11B-4F42-996C-80FD608A0F17}" = Samsung EDS
"{AC76BA86-7AD7-1040-7B44-A81200000003}" = Adobe Reader 8.1.2 - Italiano
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{BD723E53-A42C-4702-AA04-1D74A0311590}" = Magic Keyboard
"{E171E280-0BAE-4460-9F47-CA96D17828B6}" = Windows Live Essentials
"{EF71A531-5B6C-4B20-8D1E-E6379C7FB6D3}" = Microsoft IntelliPoint 7.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4F41D14-E0DD-4FB4-AA09-A14225C769BD}" = Atheros WLAN Client
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"eMule" = eMule
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{685707A4-911C-468D-BFC4-64A50E5E3A0C}" = Samsung Update Plus
"Machinarium" = Machinarium
"Marvell Miniport Driver" = Marvell Miniport Driver
"Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
"Sam and Max - Season One" = Sam and Max - Season One 1.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeamViewer 4" = TeamViewer 4
"VLC media player" = VLC media player 1.0.2
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR gestione archivi
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1197045402-1507316635-2066526949-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 24/09/2009 16.23.10 | Computer Name = BARTOLINO | Source = Application Hang | ID = 1002
Description = Applicazione in stallo FlashPlayer.exe, versione 0.0.0.0, modulo in
stallo hungapp, versione 0.0.0.0, indirizzo stallo 0x00000000.

Error - 24/09/2009 16.23.14 | Computer Name = BARTOLINO | Source = Application Hang | ID = 1002
Description = Applicazione in stallo FlashPlayer.exe, versione 0.0.0.0, modulo in
stallo hungapp, versione 0.0.0.0, indirizzo stallo 0x00000000.

Error - 24/09/2009 16.40.04 | Computer Name = BARTOLINO | Source = Application Hang | ID = 1002
Description = Applicazione in stallo Adobe Flash CS4.exe, versione 10.0.0.544, modulo
in stallo hungapp, versione 0.0.0.0, indirizzo stallo 0x00000000.

Error - 07/10/2009 12.10.22 | Computer Name = BARTOLINO | Source = Application Error | ID = 1000
Description = Applicazione che ha provocato l'errore vlc.exe, versione 0.9.9.0,
modulo che ha provocato l'errore libvlccore.dll, versione 0.9.9.0, indirizzo errore
0x00074447.

Error - 09/10/2009 14.07.50 | Computer Name = BARTOLINO | Source = crypt32 | ID = 131080
Description = Impossibile eseguire il recupero con aggiornamento automatico del
numero di sequenza dell'elenco principale di altri produttori da:


a causa del seguente errore: The server name or address could not be resolved

Error - 14/10/2009 13.43.52 | Computer Name = BARTOLINO | Source = EventSystem | ID = 4609
Description = Il sistema di gestione degli eventi COM+ ha rilevato un codice restituito
non valido durante l'elaborazione interna. Valore HRESULT 80080005 nella riga 44
di d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Comunicare il problema
al Servizio Supporto Tecnico Clienti Microsof

Error - 14/10/2009 13.43.52 | Computer Name = BARTOLINO | Source = VSS | ID = 8193
Description = Errore del Servizio copia replicata del volume: errore inatteso durante
il richiamo della routine CoCreateInstance. hr = 0x80040206.

Error - 31/10/2009 6.54.12 | Computer Name = BARTOLINO | Source = MsiInstaller | ID = 1013
Description = Prodotto: Microsoft .NET Framework 2.0 Service Pack 2 -- Microsoft
.NET Framework 2.0 Service Pack 2 cannot be uninstalled because it will affect
other applications that are installed. For more information, see http://go.microsoft.com/fwlink/?LinkId=91126.

Error - 10/11/2009 2.40.43 | Computer Name = BARTOLINO | Source = EventSystem | ID = 4609
Description = Il sistema di gestione degli eventi COM+ ha rilevato un codice restituito
non valido durante l'elaborazione interna. Valore HRESULT 80080005 nella riga 44
di d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Comunicare il problema
al Servizio Supporto Tecnico Clienti Microsof

Error - 10/11/2009 2.40.43 | Computer Name = BARTOLINO | Source = VSS | ID = 8193
Description = Errore del Servizio copia replicata del volume: errore inatteso durante
il richiamo della routine CoCreateInstance. hr = 0x80040206.

