
Zonealarm detect Infection Packed.Win32.TDSS.z


  • This topic is locked
15 replies to this topic

#1 sao


Posted 18 December 2009 - 07:59 AM

Launching RootRepeal I got several messages: "Could not read the boot sector. Try adjusting......"
The level was already at its highest.
Nero 9 - no option to select drives for burning.
I tried to run GMER, but I don't know if it was my fault: the system got stuck and I lost the data of my profile,
which is why I recently created a new one.
Sometimes I got a blue screen with a general error message, but I can usually log on to XP by launching the OS again.
Thanks in advance for your help!
Adri

**********************************************


DDS (Ver_09-12-01.01) - NTFSx86
Run by angel at 10.22.17,40 on 18/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.510.255 [GMT 1:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Programmi\Photodex\ProShowGold\ScsiAccess.exe
svchost.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\stsystra.exe
D:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe
D:\Programmi\D-Link\AirPlus G\AirGCFG.exe
D:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
D:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programmi\Mozilla Firefox\firefox.exe
D:\Documents and Settings\lucifero\Desktop\TMP\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = "d:\programmi\outlook express\msimn.exe"
mWinlogon: Userinit=d:\windows\system32\userinit.exe,d:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TLightFrameIECOM Class: {20a66f2f-31ce-11d5-8bf7-0090cc12d082} - d:\windows\system32\LightFrameIECOM.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\programmi\java\jre1.5.0_16\bin\ssv.dll
BHO: {9AA2F14F-E956-44B8-8694-A5B615CDF341} - No File
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - d:\programmi\babylon\babylon-pro\utils\BabylonIEPI.dll
uRun: [CTFMON.EXE] d:\windows\system32\ctfmon.exe
mRun: [ehTray] d:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "d:\programmi\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [D-Link AirPlus G] d:\programmi\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] d:\programmi\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [AdobeCS4ServiceManager] "d:\programmi\file comuni\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "d:\programmi\zone labs\zonealarm\zlclient.exe"
mRun: [Regeditsystem] d:\windows\system32\regeditsystem\Regeditsystem.exe
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
mExplorerRun: [Regeditsystem] d:\windows\system32\regeditsystem\Regeditsystem.exe
StartupFolder: d:\docume~1\angel\menuav~1\progra~1\esecuz~1\window~1.lnk - d:\docume~1\lucifero\impost~1\temp\JMstart.exe
StartupFolder: d:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - d:\programmi\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&sporta in Microsoft Excel - d:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Translate this web page with Babylon - d:\programmi\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\programmi\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://d:\programmi\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\programmi\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC} - d:\programmi\java\jre1.5.0_16\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220791485359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - d:\programmi\file comuni\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: xxop81 - xxop81.dll
mASetup: {QJ60TOP1-7350-D21V-UGW3-4U07F5DB5S5O} - d:\windows\system32\regeditsystem\Regeditsystem.exe

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\angel\datiap~1\mozilla\firefox\profiles\h9fddz6z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - plugin: d:\documents and settings\angel\dati applicazioni\mozilla\plugins\npPxPlay.dll
FF - plugin: d:\programmi\google\google earth\plugin\npgeplugin.dll
FF - plugin: d:\programmi\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: d:\programmi\java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: d:\programmi\java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: d:\programmi\java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: d:\programmi\java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: d:\programmi\java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: d:\programmi\java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: d:\programmi\java\jre1.5.0_16\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
d:\programmi\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;d:\windows\system32\drivers\kl1.sys [2009-11-10 128016]
R1 KLIF;Kaspersky Lab Driver;d:\windows\system32\drivers\klif.sys [2009-11-10 317072]
R1 vsdatant;vsdatant;d:\windows\system32\vsdatant.sys [2009-11-10 486280]
R2 McrdSvc;Media Center Extender Service;d:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]
R2 vsmon;TrueVector Internet Monitor;d:\windows\system32\zonelabs\vsmon.exe -service --> d:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 msdvdr;MSDV Driver;d:\windows\system32\msdvdr.pif --> d:\windows\system32\msdvdr.pif [?]
S2 xzrvcl;Monitor Universal;d:\windows\system32\svchost.exe -k netsvcs [2004-9-7 14336]
S3 ACSSCR;ACR38 Smart Card Reader;d:\windows\system32\drivers\a38usbxp.sys [2008-6-25 24832]
S3 gupdate;Servizio di Google Update (gupdate);d:\programmi\google\update\GoogleUpdate.exe [2009-10-2 133104]

=============== Created Last 30 ================

2009-12-16 18:55:26 682 ----a-w- d:\documents and settings\angel\plugin131_13.trace
2009-12-16 17:11:07 0 d--h--w- d:\documents and settings\angel\Risorse di rete
2009-12-16 17:11:02 0 d--h--w- d:\documents and settings\angel\Modelli
2009-12-16 17:11:02 0 d-----r- d:\documents and settings\angel\Preferiti
2009-12-16 17:11:01 0 d--h--w- d:\documents and settings\angel\InstallAnywhere
2009-12-16 17:11:01 0 d-----r- d:\documents and settings\angel\Menu Avvio
2009-12-16 16:56:41 460 ----a-w- d:\documents and settings\angel\6D73776D706461742E746C62FA.tmp
2009-12-16 16:56:41 377344 --sha-w- d:\documents and settings\angel\ehthumbs.db
2009-12-16 16:56:41 0 d-sh--w- d:\documents and settings\angel\UserData
2009-12-16 16:56:41 0 d-----w- d:\documents and settings\angel\WINDOWS
2009-12-16 16:56:40 178 ----a-w- d:\documents and settings\angel\ruboutts
2009-12-16 16:56:40 0 d--h--w- d:\documents and settings\angel\Risorse di stampa
2009-12-16 16:34:09 0 d--h--w- d:\documents and settings\angel\Impostazioni locali
2009-12-16 16:29:27 1579 ----a-w- d:\documents and settings\angel\default.pls
2009-12-16 16:29:27 0 d-----r- d:\documents and settings\angel\Documenti
2009-12-16 16:25:39 0 d-----w- d:\docume~1\angel\datiap~1\Colasoft Packet Builder
2009-12-16 16:25:39 0 d-----w- d:\docume~1\angel\datiap~1\Babylon
2009-12-16 16:24:37 0 d-----w- d:\docume~1\angel\datiap~1\Photodex
2009-12-16 16:24:37 0 d-----w- d:\docume~1\angel\datiap~1\PDFCreator
2009-12-16 16:24:33 0 d-----w- d:\docume~1\angel\datiap~1\SlipStream
2009-12-16 16:24:29 175104 ----a-w- d:\docume~1\angel\datiap~1\SQLite3.dll
2009-12-16 16:24:29 0 d-----w- d:\docume~1\angel\datiap~1\uTorrent
2009-12-16 16:22:14 23624 ----a-w- d:\docume~1\angel\datiap~1\GDIPFONTCACHEV1.DAT
2009-12-16 16:22:14 217699 ---ha-w- d:\docume~1\angel\datiap~1\logs.dat
2009-12-16 16:22:14 0 d--h--r- d:\documents and settings\angel\Dati applicazioni
2009-12-16 11:12:23 306 --sh--w- d:\documents and settings\angel\ntuser.ini
2009-12-12 13:30:21 0 d--h--w- d:\windows\PIF
2009-12-10 22:00:29 0 d-----w- d:\windows\system32\LogFiles
2009-12-10 21:43:09 4624 ----a-w- d:\windows\system32\xxop81.dll
2009-12-01 09:02:28 69 ----a-w- d:\windows\NeroDigital.ini
2009-11-30 18:13:04 0 d-----w- d:\programmi\Nero
2009-11-30 18:12:33 0 d-----w- d:\docume~1\alluse~1\datiap~1\Nero
2009-11-30 17:47:41 896 ----a-w- d:\windows\CTREBOOT.INI

==================== Find3M ====================

2009-12-18 09:22:34 4212 ---ha-w- d:\windows\system32\zllictbl.dat
2009-12-14 17:34:44 83934 ----a-w- d:\windows\system32\perfc010.dat
2009-12-14 17:34:44 489038 ----a-w- d:\windows\system32\perfh010.dat
2009-10-17 00:39:40 72584 ----a-w- d:\windows\zllsputility.exe
2009-10-17 00:39:32 1238408 ----a-w- d:\windows\system32\zpeng25.dll
2008-09-08 16:28:37 32768 --sha-w- d:\windows\system32\config\systemprofile\impostazioni locali\cronologia\history.ie5\mshist012008090820080909\index.dat

============= FINISH: 10.24.44,90 ===============

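A first triage pass over the autostart entries of a DDS "Pseudo HJT Report" like the one posted above, added here as an example (it is not code from the DDS tool or from anyone in this thread). The sample lines are constructed from the kinds of entries in the posted log, and the allowlist of stock XP Winlogon notification packages is an assumption to check against a clean build of the same system.

```python
import re
from collections import defaultdict

# Constructed sample in the DDS "Pseudo HJT Report" layout, built from the kinds of
# entries shown in the log above (one benign BHO and Run entry among the suspect ones).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mWinlogon: Userinit=d:\windows\system32\userinit.exe,d:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
mRun: [ehTray] d:\windows\ehome\ehtray.exe
mRun: [Regeditsystem] d:\windows\system32\regeditsystem\Regeditsystem.exe
mExplorerRun: [Regeditsystem] d:\windows\system32\regeditsystem\Regeditsystem.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: xxop81 - xxop81.dll
mASetup: {QJ60TOP1-7350-D21V-UGW3-4U07F5DB5S5O} - d:\windows\system32\regeditsystem\Regeditsystem.exe
"""

# Winlogon notification packages shipped with Windows XP. Assumed allowlist: extend it
# from a known-clean machine of the same build before relying on it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Active Setup component ids are GUIDs; anything else was made up by an installer.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Policy values that lock the user out of their own troubleshooting tools.
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools"}

# "[Name] "path\to\binary.exe" args" -> the launched binary.
RUN_TARGET_RE = re.compile(r'\[[^\]]*\]\s*"?([^"]+?\.exe)', re.I)


def triage(log_text):
    """Return (tag, detail) findings for the autostart lines of a DDS log."""
    findings = []
    launch_points = defaultdict(set)  # binary path -> autostart keys that start it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        key, _, value = line.partition(": ")
        if not value:
            continue
        k = key.lower()
        if k.endswith("winlogon") and value.lower().startswith("userinit="):
            # Userinit should name userinit.exe alone; extra entries run at every logon.
            entries = [e.strip() for e in value[len("userinit="):].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("userinit_extra", ", ".join(extra)))
        elif k == "notify":
            # Notification packages load into winlogon.exe; unknown names need a look.
            name = value.split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(("unknown_notify", value))
        elif k.endswith("asetup"):
            parts = value.split(" - ", 1)
            if not GUID_RE.match(parts[0].strip()):
                findings.append(("asetup_bad_guid", value))
            if len(parts) == 2:
                launch_points[parts[1].strip().lower()].add(k)
        elif "policies" in k:
            name, _, setting = value.partition(" = ")
            if name.strip().lower() in LOCKOUT_POLICIES and setting.startswith("1"):
                findings.append(("lockout_policy", value))
        elif k.endswith("run"):
            m = RUN_TARGET_RE.match(value)
            if m:
                launch_points[m.group(1).lower()].add(k)
    # The same binary registered under several autostart keys is redundant persistence.
    for path, keys in sorted(launch_points.items()):
        if len(keys) > 1:
            findings.append(("multi_autostart", path + " <- " + ", ".join(sorted(keys))))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:16} {detail}")
```

Each finding names the line to look at; it confirms nothing by itself, which is why the helpers in this thread follow the DDS log with mbr.exe and ComboFix.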


#2 fenzodahl512


Posted 18 December 2009 - 08:37 AM

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on the desktop (mbr.log).

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 sao


Posted 19 December 2009 - 10:02 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully

10KU
A

#4 fenzodahl512


Posted 19 December 2009 - 10:50 AM

Doesn't look good at all :(

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.



Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running our fixes.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download this program by sUBs and save it to your Desktop. Then after you disable all security programs, simply run it (double-click it)

If the program asks you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while the program is running.. Just let it finish..



#5 sao


Posted 20 December 2009 - 04:14 PM

Hi

Ran DeFogger with no problem; actually it didn't ask me to reboot.. anyway, I rebooted.
Performed The_Comedian with no problem.
KittyFix installed the recovery program, but it couldn't create a new restore point.
It got stuck asking me to shut down ZoneAlarm (still active), but before that I had unchecked the option to load ZA Security Suite at startup,
and after rebooting, zlclient was not up, so I don't know what to do.
I didn't find any advice in topic114351.html.
After that I didn't reboot, and typing is very slow now in this box? No idea why!?
Hope I didn't damage anything.
......to be continued...I hope...
A.

defogger_disable by jpshortstuff (28.11.09.2)
Log created at 21:23 on 20/12/2009 (angel)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

#6 fenzodahl512


Posted 21 December 2009 - 06:12 AM

Reboot and do below..

1. Remove KittyFix from your computer
2. Read and understand the instructions at the link below carefully >> disable all your antivirus/firewall (this is super important) >> download and run ComboFix >> post the log here :(

http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 sao


Posted 22 December 2009 - 09:57 AM

Sorry

but as I don't find any ZoneAlarm process running after I shut it down,
and KittyFix alerted me that it was actually still up,
I wonder if it is risky to try again and run ComboFix before definitively uninstalling ZoneAlarm?

Thanks
A.

#8 fenzodahl512


Posted 23 December 2009 - 06:12 AM

Ok, first, delete KittyFix.. It's outdated already..

second, uninstall ZoneAlarm first.. You may reinstall it after we finish..

third, refer to the link below.. read it carefully, then download and run ComboFix.. After that, post the log here :(

http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#9 sao


Posted 25 December 2009 - 06:17 AM

Fantastic! Merry Xmas...thanks a lot!
Adri

ComboFix 09-12-20.04 - angel 25/12/2009 10.00.56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.510.329 [GMT 1:00]
Eseguito da: d:\documents and settings\angel\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\angel\Dati applicazioni\logs.dat
d:\recycler\S-1-5-21-1177238915-1958367476-1417001333-1003
d:\recycler\S-1-5-21-725345543-1993962763-839522115-1003
d:\windows\AUTOLNCH.REG
d:\windows\msa.exe
d:\windows\system32\18467.exe
d:\windows\system32\41.exe
d:\windows\system32\AVR09.exe
d:\windows\system32\drivers\gasfkyusoypylv.sys
d:\windows\system32\gasfkybwwkpaln.dll
d:\windows\system32\gasfkyevfipmba.dat
d:\windows\system32\gasfkylog.dat
d:\windows\system32\gasfkynspibmnw.dll
d:\windows\system32\gasfkyowxrbfwi.dat
d:\windows\system32\gasfkypbspxtfq.dll
d:\windows\system32\gasfkyxrfobygp.dll
d:\windows\system32\lowsec
d:\windows\system32\lowsec\local.ds
d:\windows\system32\lowsec\user.ds
d:\windows\system32\lowsec\user.ds.lll
d:\windows\system32\mswmpdat.tlb
d:\windows\system32\winhelper.dll
d:\windows\system32\wmcache.nld
d:\windows\system32\xxop81.dll
d:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
d:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyftitlexe
-------\Legacy_gasfkyftitlexe
-------\Legacy_MSDVDR
-------\Service_msdvdr
-------\Service_RDPWD
-------\Service_TDTCP


((((((((((((((((((((((((( Files Creati Da 2009-11-25 al 2009-12-25 )))))))))))))))))))))))))))))))))))
.

2009-12-20 20:36 . 2009-12-20 20:36 -------- d-----w- d:\programmi\ERUNT
2009-12-19 16:00 . 2009-12-20 09:16 -------- d-----w- d:\windows\system32\FxsTmp
2009-12-19 15:59 . 2004-09-07 12:00 31744 -c--a-w- d:\windows\system32\dllcache\fxsroute.dll
2009-12-19 15:59 . 2004-09-07 12:00 31744 ----a-w- d:\windows\system32\fxsroute.dll
2009-12-19 15:59 . 2004-09-07 12:00 138240 -c--a-w- d:\windows\system32\dllcache\fxsclntr.dll
2009-12-19 15:59 . 2004-09-07 12:00 138240 ----a-w- d:\windows\system32\fxsclntR.dll
2009-12-19 15:59 . 2004-09-07 12:00 11264 -c--a-w- d:\windows\system32\dllcache\fxssend.exe
2009-12-19 15:59 . 2004-09-07 12:00 11264 ----a-w- d:\windows\system32\fxssend.exe
2009-12-19 15:59 . 2004-09-07 12:00 112128 -c--a-w- d:\windows\system32\dllcache\fxscfgwz.dll
2009-12-19 15:59 . 2004-09-07 12:00 112128 ----a-w- d:\windows\system32\fxscfgwz.dll
2009-12-17 09:01 . 2009-12-17 09:01 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Babylon
2009-12-16 17:11 . 2009-12-16 17:11 -------- d--h--w- d:\documents and settings\angel\Risorse di rete
2009-12-16 17:11 . 2009-12-16 17:11 -------- d-----r- d:\documents and settings\angel\Preferiti
2009-12-16 17:11 . 2009-12-16 17:11 -------- d--h--w- d:\documents and settings\angel\Modelli
2009-12-16 17:11 . 2009-12-16 17:11 -------- d--h--w- d:\documents and settings\angel\InstallAnywhere
2009-12-16 17:11 . 2009-12-16 17:11 -------- d-----r- d:\documents and settings\angel\Menu Avvio
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Adobe
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Ahead
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\ApplicationHistory
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Downloaded Installations
2009-12-16 17:09 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Google
2009-12-16 17:09 . 2009-12-16 17:09 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Help
2009-12-16 17:08 . 2009-12-16 20:12 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Identities
2009-12-16 17:06 . 2009-12-22 08:25 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Microsoft
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Mozilla
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\PowerDVD
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Nero
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Temp
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Sun
2009-12-16 17:04 . 2009-11-18 16:58 23624 ----a-w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-16 17:04 . 2007-04-06 19:30 137 ----a-w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\fusioncache.dat
2009-12-16 16:56 . 2009-12-16 16:56 -------- d-sh--w- d:\documents and settings\angel\UserData
2009-12-16 16:56 . 2009-12-16 16:56 -------- d-----w- d:\documents and settings\angel\WINDOWS
2009-12-16 16:56 . 2009-12-16 16:56 -------- d--h--w- d:\documents and settings\angel\Risorse di stampa
2009-12-16 16:34 . 2009-12-25 09:09 -------- d--h--w- d:\documents and settings\angel\Impostazioni locali
2009-12-16 16:29 . 2009-12-19 16:07 -------- d-----r- d:\documents and settings\angel\Documenti
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Nero
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Photodex
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\PDFCreator
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Netscape
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Skype
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\skypePM
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\SlipStream
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\SlySoft
2009-12-16 16:24 . 2009-12-18 14:09 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\uTorrent
2009-12-16 16:22 . 2009-12-25 09:09 -------- d--h--r- d:\documents and settings\angel\Dati applicazioni
2009-12-16 11:12 . 2009-12-20 20:23 -------- d-----w- d:\documents and settings\angel
2009-12-12 13:30 . 2009-12-12 13:30 -------- d--h--w- d:\windows\PIF
2009-12-10 22:00 . 2009-12-10 22:00 -------- d-----w- d:\windows\system32\LogFiles
2009-11-30 18:13 . 2009-11-30 18:24 -------- d-----w- d:\programmi\Nero
2009-11-30 18:12 . 2009-11-30 18:25 -------- d-----w- d:\programmi\File comuni\Nero
2009-11-30 18:12 . 2009-11-30 18:16 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 18:13 . 2009-08-08 14:16 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\FLEXnet
2009-12-24 16:21 . 2008-12-28 08:35 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Babylon
2009-12-24 11:43 . 2007-04-23 21:53 4212 ---ha-w- d:\windows\system32\zllictbl.dat
2009-12-22 15:37 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Babylon
2009-12-19 16:00 . 2004-09-07 12:00 84650 ----a-w- d:\windows\system32\perfc010.dat
2009-12-19 16:00 . 2004-09-07 12:00 490288 ----a-w- d:\windows\system32\perfh010.dat
2009-12-17 22:27 . 2009-10-27 09:03 189296 ----a-w- d:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2009-12-17 10:53 . 2007-04-07 08:26 -------- d-----w- d:\programmi\FaxTalk Communicator
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\AdobeUM
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Ahead
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\CyberLink
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Colasoft Packet Builder
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Download Manager
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Media Player Classic
2009-12-15 19:37 . 2009-10-07 19:18 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Thought Communications
2009-11-30 17:48 . 2007-05-03 18:05 -------- d-----w- d:\programmi\File comuni\Ahead
2009-11-24 15:34 . 2009-12-16 16:24 175104 ----a-w- d:\documents and settings\angel\Dati applicazioni\SQLite3.dll
2009-11-20 08:27 . 2009-08-17 12:32 -------- d-----w- d:\programmi\Google
2009-11-19 21:54 . 2007-04-13 17:15 -------- d-----w- d:\programmi\File comuni\Adobe
2009-11-15 14:13 . 2009-11-11 08:31 -------- d-----w- d:\programmi\FreePOPs
2009-11-12 21:05 . 2009-11-12 21:05 -------- d-----w- d:\programmi\Photodex Presenter
2009-11-12 21:04 . 2009-08-06 16:31 -------- d-----w- d:\programmi\Photodex
2009-10-27 09:02 . 2009-10-27 09:02 -------- d-----w- d:\programmi\MSBuild
2009-10-27 09:02 . 2009-10-27 09:02 -------- d-----w- d:\programmi\Reference Assemblies
2009-10-27 08:40 . 2009-10-27 08:40 -------- d-----w- d:\programmi\File comuni\Macrovision Shared
2009-10-21 14:05 . 2009-10-21 14:05 56 ---ha-w- d:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="d:\windows\ehome\ehtray.exe" [2005-08-17 64512]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DVDLauncher"="d:\programmi\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"D-Link AirPlus G"="d:\programmi\D-Link\AirPlus G\AirGCFG.exe" [2006-11-17 1552384]
"ANIWZCS2Service"="d:\programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 49152]
"AdobeCS4ServiceManager"="d:\programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

d:\documents and settings\angel\Menu Avvio\Programmi\Esecuzione automatica\
ERUNT AutoBackup.lnk - d:\programmi\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Microsoft Office.lnk - d:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^LightFrame 2.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AuthentIC Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Certificate Synchronizer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-08-03 14:37 3711376 ----a-w- d:\programmi\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 17:14 1695232 ------w- d:\programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-05-28 01:18 75256 ----a-w- d:\programmi\Java\jre1.5.0_16\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-16 16:07 289072 ----a-w- d:\programmi\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"OCSCryptolibService"=2 (0x2)
"wscsvc"=2 (0x2)
"gusvc"=2 (0x2)
"ehSched"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programmi\\Messenger\\msmsgs.exe"=
"d:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Programmi\\Skype\\Phone\\Skype.exe"=
"d:\\Programmi\\uTorrent\\uTorrent.exe"=
"d:\\Programmi\\File comuni\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Documents and Settings\\lucifero\\Desktop\\TMP\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S2 xzrvcl;Monitor Universal;d:\windows\system32\svchost.exe -k netsvcs [07/09/2004 13.00.00 14336]
S3 ACSSCR;ACR38 Smart Card Reader;d:\windows\system32\drivers\a38usbxp.sys [25/06/2008 19.04.35 24832]
S3 gupdate;Servizio di Google Update (gupdate);d:\programmi\Google\Update\GoogleUpdate.exe [02/10/2009 14.56.36 133104]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xzrvcl
.
------- Scansione supplementare -------
.
uInternet Connection Wizard,ShellNext = "d:\programmi\Outlook Express\msimn.exe"
IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Translate this web page with Babylon - d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
FF - ProfilePath - d:\documents and settings\angel\Dati applicazioni\Mozilla\Firefox\Profiles\h9fddz6z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - plugin: d:\documents and settings\angel\Dati applicazioni\Mozilla\plugins\npPxPlay.dll
FF - plugin: d:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: d:\programmi\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPOJI610.dll
.
- - - - ORPHANED KEYS REMOVED - - - -

HKLM-Run-Regeditsystem - d:\windows\system32\Regeditsystem\Regeditsystem.exe
HKLM-Explorer_Run-Regeditsystem - d:\windows\system32\Regeditsystem\Regeditsystem.exe
Notify-xxop81 - xxop81.dll
MSConfigStartUp-CallControl 4 - d:\programmi\FAXTALK COMMUNICATOR\FTCtrl32.exe
MSConfigStartUp-FaxTalk Messenger Pro 7 - d:\programmi\FaxTalk Trial\FTClCtrl.exe
MSConfigStartUp-Regeditsystem - d:\windows\system32\Regeditsystem\Regeditsystem.exe
MSConfigStartUp-swg - d:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-winupdate - d:\windows\system32\winupdate.exe
MSConfigStartUp-ZagrebLand - d:\docume~1\angel\IMPOST~1\Temp\b.exe
ActiveSetup-{QJ60TOP1-7350-D21V-UGW3-4U07F5DB5S5O} - d:\windows\system32\Regeditsystem\Regeditsystem.exe
AddRemove-Atlante Mondiale 2.0 - F:\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-25 10:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xzrvcl]
"ServiceDll"="d:\windows\system32\hkzaf.dll"
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
d:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other running processes ------------------------
.
d:\windows\System32\SCardSvr.exe
d:\windows\eHome\ehRecvr.exe
d:\programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
d:\windows\system32\nvsvc32.exe
d:\programmi\Photodex\ProShowGold\ScsiAccess.exe
d:\windows\ehome\mcrdsvc.exe
d:\windows\system32\wscntfy.exe
d:\windows\stsystra.exe
d:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Scan finished at: 2009-12-25 10:19:13 - The PC was rebooted
ComboFix-quarantined-files.txt 2009-12-25 09:19

Pre-Run: 115.482.800.128 bytes free
Post-Run: 120.184.143.872 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E7806E37865B2F862EAAB0B2402316CD

#10 fenzodahl512

Posted 25 December 2009 - 10:01 PM

Hi, sorry.. yesterday I was very busy and I was very tired :(


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
xzrvcl

Driver::
xzrvcl

File::
d:\windows\system32\hkzaf.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
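The script above removes xzrvcl from the netsvcs group and deletes the DLL it was loading, which is the fix for a service-DLL hijack: the log shows a service with an unfamiliar display name ("Monitor Universal") whose image is the legitimate svchost.exe -k netsvcs, with its ServiceDll value pointing at hkzaf.dll, so the malicious code runs inside a trusted system process and appears in a process list only as one more svchost.exe. The Python script below is an added example, not part of this thread and not ComboFix's code; it performs that triage over a DDS/ComboFix-style log. The sample log is constructed from lines copied from the log above, the XP SP3 netsvcs baseline is an assumed partial list, and the remaining checks cover the other indicators in the same log: a Winlogon Notify entry whose DLL is missing, an autostart in a Temp folder, EnableFirewall=0, and Security Center / Automatic Updates disabled through msconfig.

```python
"""Triage a DDS/ComboFix-style log for svchost service-DLL hijacks and related tells.
Added example, not part of the original thread and not ComboFix code; it automates the check
the helper did by hand and looks for the other indicators visible in the same log."""
import re
from itertools import takewhile

# Constructed sample: lines copied from the ComboFix log above (names and paths as logged).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 xzrvcl;Monitor Universal;d:\windows\system32\svchost.exe -k netsvcs [07/09/2004 13.00.00 14336]
S3 gupdate;Servizio di Google Update (gupdate);d:\programmi\Google\Update\GoogleUpdate.exe [02/10/2009 14.56.36 133104]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xzrvcl
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xzrvcl]
"ServiceDll"="d:\windows\system32\hkzaf.dll"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxop81]
xxop81.dll [BU]

MSConfigStartUp-ZagrebLand - d:\docume~1\angel\IMPOST~1\Temp\b.exe
"""
# Constructed clean snippet, to show the checks stay quiet on stock entries.
CLEAN_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)

R2 Schedule;Task Scheduler;d:\windows\system32\svchost.exe -k netsvcs [07/09/2004 13.00.00 14336]
"""

# Assumed, partial list of the stock Windows XP SP3 netsvcs group (lower-cased service names).
XP_NETSVCS_BASELINE = {
    "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "eventsystem", "hidserv", "ias",
    "iprip", "irmon", "lanmanserver", "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc",
    "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess", "srservice",
    "tapisrv", "themes", "trkwks", "w32time", "wzcsvc", "wmi", "winmgmt", "wuauserv", "bits",
    "shellhwdetection", "helpsvc", "xmlprov", "wscsvc",
}
# Security Center, Automatic Updates, Windows Firewall/ICS: disabling these weakens the host.
SECURITY_SERVICES = {"wscsvc", "wuauserv", "sharedaccess"}

SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[", re.M)
SERVICE_DLL = re.compile(r"\\Services\\([^\]\\]+)\]\s*\n\"ServiceDll\"=\"([^\"]+)\"", re.I)
NOTIFY_ENTRY = re.compile(r"\\winlogon\\notify\\([^\]]+)\]\s*\n(.+)", re.I)
AUTOSTART = re.compile(r"^(?:MSConfigStartUp|HKLM-Run|HKCU-Run|HKLM-Explorer_Run)-(.+?) - (.+)$", re.M)

def section(log, header):
    """Lines after the first line containing `header`, up to a blank line or '.'."""
    lines = log.splitlines()
    start = next((i + 1 for i, l in enumerate(lines) if header.lower() in l.lower()), len(lines))
    return [l.strip() for l in takewhile(lambda l: l.strip() not in ("", "."), lines[start:])]

def svchost_services(log):
    """Service name -> svchost group, for service lines whose image is svchost.exe -k <group>."""
    hosted = {}
    for name, image in SERVICE_LINE.findall(log):
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", image, re.I)
        if m:
            hosted[name] = m.group(1)
    return hosted

def service_dlls(log):
    """Service name -> ServiceDll path, from the per-service registry dumps in the log."""
    return dict(SERVICE_DLL.findall(log))

def findings(log):
    """Human-readable indicators, the service hijack first."""
    out, dlls = [], service_dlls(log)
    suspects = set(section(log, "Svchost - NetSvcs")) | {n for n, g in svchost_services(log).items() if g.lower() == "netsvcs"}
    for name in sorted(suspects):
        if name.lower() not in XP_NETSVCS_BASELINE:
            out.append(f"netsvcs member '{name}' is not in the XP baseline; ServiceDll={dlls.get(name, '<not dumped in log>')}")
    # ComboFix tags a Notify DLL it cannot find with [BU]; HijackThis reports the same key as '(file missing)'.
    for name, entry in NOTIFY_ENTRY.findall(log):
        if "[BU]" in entry or "file missing" in entry.lower():
            out.append(f"Winlogon Notify '{name}' references a missing DLL ({entry.strip()})")
    for name, path in AUTOSTART.findall(log):
        if "\\temp\\" in path.lower():
            out.append(f"autostart '{name}' runs from a Temp folder: {path}")
    for line in section(log, "firewallpolicy\\standardprofile]"):
        m = re.match(r'"EnableFirewall"\s*=\s*(\d+)', line)
        if m and m.group(1) == "0":
            out.append("Windows Firewall standard profile has EnableFirewall=0")
    disabled = {m.group(1).lower() for m in (re.match(r'"([^"]+)"', l) for l in section(log, "msconfig\\services]")) if m}
    for svc in sorted(disabled & SECURITY_SERVICES):
        out.append(f"security service '{svc}' is disabled via msconfig; confirm this was deliberate")
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print("-", f)
```

Run it as a script to print the findings for the sample; for a real log, read the file into `findings()`. The baseline check is deliberately crude: a member missing from the baseline needs a look and is not proof of infection, and a hijacked stock service name would pass it, which is why the ServiceDll path is printed alongside so it can be checked on disk.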


#11 sao (Topic Starter)

Posted 26 December 2009 - 10:45 AM

Hi ;-b
Actually I thought everything was fixed.... anyway, I'm simply glad if we can solve it :(

ComboFix 09-12-20.04 - angel 26/12/2009 16.16.21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.510.289 [GMT 1:00]
Run by: d:\documents and settings\angel\Desktop\ComboFix.exe
Options used :: d:\documents and settings\angel\Desktop\CFScript.txt

WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"d:\windows\system32\hkzaf.dll"
.

((((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\LOG.TXT

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XZRVCL
-------\Service_xzrvcl


((((((((((((((((((((((((( Files Created From 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))))))
.

2009-12-26 15:13 . 2009-12-26 15:13 -------- d-----w- d:\windows\Internet Logs
2009-12-25 19:15 . 2009-10-28 01:02 33160 ----a-w- d:\windows\zllsputility_loc0410.dll
2009-12-25 19:15 . 2009-10-28 01:02 7048 ----a-w- d:\windows\system32\imslsp_install_loc0410.dll
2009-12-25 19:15 . 2009-10-28 01:02 10632 ----a-w- d:\windows\system32\imsinstall_loc0410.dll
2009-12-25 19:15 . 2009-10-28 01:02 46472 ----a-w- d:\windows\system32\vsutil_loc0410.dll
2009-12-19 16:00 . 2009-12-20 09:16 -------- d-----w- d:\windows\system32\FxsTmp
2009-12-19 15:59 . 2004-09-07 12:00 31744 -c--a-w- d:\windows\system32\dllcache\fxsroute.dll
2009-12-19 15:59 . 2004-09-07 12:00 31744 ----a-w- d:\windows\system32\fxsroute.dll
2009-12-19 15:59 . 2004-09-07 12:00 138240 -c--a-w- d:\windows\system32\dllcache\fxsclntr.dll
2009-12-19 15:59 . 2004-09-07 12:00 138240 ----a-w- d:\windows\system32\fxsclntR.dll
2009-12-19 15:59 . 2004-09-07 12:00 11264 -c--a-w- d:\windows\system32\dllcache\fxssend.exe
2009-12-19 15:59 . 2004-09-07 12:00 11264 ----a-w- d:\windows\system32\fxssend.exe
2009-12-19 15:59 . 2004-09-07 12:00 112128 -c--a-w- d:\windows\system32\dllcache\fxscfgwz.dll
2009-12-19 15:59 . 2004-09-07 12:00 112128 ----a-w- d:\windows\system32\fxscfgwz.dll
2009-12-17 09:01 . 2009-12-17 09:01 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Babylon
2009-12-16 17:11 . 2009-12-16 17:11 -------- d--h--w- d:\documents and settings\angel\Risorse di rete
2009-12-16 17:11 . 2009-12-16 17:11 -------- d-----r- d:\documents and settings\angel\Preferiti
2009-12-16 17:11 . 2009-12-16 17:11 -------- d--h--w- d:\documents and settings\angel\Modelli
2009-12-16 17:11 . 2009-12-16 17:11 -------- d--h--w- d:\documents and settings\angel\InstallAnywhere
2009-12-16 17:11 . 2009-12-16 17:11 -------- d-----r- d:\documents and settings\angel\Menu Avvio
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Adobe
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Ahead
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\ApplicationHistory
2009-12-16 17:10 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Downloaded Installations
2009-12-16 17:09 . 2009-12-16 17:10 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Google
2009-12-16 17:09 . 2009-12-16 17:09 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Help
2009-12-16 17:08 . 2009-12-16 20:12 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Identities
2009-12-16 17:06 . 2009-12-22 08:25 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Microsoft
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Mozilla
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\PowerDVD
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Nero
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Temp
2009-12-16 17:05 . 2009-12-16 17:05 -------- d-----w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\Sun
2009-12-16 17:04 . 2009-11-18 16:58 23624 ----a-w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-16 17:04 . 2007-04-06 19:30 137 ----a-w- d:\documents and settings\angel\Impostazioni locali\Dati applicazioni\fusioncache.dat
2009-12-16 16:56 . 2009-12-16 16:56 -------- d-sh--w- d:\documents and settings\angel\UserData
2009-12-16 16:56 . 2009-12-16 16:56 -------- d-----w- d:\documents and settings\angel\WINDOWS
2009-12-16 16:56 . 2009-12-16 16:56 -------- d--h--w- d:\documents and settings\angel\Risorse di stampa
2009-12-16 16:34 . 2009-12-26 15:23 -------- d--h--w- d:\documents and settings\angel\Impostazioni locali
2009-12-16 16:29 . 2009-12-19 16:07 -------- d-----r- d:\documents and settings\angel\Documenti
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Nero
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Photodex
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\PDFCreator
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Netscape
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Skype
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\skypePM
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\SlipStream
2009-12-16 16:24 . 2009-12-16 16:24 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\SlySoft
2009-12-16 16:24 . 2009-12-18 14:09 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\uTorrent
2009-12-16 16:22 . 2009-12-26 15:16 -------- d--h--r- d:\documents and settings\angel\Dati applicazioni
2009-12-16 11:12 . 2009-12-20 20:23 -------- d-----w- d:\documents and settings\angel
2009-12-12 13:30 . 2009-12-12 13:30 -------- d--h--w- d:\windows\PIF
2009-12-10 22:00 . 2009-12-10 22:00 -------- d-----w- d:\windows\system32\LogFiles
2009-11-30 18:13 . 2009-11-30 18:24 -------- d-----w- d:\programmi\Nero
2009-11-30 18:12 . 2009-11-30 18:25 -------- d-----w- d:\programmi\File comuni\Nero
2009-11-30 18:12 . 2009-11-30 18:16 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 12:52 . 2007-04-23 21:53 4212 ---ha-w- d:\windows\system32\zllictbl.dat
2009-12-26 09:48 . 2008-12-28 08:35 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Babylon
2009-12-24 18:13 . 2009-08-08 14:16 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\FLEXnet
2009-12-22 15:37 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Babylon
2009-12-19 16:00 . 2004-09-07 12:00 84650 ----a-w- d:\windows\system32\perfc010.dat
2009-12-19 16:00 . 2004-09-07 12:00 490288 ----a-w- d:\windows\system32\perfh010.dat
2009-12-17 22:27 . 2009-10-27 09:03 189296 ----a-w- d:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2009-12-17 10:53 . 2007-04-07 08:26 -------- d-----w- d:\programmi\FaxTalk Communicator
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\AdobeUM
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Ahead
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\CyberLink
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Colasoft Packet Builder
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Download Manager
2009-12-16 16:25 . 2009-12-16 16:25 -------- d-----w- d:\documents and settings\angel\Dati applicazioni\Media Player Classic
2009-12-15 19:37 . 2009-10-07 19:18 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Thought Communications
2009-11-30 17:48 . 2007-05-03 18:05 -------- d-----w- d:\programmi\File comuni\Ahead
2009-11-24 15:34 . 2009-12-16 16:24 175104 ----a-w- d:\documents and settings\angel\Dati applicazioni\SQLite3.dll
2009-11-24 15:34 . 2009-12-16 16:24 175104 ----a-w- d:\documents and settings\angel\Dati applicazioni\SQLite3.dll
2009-11-20 08:27 . 2009-08-17 12:32 -------- d-----w- d:\programmi\Google
2009-11-19 21:54 . 2007-04-13 17:15 -------- d-----w- d:\programmi\File comuni\Adobe
2009-11-15 14:13 . 2009-11-11 08:31 -------- d-----w- d:\programmi\FreePOPs
2009-11-12 21:05 . 2009-11-12 21:05 -------- d-----w- d:\programmi\Photodex Presenter
2009-11-12 21:05 . 2009-12-16 16:24 131072 ----a-w- d:\documents and settings\angel\Dati applicazioni\Mozilla\Plugins\npPxPlay.dll
2009-11-12 21:05 . 2009-12-16 16:24 131072 ----a-w- d:\documents and settings\angel\Dati applicazioni\Netscape\Plugins\npPxPlay.dll
2009-11-12 21:04 . 2009-08-06 16:31 -------- d-----w- d:\programmi\Photodex
2009-10-21 14:05 . 2009-10-21 14:05 56 ---ha-w- d:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate/default values are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="d:\programmi\SlySoft\AnyDVD\AnyDVD.exe" [2007-05-15 407724]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="d:\windows\ehome\ehtray.exe" [2005-08-17 64512]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DVDLauncher"="d:\programmi\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"D-Link AirPlus G"="d:\programmi\D-Link\AirPlus G\AirGCFG.exe" [2006-11-17 1552384]
"ANIWZCS2Service"="d:\programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 49152]
"AdobeCS4ServiceManager"="d:\programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Microsoft Office.lnk - d:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxop81]
xxop81.dll [BU]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^LightFrame 2.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-08-03 14:37 3711376 ----a-w- d:\programmi\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 17:14 1695232 ------w- d:\programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-05-28 01:18 75256 ----a-w- d:\programmi\Java\jre1.5.0_16\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-16 16:07 289072 ----a-w- d:\programmi\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"OCSCryptolibService"=2 (0x2)
"wscsvc"=2 (0x2)
"gusvc"=2 (0x2)
"ehSched"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programmi\\Messenger\\msmsgs.exe"=
"d:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Programmi\\Skype\\Phone\\Skype.exe"=
"d:\\Programmi\\uTorrent\\uTorrent.exe"=
"d:\\Programmi\\File comuni\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Documents and Settings\\lucifero\\Desktop\\TMP\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 ACSSCR;ACR38 Smart Card Reader;d:\windows\system32\drivers\a38usbxp.sys [25/06/2008 19.04.35 24832]
S3 gupdate;Servizio di Google Update (gupdate);d:\programmi\Google\Update\GoogleUpdate.exe [02/10/2009 14.56.36 133104]
.
------- Supplementary scan -------
.
uInternet Connection Wizard,ShellNext = "d:\programmi\Outlook Express\msimn.exe"
IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Translate this web page with Babylon - d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
FF - ProfilePath - d:\documents and settings\angel\Dati applicazioni\Mozilla\Firefox\Profiles\h9fddz6z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - plugin: d:\documents and settings\angel\Dati applicazioni\Mozilla\plugins\npPxPlay.dll
FF - plugin: d:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: d:\programmi\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: d:\programmi\Java\jre1.5.0_16\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
d:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other running processes ------------------------
.
d:\windows\System32\SCardSvr.exe
d:\windows\eHome\ehRecvr.exe
d:\programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
d:\windows\system32\nvsvc32.exe
d:\programmi\Photodex\ProShowGold\ScsiAccess.exe
d:\windows\ehome\mcrdsvc.exe
d:\windows\system32\wscntfy.exe
d:\windows\eHome\ehmsas.exe
d:\windows\stsystra.exe
.
**************************************************************************
.
Scan finished at: 2009-12-26 16:31:47 - The PC was rebooted
ComboFix-quarantined-files.txt 2009-12-26 15:31
ComboFix2.txt 2009-12-25 09:19

Pre-Run: 120.292.605.952 bytes free
Post-Run: 120.283.156.480 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 3ED77557767957CB209A69E77EAF5A73
******************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.34.46, on 26/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Programmi\Photodex\ProShowGold\ScsiAccess.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\stsystra.exe
D:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe
D:\Programmi\D-Link\AirPlus G\AirGCFG.exe
D:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
D:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
D:\WINDOWS\explorer.exe
D:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "D:\Programmi\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TLightFrameIECOM Class - {20A66F2F-31CE-11D5-8BF7-0090CC12D082} - D:\WINDOWS\system32\LightFrameIECOM.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.5.0_16\bin\ssv.dll
O2 - BHO: (no name) - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - D:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "D:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [D-Link AirPlus G] D:\Programmi\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] D:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "D:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [AnyDVD] D:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Windows Login.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate this web page with Babylon - res://D:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://D:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - D:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - D:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1220791485359
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: xxop81 - xxop81.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - D:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - D:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - D:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Programmi\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 5839 bytes

#12 fenzodahl512

Posted 26 December 2009 - 11:19 AM

Let's do a scan just to make sure we didn't miss anything.. Run this one when you're not using the computer, as it will take a while to finish..


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :(



#13 sao (Topic Starter)

Posted 11 January 2010 - 04:21 PM

Hii
Sorry for the delay.
I could not scan online because I didn't have a fast connection, and with an analog connection it was impossible to complete it.
Anyway, my Nero burning program now recognizes drives!!
It happened once that the PC got stuck after playing a compilation; a blue screen appeared, and there was a problem with nv4_disp.dll.
Thanks again
PS: I still haven't reinstalled any antivirus.

this is the result of ESET

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
Can not read file from internet.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
esets_scanner_update returned -1 esets_gle=37125
esets_scanner_update returned -1 esets_gle=37125
esets_scanner_update returned -1 esets_gle=45315
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b98cae4ca3e18044bcc1cebdd774884b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-11 09:06:03
# local_time=2010-01-11 10:06:03 (+0100, Western Europe standard time)
# country="Italy"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1401447 1401447 0 0
# compatibility_mode=8192 67108863 100 0 905950 905950 0 0
# scanned=173314
# found=8
# cleaned=8
# scan_time=4454
C:\Copie\Angel\Impostazioni locali\Temp\Directory temporanea 2 per Nero 9.4.26.0 Keygen by CORE.zip\Nero 9.4.26.0 Keygen by CORE.exe a variant of Win32/Injector.AFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\lucifero\Impostazioni locali\Temp\Directory temporanea 2 per Nero 9.4.26.0 Keygen by CORE.zip\Nero 9.4.26.0 Keygen by CORE.exe a variant of Win32/Injector.AFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\msa.exe.vir a variant of Win32/Kryptik.BKE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\system32\gasfkypbspxtfq.dll.vir probably a variant of Win32/Obfuscated trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\system32\gasfkyxrfobygp.dll.vir probably a variant of Win32/Obfuscated trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\system32\xxop81.dll.vir a variant of Win32/TrojanProxy.Agent.NFV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{AE31B6E9-C86D-458B-A9D5-269C5A7626FD}\RP1\A0001762.exe a variant of Win32/Injector.AFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\system32\drivers\aeihinma.sys Win32/Rootkit.Agent.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
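The eight hits above are not all equal. Four are under D:\Qoobox\Quarantine, which is where ComboFix keeps the copies it has already removed (renamed with a .vir extension); one is an old copy inside a System Restore point; two are the keygen in Temp folders; and one, D:\WINDOWS\system32\drivers\aeihinma.sys, is a kernel driver that was present on the running system at scan time, after both ComboFix runs. The Python script below is an added example, not part of this thread or of ESET's tooling; it parses the ESET Online Scanner log format shown above (counter lines followed by one detection per line; the eight lines are embedded as a constructed sample), classifies each hit by where the file lived, checks the number of detection lines against the `# found=` counter, and sorts whatever was still live to the top.

```python
"""Classify ESET Online Scanner detections by where each file lived.
Added example, not part of the original thread or of ESET's tooling: the scan above mixes
copies ComboFix had already quarantined, old copies inside System Restore points and files
still live on the system, and only the last group describes the machine's current state."""
import re

# Constructed sample: the counters and the eight detection lines from the ESET log above.
ESET_LOG = r"""
# found=8
# cleaned=8
# scan_time=4454
C:\Copie\Angel\Impostazioni locali\Temp\Directory temporanea 2 per Nero 9.4.26.0 Keygen by CORE.zip\Nero 9.4.26.0 Keygen by CORE.exe a variant of Win32/Injector.AFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\lucifero\Impostazioni locali\Temp\Directory temporanea 2 per Nero 9.4.26.0 Keygen by CORE.zip\Nero 9.4.26.0 Keygen by CORE.exe a variant of Win32/Injector.AFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\msa.exe.vir a variant of Win32/Kryptik.BKE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\system32\gasfkypbspxtfq.dll.vir probably a variant of Win32/Obfuscated trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\system32\gasfkyxrfobygp.dll.vir probably a variant of Win32/Obfuscated trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Qoobox\Quarantine\D\WINDOWS\system32\xxop81.dll.vir a variant of Win32/TrojanProxy.Agent.NFV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{AE31B6E9-C86D-458B-A9D5-269C5A7626FD}\RP1\A0001762.exe a variant of Win32/Injector.AFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\system32\drivers\aeihinma.sys Win32/Rootkit.Agent.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# One detection per line: <path> <threat name> (<action>) <32 hex digits> <flag>.
DETECTION = re.compile(
    r"^([A-Za-z]:\\.+?)\s+((?:probably )?(?:a variant of )?Win32/\S+ trojan)\s+"
    r"\(([^)]*)\)\s+([0-9A-Fa-f]{32})\s+(\S+)$", re.M)

# Lower number = look at it first.
PRIORITY = {"live-driver": 0, "live-file": 1, "live-temp": 2, "restore-point": 3, "combofix-quarantine": 4}

def classify(path):
    """Where the detected file lived, which decides how much it says about the running system."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"   # ComboFix's own quarantine; already removed, renamed .vir
    if "\\system volume information\\_restore" in p:
        return "restore-point"         # historical copy; goes away when System Restore is reset
    if "\\drivers\\" in p and p.endswith(".sys"):
        return "live-driver"           # kernel driver still on disk: the serious one
    if "\\temp\\" in p:
        return "live-temp"             # dropper or keygen residue, not persistence by itself
    return "live-file"

def parse(log):
    """(header counters, list of detection dicts) from an ESET Online Scanner log."""
    header = dict(re.findall(r"^# (\w+)=(\S+)", log, re.M))
    hits = [{"path": p, "threat": t, "action": a, "hash": h, "class": classify(p)}
            for p, t, a, h, _flag in DETECTION.findall(log)]
    return header, hits

def triage(log):
    """Paths grouped by class, most urgent group first; refuses a log whose count disagrees with itself."""
    header, hits = parse(log)
    if "found" in header and int(header["found"]) != len(hits):
        raise ValueError(f"header says found={header['found']} but {len(hits)} detection lines parsed")
    groups = {}
    for hit in sorted(hits, key=lambda h: PRIORITY[h["class"]]):
        groups.setdefault(hit["class"], []).append(hit["path"])
    return groups

def still_live(log):
    """Detections that were on the running system rather than in a quarantine or restore point."""
    return [p for cls, paths in triage(log).items() if cls.startswith("live") for p in paths]

if __name__ == "__main__":
    for cls, paths in triage(ESET_LOG).items():
        print(cls, *paths, sep="\n  ")
```

Classifying by location is a triage aid, not a verdict: a .vir under Qoobox is inert, while the driver under system32\drivers is the item that justified the follow-up rootkit scan reported later in the thread.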

#14 fenzodahl512

Posted 19 January 2010 - 08:19 AM

Hello.. Apologies for the delay.. I was very, very ill for two weeks, and it affected my life.. Now I'm back..

Do you still need help?



#15 sao (Topic Starter)

Posted 20 January 2010 - 08:17 AM

Glad to know you are well.
I reckon everything is OK now.
After the online scan I scanned with ZA for rootkits and no threats were detected.
Thanks a lot for your help!!
Adri