[ System Events ]
Error - 24/11/2009 16.10.47 | Computer Name = BARTOLINO | Source = NetBT | ID = 4307
Description = Inizializzazione non riuscita perché il trasporto non ha aperto gli
indirizzi iniziali.

Error - 25/11/2009 2.47.15 | Computer Name = BARTOLINO | Source = NetBT | ID = 4307
Description = Inizializzazione non riuscita perché il trasporto non ha aperto gli
indirizzi iniziali.

Error - 25/11/2009 14.49.15 | Computer Name = BARTOLINO | Source = W32Time | ID = 39452689
Description = Time providerNtpClient: si è verificato un errore durante la ricerca
DNS del peer configurato manualmente 'time.windows.com,0x1'. NtpClient ritenterà
la ricerca DNS fra 15 minuti. Errore Tentativo di operazione del socket verso un
host non raggiungibile. (0x80072751)

Error - 25/11/2009 14.49.15 | Computer Name = BARTOLINO | Source = W32Time | ID = 39452701
Description = Il time provider NtpClient è configurato per acquisire l'ora da una
o più origini dell'ora, ma nessuna origine dell'ora è accessibile attualmente e non
verrà eseguito alcun tentativo di contattare un'origine per 14 minuti. NtpClient
non dispone di alcuna origine di ora esatta.

Error - 28/11/2009 12.03.23 | Computer Name = BARTOLINO | Source = NetBT | ID = 4307
Description = Inizializzazione non riuscita perché il trasporto non ha aperto gli
indirizzi iniziali.

Error - 03/12/2009 20.10.05 | Computer Name = BARTOLINO | Source = NetBT | ID = 4307
Description = Inizializzazione non riuscita perché il trasporto non ha aperto gli
indirizzi iniziali.

Error - 04/12/2009 16.46.30 | Computer Name = BARTOLINO | Source = NetBT | ID = 4307
Description = Inizializzazione non riuscita perché il trasporto non ha aperto gli
indirizzi iniziali.

Error - 05/12/2009 12.59.27 | Computer Name = BARTOLINO | Source = NetBT | ID = 4307
Description = Inizializzazione non riuscita perché il trasporto non ha aperto gli
indirizzi iniziali.

Error - 05/12/2009 17.40.47 | Computer Name = BARTOLINO | Source = NetBT | ID = 4307
Description = Inizializzazione non riuscita perché il trasporto non ha aperto gli
indirizzi iniziali.

Error - 05/12/2009 19.10.28 | Computer Name = BARTOLINO | Source = Ftdisk | ID = 262189
Description = Impossibile caricare il driver dei dettagli arresto anomalo del sistema.


< End of report >

----------- GMER LOGS --------------

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-07 00:49:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\riki\IMPOST~1\Temp\uwtcipow.sys


---- System - GMER 1.0.15 ----

SSDT A905EB43 ZwDeleteKey
SSDT A905EB4D ZwDeleteValueKey
SSDT spjj.sys ZwEnumerateKey [0xF74F4CA4]
SSDT spjj.sys ZwEnumerateValueKey [0xF74F5032]
SSDT A905EB52 ZwLoadKey
SSDT spjj.sys ZwOpenKey [0xF74D60C0]
SSDT spjj.sys ZwQueryKey [0xF74F510A]
SSDT spjj.sys ZwQueryValueKey [0xF74F4F8A]
SSDT A905EB5C ZwReplaceKey
SSDT A905EB57 ZwRestoreKey

INT 0x63 ? 899DEF00
INT 0x73 ? 899DEF00
INT 0x94 ? 899DEF00
INT 0xB4 ? 899DEF00

---- Kernel code sections - GMER 1.0.15 ----

? spjj.sys Impossibile trovare il file specificato. !
.text USBPORT.SYS!DllUnload B98F98AC 5 Bytes JMP 899DE4E0

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1912] ntdll.dll!NtQueryDirectoryFile + 6 7C91D774 4 Bytes [90, 61, 36, 02]
? C:\WINDOWS\System32\svchost.exe[2228] image checksum mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[2480] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: DNSAPI.dllunknown module: gdiplus.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89B952D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7507C4C] spjj.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7507CA0] spjj.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 899DE5E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E6E9C] spjj.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 64C03356
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 000030A1
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 0C408B00
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] AD1C708B
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 5E08408B
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] CCCCCCC3
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] CCCCCCCC
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] CCCCCCCC
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 53EC8B55
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 558B5756
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 8BDA8B08
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] FA033C7A
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 503F8166
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 03547545
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] FCFA03F2
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 0C6D8B55
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 96C203AD
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 3351FD87
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0FC180C9
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 0C72A6F3
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] FD875996
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 8166EEC5
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 2BEEB6EE
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] EBFE2BF1
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 66C033E3
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] E0C1078B
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 1C738B02
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] F003F203
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 5DC203AD
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 5D5B5E5F
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] CCCCCCC3
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] CCCCCCCC
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] CCCCCCCC
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] CCCCCCCC
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 83EC8B55
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 60A134EC
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 53700062
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 45895756
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] FF4AE8FC
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 2C68FFFF
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 50700051
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] E8E44589
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] FFFFFF5C
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 51200D8B
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 158B7000
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] A1DC4589
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] [7000511C] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] A0EC4589
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] [70005128] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 8908C483
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 5589F04D
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] F84588F4
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 50EC458D
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 50E4458B
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 89DC55FF
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 558BCC45
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 3C4A8B08
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 80118C8B
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 03000000
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 04418BCA
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 4D89C085
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 8B0B75E0
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] C0850C41
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 00A2840F
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 018B0000
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] C203103C
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] FF85F203
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 89D44589
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 840FE475
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 00000080
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 83FFCE83
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] FF85FFCB
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] F78B0A79
IAT C:\WINDOWS\System32\svchost.exe[2228] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] FFFFE681
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77F4F00C] C:\WINDOWS\system32\ADVAPI32.dll (API Windows 32 Base avanzato/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] [77F6C238] C:\WINDOWS\system32\ADVAPI32.dll (API Windows 32 Base avanzato/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77F4798B] C:\WINDOWS\system32\ADVAPI32.dll (API Windows 32 Base avanzato/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77F46C27] C:\WINDOWS\system32\ADVAPI32.dll (API Windows 32 Base avanzato/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [77F47ABB] C:\WINDOWS\system32\ADVAPI32.dll (API Windows 32 Base avanzato/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [77F47852] C:\WINDOWS\system32\ADVAPI32.dll (API Windows 32 Base avanzato/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] [77F4EAE7] C:\WINDOWS\system32\ADVAPI32.dll (API Windows 32 Base avanzato/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] [76EF689B] C:\WINDOWS\System32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [76EF4C42] C:\WINDOWS\System32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [76EE5AD3] C:\WINDOWS\System32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] [77E4EF1C] C:\WINDOWS\system32\GDI32.dll (GDI Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C80A530] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C838A3C] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C80D302] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C801D7B] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C80BE56] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C812FBD] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C81127A] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C80E9DF] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C809BE7] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C80EABB] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C81CB12] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C80C0F8] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C81CB3B] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C82FC08] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C830D7C] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C809AA9] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C809EA1] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] [7C80BB41] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] [7C91FE21] C:\WINDOWS\system32\ntdll.dll (DLL del livello NT/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [7C80934A] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7C80AC61] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [7C812C56] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [7C9200C4] C:\WINDOWS\system32\ntdll.dll (DLL del livello NT/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C929BA0] C:\WINDOWS\system32\ntdll.dll (DLL del livello NT/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[KERNEL32.dll!GetCurrentProcessId] [7C91FF2D] C:\WINDOWS\system32\ntdll.dll (DLL del livello

NT/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[KERNEL32.dll!GetSystemTimeAsFileTime] [7C809F19] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[KERNEL32.dll!TerminateProcess] [7C8024B7] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[KERNEL32.dll!UnhandledExceptionFilter] [7C809B12] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[KERNEL32.dll!LocalAlloc] [7C8309E9] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[KERNEL32.dll!lstrcmpW] [7C8650C8] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[KERNEL32.dll!DelayLoadFailureHook] [7C865C7F] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!NtQuerySecurityObject] [7C802213] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlFreeHeap] [7C801E1A] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!NtOpenKey] [7C80236B] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat]

[7C834D71] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE

API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy]

[7C814B92] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE

API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlAllocateHeap] [7C801A28] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlCompareUnicodeString] [7C810BBC] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlInitUnicodeString] [7C8350EF] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlInitializeSid] [7C80BEA1] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlLengthRequiredSid] [7C814F8A] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlSubAuthoritySid] [7C80176F] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose]

[7C80A4C7] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE

API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlSubAuthorityCountSid] [7C801812] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlGetDaclSecurityDescriptor] [7C810B17] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlQueryInformationAcl] [7C831EDD] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlGetAce] [7C810E27] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlImageNtHeader] [7C80AA6C] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen]

[7C80FCCF] C:\WINDOWS\system32\kernel32.dll (DLL client di Windows NT BASE

API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlUnhandledExceptionFilter] [7C80FDCD] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[ntdll.dll!RtlCopySid] [7C809C98] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcServerUnregisterIfEx] [7C8099B5] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcMgmtWaitServerListen] [7C812F16] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcMgmtSetServerStackSize] [7C93ABC5] C:\WINDOWS\system32\ntdll.dll (DLL del livello

NT/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcServerUnregisterIf] [7C809AF1] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcServerListen] [7C809B84] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcServerUseProtseqEpW] [7C80B56F] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcServerRegisterIf] [7C812FD9] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!I_RpcMapWin32Status] [7C809F91] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2480] @ C:\WINDOWS\System32\svchost.exe

[RPCRT4.dll!RpcMgmtStopServerListening] [7C80981A] C:\WINDOWS\system32\kernel32.dll (DLL client di

Windows NT BASE API/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89B921F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CFECF3DC-670B-4378-9A08-5308971ABD39} 894CF1F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbehci \Device\USBPDO-0 899D51F8
Device \Driver\usbuhci \Device\USBPDO-1 899DB500
Device \Driver\usbuhci \Device\USBPDO-2 899DB500
Device \Driver\usbuhci \Device\USBPDO-3 899DB500
Device \Driver\usbuhci \Device\USBPDO-4 899DB500
Device \Driver\Ftdisk \Device\HarddiskVolume1 89C041F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89C041F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89C041F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89B931F8
Device \Driver\atapi \Device\Ide\IdePort0 89B931F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 894CF1F8
Device \Driver\NetBT \Device\NetbiosSmb 894CF1F8
Device \Driver\usbuhci \Device\USBFDO-0 899DB500
Device \Driver\usbuhci \Device\USBFDO-1 899DB500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899ED1F8
Device \Driver\usbuhci \Device\USBFDO-2 899DB500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 899ED1F8
Device \Driver\usbuhci \Device\USBFDO-3 899DB500
Device \Driver\usbehci \Device\USBFDO-4 899D51F8
Device \Driver\Ftdisk \Device\FtControl 89C041F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0xD9 0x89 0x7C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0xD9 0x89 0x7C ...

---- EOF - GMER 1.0.15 ----

#2 rimix2

rimix2
  • Topic Starter

  • Members
  • 3 posts

Posted 07 December 2009 - 07:42 AM

Hi again
I saw that the linked thread (http://www.bleepingcomputer.com/forums/topic276226.html) was closed successfully with the help of Buckeye_Sam - and some kind of operation with "The Avenger".
Since I'm not an expert with "The Avenger" procedures, I would need to know whether the instructions given in the above thread are OK also in my case (and maybe a hint on the "av_md.exe" stuff).

Thanks!!
rik

QUICK EDIT --> the suggestion given in the above thread (move atapi.sys from one folder to another one with Avenger) seems not to be applicable in my case, since it seems that I do not have the source folder (...\Windows\Servicepackfiles\...)

Edited by rimix2, 07 December 2009 - 10:47 AM.


#3 rimix2

rimix2
  • Topic Starter

  • Members
  • 3 posts

Posted 07 December 2009 - 10:51 AM

Hi again
I've also run DDS and RootRepeal; I'm attaching the logs here, hope they might help further.
thx
rik


Edited by rimix2, 07 December 2009 - 11:10 AM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 19 December 2009 - 09:04 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 24 December 2009 - 12:13 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
