HelpAssistant


  • This topic is locked
92 replies to this topic

#1 plunio
Posted 09 May 2010 - 07:56 AM

Hello.
For a few weeks I've been noticing some weird things happening to my PC.
First and most important is the creation of a user named "HelpAssistant" upon each boot of the computer. I have seen that other users have already been helped to fix the same problem. The main visible issue is the creation of a folder in E:\Documents and settings, where copies of a lot of files are stored. This quickly eats up the free space on my hard disk.
I am not sure what the purpose of copying all those files is, and I have not noticed any suspicious in/out traffic yet, nor is the Sygate Firewall highlighting serious threats to my security, but I would really like to get rid of this issue as soon as possible.
Disabling the user "HelpAssistant" via Control Panel is not working, since something overrides that upon reboot.
I experienced a couple of other problems in the last weeks, before deciding to ask for your help: I am not sure whether or not they can be linked to the HelpAssistant issue.
The first one was a strange "Advanced card verification" window, popping up every now and then while navigating on credit card sites (Amex or Visa), and causing IE and the PC to freeze completely.
The second one was a problem on Google's results page, where apparently legitimate links were often maliciously redirected, popping up apocalyptic messages strongly suggesting that I perform anti-virus scans before the Big Crash could happen...
But for now I would focus on the HelpAssistant stuff, and ask for your precious help and time.
So then:

Here is the DDS.txt log; "attach.txt" and "ark.txt" should have been attached, too.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Flu at 13.12.03,40 on 09/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.489 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
F:\Nero\InCD\InCDsrv.exe
F:\Sygate Firewall\smc.exe
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmi\Avira\AntiVir Desktop\sched.exe
svchost.exe
E:\Programmi\a-squared Free\a2service.exe
E:\Programmi\Avira\AntiVir Desktop\avguard.exe
F:\Downloads\Cobian Backup\cbVSCService.exe
E:\Programmi\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\drivers\KodakCCS.exe
E:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Programmi\Canon\CAL\CALMAIN.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Programmi\Analog Devices\SoundMAX\SMTray.exe
E:\Programmi\Labtec\Mouse\2.1\moffice.exe
E:\Programmi\Labtec\Mouse\2.1\MOUSE32A.EXE
F:\Nero\NeroNET\NNServiceCtrl.exe
F:\Nero\InCD\InCD.exe
E:\Programmi\Lexmark 3400 Series\lxcymon.exe
E:\Programmi\Lexmark 3400 Series\ezprint.exe
E:\Programmi\File comuni\Java\Java Update\jusched.exe
E:\Programmi\Avira\AntiVir Desktop\avgnt.exe
E:\Programmi\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programmi\Messenger\msmsgs.exe
E:\WINDOWS\system32\lxcycoms.exe
E:\Programmi\iPod\bin\iPodService.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Documents and Settings\Flu\Desktop\Safety\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.fastweb.it/portale/?benvenuto=
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Barra degli strumenti: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - e:\programmi\lexmark toolbar\toolband.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - e:\programmi\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\programmi\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Barra degli strumenti: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - e:\programmi\lexmark toolbar\toolband.dll
uRun: [CTFMON.EXE] e:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "e:\programmi\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Smapp] e:\programmi\analog devices\soundmax\SMTray.exe
mRun: [QuickTime Task] "e:\programmi\quicktime\qttask.exe" -atboottime
mRun: [FLMOFFICE4DMOUSE] e:\programmi\labtec\mouse\2.1\moffice.exe
mRun: [CloneCDTray] "e:\programmi\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [DAEMON Tools] "f:\daemon tools\daemon.exe" -lang 1033
mRun: [NeroFilterCheck] e:\windows\system32\NeroCheck.exe
mRun: [NeroNETTrayIcon] f:\nero\neronet\NNServiceCtrl.exe
mRun: [InCD] f:\nero\incd\InCD.exe
mRun: [lxcymon.exe] "e:\programmi\lexmark 3400 series\lxcymon.exe"
mRun: [EzPrint] "e:\programmi\lexmark 3400 series\ezprint.exe"
mRun: [FaxCenterServer] "e:\programmi\lexmark fax solutions\fm3032.exe" /s
mRun: [LXCYCATS] rundll32 e:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [AdobeCS4ServiceManager] "e:\programmi\file comuni\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "e:\programmi\file comuni\java\java update\jusched.exe"
mRun: [avgnt] "e:\programmi\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "e:\programmi\itunes\iTunesHelper.exe"
mRun: [SmcService] f:\sygate~1\smc.exe -startgui
dRun: [CTFMON.EXE] e:\windows\system32\ctfmon.exe
StartupFolder: e:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - e:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: e:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - e:\programmi\microsoft office\office10\OSA.EXE
IE: E&sporta in Microsoft Excel - e:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\programmi\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - e:\programmi\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: americanexpress.com\www
Trusted Zone: cartasi.it\titolari
Trusted Zone: iwbank.it\www
Trusted Zone: telepass.it\www
Trusted Zone: unicreditbanca.it\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - e:\programmi\file comuni\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\fileco~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;e:\windows\system32\drivers\viasraid.sys [2005-7-27 77312]
R1 avgio;avgio;e:\programmi\avira\antivir desktop\avgio.sys [2009-11-29 11608]
R2 a2free;a-squared Free Service;e:\programmi\a-squared free\a2service.exe [2010-3-17 1872320]
R2 AntiVirScheduler;Avira AntiVir Scheduler;e:\programmi\avira\antivir desktop\sched.exe [2009-11-29 108289]
R2 AntiVirService;Avira AntiVir Guard;e:\programmi\avira\antivir desktop\avguard.exe [2009-11-29 185089]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-11-29 56816]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;f:\downloads\cobian backup\cbVSCService.exe [2010-5-8 67584]
R3 lxcy_device;lxcy_device;e:\windows\system32\lxcycoms.exe -service --> e:\windows\system32\lxcycoms.exe -service [?]
S2 gupdate;Servizio di Google Update (gupdate);e:\programmi\google\update\GoogleUpdate.exe [2010-1-9 135664]
S3 NeroNET;NeroNET;f:\nero\neronet\neronet.exe -w --> f:\nero\neronet\NeroNET.exe -w [?]

=============== Created Last 30 ================

2010-04-27 23:25:24 411368 ------w- e:\windows\system32\deployJava1.dll
2010-04-27 23:16:40 471552 -c----w- e:\windows\system32\dllcache\aclayers.dll
2010-04-27 23:16:21 3558912 -c----w- e:\windows\system32\dllcache\moviemk.exe
2010-04-27 23:16:05 293376 ------w- e:\windows\system32\browserchoice.exe
2010-04-27 22:14:39 82944 ------w- e:\windows\sed.exe
2010-04-27 22:14:39 77312 ------w- e:\windows\mbr.exe
2010-04-27 22:14:39 278016 ------w- e:\windows\swreg.exe

==================== Find3M ====================

2010-05-08 14:07:50 96384 ----a-w- e:\windows\system32\drivers\sptd3069.sys
2010-03-29 22:46:30 38224 ------w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45:52 20824 ------w- e:\windows\system32\drivers\mbam.sys
2010-03-28 17:12:48 79292 ------w- e:\windows\system32\perfc010.dat
2010-03-28 17:12:48 478808 ------w- e:\windows\system32\perfh010.dat
2010-03-10 06:15:53 420352 ------w- e:\windows\system32\vbscript.dll
2010-02-25 06:16:35 916480 ------w- e:\windows\system32\wininet.dll
2010-02-17 12:05:08 2193664 ------w- e:\windows\system32\ntoskrnl.exe
2010-02-16 19:05:06 2070528 ------w- e:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:08 100864 ------w- e:\windows\system32\6to4svc.dll
2008-09-20 19:28:17 32768 --sh--w- e:\windows\system32\config\systemprofile\impostazioni locali\cronologia\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 13.12.36,93 ===============

Thank you very much for your support


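A few lines in the DDS log above are the ones a responder pulls out before reading anything else: the Winlogon `SfcDisable=-99 (0xffffff9d)` value (Windows File Protection switched off), the `Hosts:` entry that sends www.spywareinfo.com to 127.0.0.1, the banking sites listed under `Trusted Zone:` (IE applies weaker security settings in that zone, so a responder checks they were added by the user), the service entry DDS could not size or date (the `[?]` on `lxcy_device`), and, in the RSIT registry dump later in the thread, the per-drive `shell\AutoRun\command` entries under mountpoints2. For background, HelpAssistant is Windows XP's built-in Remote Assistance account, disabled by default. The script below is an added example, not part of this thread and not code from the DDS or RSIT tools: it runs those checks over log lines. The rule names, the severities and the constructed `SAMPLE_LOG` (lines excerpted from the logs posted here) are my own, and a finding means "review this line", not that the machine is infected.

```python
"""Triage of DDS / RSIT / HijackThis log lines.

Added example for this thread: flags the configuration indicators a
responder reviews first. Not code from BleepingComputer, DDS or RSIT;
the rules and severities are the example author's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "medium" (assumed labels, not a DDS scale)
    rule: str       # short rule name (assumed)
    line: str       # the log line that triggered the rule


# Constructed sample: lines excerpted from the DDS and RSIT logs posted in this
# thread, plus one HijackThis-style O15 line to show the second format.
SAMPLE_LOG = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll
Trusted Zone: americanexpress.com\www
Trusted Zone: unicreditbanca.it\www
Hosts: 127.0.0.1 www.spywareinfo.com
uRun: [CTFMON.EXE] e:\windows\system32\ctfmon.exe
R3 lxcy_device;lxcy_device;e:\windows\system32\lxcycoms.exe -service --> e:\windows\system32\lxcycoms.exe -service [?]
shell\AutoRun\command - J:\Launch.exe
"""

SFC_RE = re.compile(r"SfcDisable=(-?\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
TRUSTED_RE = re.compile(r"Trusted Zone:\s+(\S+)")          # DDS and HJT "O15 -" forms
AUTORUN_RE = re.compile(r"shell\\AutoRun\\command\s+-\s+(\S.*)$", re.IGNORECASE)
UNVERIFIED_RE = re.compile(r"^[RS]\d\s+.*\[\?\]\s*$")      # DDS service/driver line without size/date


def sfc_disable_value(line):
    """Return the integer SfcDisable value from a Winlogon line, or None."""
    m = SFC_RE.search(line)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Run every rule over each line; first matching rule wins per line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        value = sfc_disable_value(line)
        if value is not None and value != 0:
            # Any non-zero SfcDisable means Windows File Protection is off.
            findings.append(Finding("high", "wfp-disabled", line))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(2).lower() != "localhost":
            # A hosts override of anything but localhost is worth a look;
            # here it silences a security site.
            findings.append(Finding("high", "hosts-override", line))
            continue
        if TRUSTED_RE.search(line):
            findings.append(Finding("medium", "trusted-zone", line))
            continue
        if AUTORUN_RE.search(line):
            # Cached AutoRun command for a mounted drive letter (mountpoints2).
            findings.append(Finding("medium", "autorun-mountpoint", line))
            continue
        if UNVERIFIED_RE.match(line):
            # DDS printed [?] instead of [date size]: verify the binary by hand.
            findings.append(Finding("medium", "unverified-service-binary", line))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick overview of a long log."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:26} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Paste a whole DDS.txt or RSIT log.txt into `triage()` and review the `high` lines first; the `BHO:` and `uRun:` lines in the sample pass through untouched, which is the point: the script narrows a 150-line log to the handful of entries that decide what the responder asks for next.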

#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:11 AM

Posted 11 May 2010 - 01:37 AM

Hello, plunio.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 plunio

plunio
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:11 PM

Posted 11 May 2010 - 02:46 AM

Hello, aommaster.
Thanks for your time and support.

Note that my hard disk is partitioned in this way:
C:\ with OS Win2k, that I never use and I did not include in GMER Scan (please confirm it is OK);
E:\ with OS WinXP, the one I always work with and where I am experiencing all the issues;
F:\ just for data, not included in GMER Scan

Now the logs:

Logfile of random's system information tool 1.07 (written by random/random)
Run by Flu at 2010-05-11 08:37:43
Microsoft Windows XP Professional Service Pack 3
System drive E: has 2 GB (15%) free of 15 GB
Total RAM: 1023 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8.37.58, on 11/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
F:\Nero\InCD\InCDsrv.exe
F:\Sygate Firewall\smc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Programmi\Avira\AntiVir Desktop\sched.exe
E:\Programmi\a-squared Free\a2service.exe
E:\Programmi\Avira\AntiVir Desktop\avguard.exe
F:\Downloads\Cobian Backup\cbVSCService.exe
E:\Programmi\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\drivers\KodakCCS.exe
E:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\svchost.exe
E:\Programmi\Canon\CAL\CALMAIN.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Programmi\Analog Devices\SoundMAX\SMTray.exe
E:\Programmi\Labtec\Mouse\2.1\moffice.exe
F:\Daemon Tools\daemon.exe
F:\Nero\NeroNET\NNServiceCtrl.exe
E:\Programmi\Labtec\Mouse\2.1\MOUSE32A.EXE
F:\Nero\InCD\InCD.exe
E:\Programmi\Lexmark 3400 Series\ezprint.exe
E:\Programmi\File comuni\Java\Java Update\jusched.exe
E:\Programmi\Avira\AntiVir Desktop\avgnt.exe
E:\Programmi\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\lxcycoms.exe
E:\Programmi\iPod\bin\iPodService.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Documents and Settings\Flu\Desktop\Safety\RSIT.exe
E:\Programmi\trend micro\Flu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/portale/?benvenuto=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - E:\Programmi\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - E:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - E:\Programmi\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] E:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] E:\Programmi\Labtec\Mouse\2.1\moffice.exe
O4 - HKLM\..\Run: [CloneCDTray] "E:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroNETTrayIcon] F:\Nero\NeroNET\NNServiceCtrl.exe
O4 - HKLM\..\Run: [InCD] F:\Nero\InCD\InCD.exe
O4 - HKLM\..\Run: [lxcymon.exe] "E:\Programmi\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "E:\Programmi\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "E:\Programmi\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "E:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] F:\SYGATE~1\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = E:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - E:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.americanexpress.com
O15 - Trusted Zone: http://www.unicreditbanca.it
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\Programmi\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - E:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Cobian Backup 10 Volume Shadow Copy service (cbVSCService) - CobianSoft, Luis Cobian - F:\Downloads\Cobian Backup\cbVSCService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - E:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - E:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Nero\InCD\InCDsrv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - E:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - E:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcy_device - - E:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NeroNET - Ahead Software AG - F:\Nero\NeroNET\NeroNET.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - F:\Sygate Firewall\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9661 bytes

======Scheduled tasks folder======

E:\WINDOWS\tasks\AppleSoftwareUpdate.job
E:\WINDOWS\tasks\Google Software Updater.job
E:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cac9d83ea8b766.job
E:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - E:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}]
Lexmark Barra degli strumenti - E:\Programmi\Lexmark Toolbar\toolband.dll [2006-01-25 184320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - E:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-04-16 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - E:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-12-07 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - E:\Programmi\Java\jre6\bin\jp2ssv.dll [2010-04-12 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - E:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-12 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark Barra degli strumenti - E:\Programmi\Lexmark Toolbar\toolband.dll [2006-01-25 184320]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=E:\WINDOWS\system32\NvCpl.dll [2004-09-30 4603904]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=E:\WINDOWS\system32\NvMcTray.dll [2004-09-30 86016]
"Smapp"=E:\Programmi\Analog Devices\SoundMAX\SMTray.exe [2003-05-05 143360]
"QuickTime Task"=E:\Programmi\QuickTime\qttask.exe [2009-11-11 417792]
"FLMOFFICE4DMOUSE"=E:\Programmi\Labtec\Mouse\2.1\moffice.exe [2005-09-04 958464]
"CloneCDTray"=E:\Programmi\SlySoft\CloneCD\CloneCDTray.exe [2005-05-19 57344]
"DAEMON Tools"=F:\Daemon Tools\daemon.exe [2005-11-09 128920]
"NeroFilterCheck"=E:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"NeroNETTrayIcon"=F:\Nero\NeroNET\NNServiceCtrl.exe [2004-11-30 266240]
"InCD"=F:\Nero\InCD\InCD.exe [2005-04-12 1383936]
"lxcymon.exe"=E:\Programmi\Lexmark 3400 Series\lxcymon.exe [2006-03-06 286720]
"EzPrint"=E:\Programmi\Lexmark 3400 Series\ezprint.exe [2006-02-07 98304]
"FaxCenterServer"=E:\Programmi\Lexmark Fax Solutions\fm3032.exe [2006-02-02 290816]
"LXCYCATS"=rundll32 E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16 []
"Ptipbmf"=ptipbmf.dll,SetWriteCacheMode []
"AdobeCS4ServiceManager"=E:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2008-08-14 611712]
"SunJavaUpdateSched"=E:\Programmi\File comuni\Java\Java Update\jusched.exe [2010-02-18 248040]
"avgnt"=E:\Programmi\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"iTunesHelper"=E:\Programmi\iTunes\iTunesHelper.exe [2009-11-12 141600]
"SmcService"=F:\SYGATE~1\smc.exe [2004-06-30 2376928]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=E:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=E:\Programmi\Messenger\msmsgs.exe [2008-04-14 1695232]
"AdobeBridge"= []

E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
Avvio veloce di Adobe Reader.lnk - E:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - E:\Programmi\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
E:\WINDOWS\system32\WgaLogon.dll [2009-03-26 190976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe"="E:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"F:\Downloads\TVUPlayer\TVUPlayer.exe"="F:\Downloads\TVUPlayer\TVUPlayer.exe:*:Enabled:TVU Player Component"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Downloads\Sopcast\SopCast.exe"="F:\Downloads\Sopcast\SopCast.exe:*:Enabled:SopCast Main Application"
"E:\Documents and Settings\Flu\Dati applicazioni\SopCast\adv\SopAdver.exe"="E:\Documents and Settings\Flu\Dati applicazioni\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"F:\CivilizationIV\Civilization4.exe"="F:\CivilizationIV\Civilization4.exe:*:Disabled:Sid Meier's Civilization 4"
"F:\Downloads\TVAnts\Tvants.exe"="F:\Downloads\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"E:\WINDOWS\system32\dpvsetup.exe"="E:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"E:\WINDOWS\system32\rundll32.exe"="E:\WINDOWS\system32\rundll32.exe:*:Enabled:Modulo di esecuzione DLL come applicazioni"
"F:\Downloads\Sopcast\adv\SopAdver.exe"="F:\Downloads\Sopcast\adv\SopAdver.exe:*:Disabled:SopCast Adver"
"E:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="E:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"E:\Programmi\Skype\Phone\Skype.exe"="E:\Programmi\Skype\Phone\Skype.exe:*:Enabled:Skype"
"E:\Programmi\Internet Explorer\iexplore.exe"="E:\Programmi\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"E:\Programmi\iTunes\iTunes.exe"="E:\Programmi\iTunes\iTunes.exe:*:Enabled:iTunes"
"E:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe"="E:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Disabled:BlueSoleil"
"E:\Programmi\Bonjour\mDNSResponder.exe"="E:\Programmi\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"E:\WINDOWS\system32\LEXPPS.EXE"="E:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8dc2518-2203-11de-8d32-0011d82216ae}]
shell\AutoRun\command - J:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c16072cc-e732-11dd-8cbd-0011d82216ae}]
shell\AutoRun\command - I:\start.exe


======List of files/folders created in the last 1 months======

2010-05-11 08:37:43 ----D---- E:\rsit
2010-05-11 08:37:43 ----D---- E:\Programmi\trend micro
2010-04-28 01:25:41 ----D---- E:\Documents and Settings\All Users\Dati applicazioni\Sun
2010-04-28 01:25:40 ----D---- E:\Programmi\File comuni\Java
2010-04-28 01:25:24 ----N---- E:\WINDOWS\system32\javaws.exe
2010-04-28 01:25:24 ----N---- E:\WINDOWS\system32\javaw.exe
2010-04-28 01:25:24 ----N---- E:\WINDOWS\system32\java.exe
2010-04-28 01:25:24 ----N---- E:\WINDOWS\system32\deployJava1.dll
2010-04-28 01:23:45 ----HDC---- E:\WINDOWS\$NtUninstallKB978262$
2010-04-28 01:23:40 ----HDC---- E:\WINDOWS\$NtUninstallKB971468$
2010-04-28 01:23:31 ----HDC---- E:\WINDOWS\$NtUninstallKB979683$
2010-04-28 01:23:19 ----HDC---- E:\WINDOWS\$NtUninstallKB980232$
2010-04-28 01:23:15 ----HDC---- E:\WINDOWS\$NtUninstallKB955759$
2010-04-28 01:21:05 ----HDC---- E:\WINDOWS\$NtUninstallKB978037$
2010-04-28 01:21:01 ----HDC---- E:\WINDOWS\$NtUninstallKB975713$
2010-04-28 01:20:57 ----HDC---- E:\WINDOWS\$NtUninstallKB978338$
2010-04-28 01:20:53 ----HDC---- E:\WINDOWS\$NtUninstallKB972270$
2010-04-28 01:20:46 ----HDC---- E:\WINDOWS\$NtUninstallKB975561$
2010-04-28 01:20:41 ----HDC---- E:\WINDOWS\$NtUninstallKB975560$
2010-04-28 01:20:34 ----HDC---- E:\WINDOWS\$NtUninstallKB977816$
2010-04-28 01:20:30 ----HDC---- E:\WINDOWS\$NtUninstallKB978601$
2010-04-28 01:20:20 ----HDC---- E:\WINDOWS\$NtUninstallKB977914$
2010-04-28 01:19:55 ----HDC---- E:\WINDOWS\$NtUninstallKB979309$
2010-04-28 01:19:51 ----HDC---- E:\WINDOWS\$NtUninstallKB978706$
2010-04-28 01:19:37 ----HDC---- E:\WINDOWS\$NtUninstallKB979306$
2010-04-28 01:16:05 ----N---- E:\WINDOWS\system32\browserchoice.exe
2010-04-28 00:14:39 ----N---- E:\WINDOWS\swreg.exe
2010-04-28 00:14:39 ----N---- E:\WINDOWS\sed.exe
2010-04-28 00:14:39 ----N---- E:\WINDOWS\mbr.exe

======List of files/folders modified in the last 1 months======

2010-05-11 08:37:46 ----D---- E:\WINDOWS\Prefetch
2010-05-11 08:37:43 ----RD---- E:\Programmi
2010-05-11 08:32:39 ----D---- E:\WINDOWS\Temp
2010-05-11 08:32:29 ----D---- E:\Documents and Settings
2010-05-11 08:30:47 ----D---- E:\WINDOWS\system32\CatRoot2
2010-05-10 22:45:22 ----A---- E:\WINDOWS\SchedLgU.Txt
2010-05-10 20:46:22 ----D---- E:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2010-05-08 14:19:18 ----D---- E:\WINDOWS\system32\config
2010-05-08 14:19:17 ----D---- E:\WINDOWS\Registration
2010-05-03 12:19:24 ----D---- E:\MyVideos
2010-04-28 01:28:06 ----D---- E:\WINDOWS
2010-04-28 01:27:27 ----D---- E:\WINDOWS\system32
2010-04-28 01:27:27 ----D---- E:\WINDOWS\AppPatch
2010-04-28 01:27:27 ----D---- E:\Programmi\Internet Explorer
2010-04-28 01:25:40 ----SHD---- E:\WINDOWS\Installer
2010-04-28 01:25:40 ----D---- E:\Programmi\File comuni
2010-04-28 01:25:15 ----D---- E:\Programmi\Java
2010-04-28 01:23:47 ----HD---- E:\WINDOWS\inf
2010-04-28 01:23:44 ----HD---- E:\WINDOWS\$hf_mig$
2010-04-28 01:23:43 ----N---- E:\WINDOWS\imsins.BAK
2010-04-28 01:23:42 ----RSHDC---- E:\WINDOWS\system32\dllcache
2010-04-28 01:23:42 ----D---- E:\WINDOWS\system32\drivers
2010-04-28 01:23:24 ----D---- E:\WINDOWS\ie8updates
2010-04-28 01:20:47 ----D---- E:\Programmi\Movie Maker
2010-04-27 20:04:54 ----D---- E:\WINDOWS\Minidump
2010-04-20 18:38:59 ----N---- E:\WINDOWS\NeroDigital.ini
2010-04-18 21:59:52 ----D---- E:\Programmi\a-squared Free
2010-04-18 14:22:54 ----SD---- E:\WINDOWS\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\E:\Programmi\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; E:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 DcCam;Kodak Camera Proxy; E:\WINDOWS\system32\DRIVERS\DcCam.sys [2004-05-20 36918]
R1 InCDPass;InCDPass; E:\WINDOWS\System32\DRIVERS\InCDPass.sys [2005-04-12 29056]
R1 incdrm;InCD Reader; E:\WINDOWS\system32\drivers\incdrm.sys [2005-04-12 28160]
R1 ssmdrv;ssmdrv; E:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 wpsdrvnt;wpsdrvnt; \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 adfs;adfs; E:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
R2 avgntflt;avgntflt; E:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-10 56816]
R2 DCFS2K;Kodak DCFS2K Driver; E:\WINDOWS\system32\drivers\dcfs2k.sys [2004-06-02 38705]
R2 ElbyCDIO;ElbyCDIO Driver; E:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2005-04-21 10624]
R2 wg3n;SyGate for NT, wg3n; E:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [2004-06-30 14320]
R2 wg4n;SyGate for NT, wg4n; E:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [2004-06-30 14320]
R2 wg5n;SyGate for NT, wg5n; E:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [2004-06-30 14320]
R2 wg6n;SyGate for NT, wg6n; E:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [2004-06-30 14320]
R3 aeaudio;aeaudio; E:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 AnyDVD;AnyDVD; E:\WINDOWS\System32\Drivers\AnyDVD.sys [2005-10-27 19200]
R3 Arp1394;Protocollo client ARP 1394; E:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 dtscsi;dtscsi; E:\WINDOWS\System32\Drivers\dtscsi.sys [2006-05-13 223128]
R3 ElbyCDFL;ElbyCDFL; E:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2005-05-03 27392]
R3 ElbyDelay;ElbyDelay; E:\WINDOWS\System32\Drivers\ElbyDelay.sys [2005-04-12 4608]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; E:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HidUsb;Driver di classe HID Microsoft; E:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 NIC1394;1394 Net Driver; E:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; E:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-09-30 2743840]
R3 smwdm;smwdm; E:\WINDOWS\system32\drivers\smwdm.sys [2003-07-15 578368]
R3 usbccgp;Driver principale generico USB Microsoft; E:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Driver Miniport controller enhanced host USB 2.0 Microsoft; E:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Driver hub USB standard Microsoft; E:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Classe stampanti USB Microsoft; E:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;Driver scanner USB; E:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;Driver archiviazione di massa USB; E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Driver Miniport Controller Universal Host USB Microsoft; E:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; E:\WINDOWS\system32\DRIVERS\yk51x86.sys [2009-12-11 299008]
R4 InCDfs;InCD File System; E:\WINDOWS\system32\drivers\InCDfs.sys [2005-04-12 99456]
S1 Exportit;Exportit; E:\WINDOWS\system32\DRIVERS\exportit.sys [2004-07-07 152049]
S3 BlueletAudio;Bluetooth Audio Service; E:\WINDOWS\system32\DRIVERS\blueletaudio.sys []
S3 BlueletSCOAudio;Bluetooth SCO Audio Service; E:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys []
S3 BT;Bluetooth PAN Network Adapter; E:\WINDOWS\system32\DRIVERS\btnetdrv.sys []
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; E:\WINDOWS\System32\Drivers\btcusb.sys []
S3 CCDECODE;Decoder sottotitoli codificati; E:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 DcFpoint;DcFpoint; E:\WINDOWS\system32\DRIVERS\DcFpoint.sys [2004-05-20 61564]
S3 DcLps;Legacy Polling Service; E:\WINDOWS\system32\DRIVERS\DcLps.sys [2004-05-20 8022]
S3 DcPTP;dcptp; E:\WINDOWS\system32\DRIVERS\DcPTP.sys [2004-07-07 70070]
S3 mouhid;Driver di mouse HID; E:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-30 12160]
S3 MPE;BDA MPE Filter; E:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-13 15232]
S3 MSTEE;Convertitore a T/Sito a sito per flusso Microsoft; E:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; E:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Connesione TV/Video Microsoft; E:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; E:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-31 5888]
S3 SLIP;BDA Slip De-Framer; E:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; E:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USB28xxBGA;WinTV HVR-900; E:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-06-06 281600]
S3 USB28xxOEM;WinTV OEM Filter; E:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-06-02 21376]
S3 VComm;Virtual Serial port driver; E:\WINDOWS\system32\DRIVERS\VComm.sys []
S3 VcommMgr;Bluetooth VComm Manager Service; E:\WINDOWS\System32\Drivers\VcommMgr.sys []
S3 WSTCODEC;Codec World Standard Teletext; E:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; E:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; E:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; E:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 a2free;a-squared Free Service; E:\Programmi\a-squared Free\a2service.exe [2010-04-18 1872320]
R2 AntiVirScheduler;Avira AntiVir Scheduler; E:\Programmi\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; E:\Programmi\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service; F:\Downloads\Cobian Backup\cbVSCService.exe [2010-04-28 67584]
R2 CCALib8;Canon Camera Access Library 8; E:\Programmi\Canon\CAL\CALMAIN.exe [2007-01-31 96370]
R2 InCDsrv;InCD Helper; F:\Nero\InCD\InCDsrv.exe [2005-04-12 869376]
R2 JavaQuickStarterService;Java Quick Starter; E:\Programmi\Java\jre6\bin\jqs.exe [2010-04-12 153376]
R2 KodakCCS;Kodak Camera Connection Software; E:\WINDOWS\system32\drivers\KodakCCS.exe [2004-05-24 322104]
R2 MDM;Machine Debug Manager; E:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 NVSvc;NVIDIA Display Driver Service; E:\WINDOWS\system32\nvsvc32.exe [2004-09-30 127043]
R2 SmcService;Sygate Personal Firewall; F:\Sygate Firewall\smc.exe [2004-06-30 2376928]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R3 iPod Service;Servizio iPod; E:\Programmi\iPod\bin\iPodService.exe [2009-11-12 545568]
R3 lxcy_device;lxcy_device; E:\WINDOWS\system32\lxcycoms.exe [2006-02-20 495616]
S2 gupdate;Servizio di Google Update (gupdate); E:\Programmi\Google\Update\GoogleUpdate.exe [2010-01-09 135664]
S2 gusvc;Google Software Updater; E:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 Apple Mobile Device;Apple Mobile Device; E:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
S3 aspnet_state;ASP.NET State Service; E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 Bonjour Service;Bonjour Service; E:\Programmi\Bonjour\mDNSResponder.exe [2008-12-12 238888]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; E:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-06-21 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; E:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NeroNET;NeroNET; F:\Nero\NeroNET\NeroNET.exe [2004-11-30 1122304]
S3 WMPNetworkSvc;Servizio di condivisione in rete Windows Media Player; E:\Programmi\Windows Media Player\WMPNetwk.exe [2006-11-02 918528]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; E:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-05-11 08:38:00

======Uninstall list======

-->E:\Programmi\File comuni\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 E:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe AIR-->E:\Programmi\File comuni\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Anchor Service CS4-->MsiExec.exe /I{1618734A-3957-4ADD-8199-F973763109A8}
Adobe Bridge CS4-->MsiExec.exe /I{83877DB1-8B77-45BC-AB43-2BAC22E093E0}
Adobe CMaps CS4-->MsiExec.exe /I{94D398EB-D2FD-4FD1-B8C4-592635E8A191}
Adobe Color - Photoshop Specific CS4-->MsiExec.exe /I{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}
Adobe Color EU Recommended Settings CS4-->MsiExec.exe /I{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}
Adobe Color JA Extra Settings CS4-->MsiExec.exe /I{0D6013AB-A0C7-41DC-973C-E93129C9A29F}
Adobe Color NA Extra Settings CS4-->MsiExec.exe /I{098A2A49-7CF3-4F08-A38D-FB879117152A}
Adobe Color Video Profiles CS CS4-->MsiExec.exe /I{63C24A08-70F3-4C8E-B9FB-9F21A903801D}
Adobe CSI CS4-->MsiExec.exe /I{0F723FC1-7606-4867-866C-CE80AD292DAF}
Adobe Default Language CS4-->MsiExec.exe /I{C52E3EC1-048C-45E1-8D53-10B0C6509683}
Adobe Device Central CS4-->MsiExec.exe /I{67F0E67A-8E93-4C2C-B29D-47C48262738A}
Adobe Drive CS4-->MsiExec.exe /I{16E16F01-2E2D-4248-A42F-76261C147B6C}
Adobe ExtendScript Toolkit CS4-->MsiExec.exe /I{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}
Adobe Extension Manager CS4-->MsiExec.exe /I{054EFA56-2AC1-48F4-A883-0AB89874B972}
Adobe Flash Player 10 ActiveX-->E:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All-->MsiExec.exe /I{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}
Adobe Linguistics CS4-->MsiExec.exe /I{931AB7EA-3656-4BB7-864D-022B09E3DD67}
Adobe Media Player-->msiexec /qb /x {39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Media Player-->MsiExec.exe /I{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Output Module-->MsiExec.exe /I{BB4E33EC-8181-4685-96F7-8554293DEC6A}
Adobe PDF Library Files CS4-->MsiExec.exe /I{F93C84A6-0DC6-42AF-89FA-776F7C377353}
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Photoshop CS4 Support-->MsiExec.exe /I{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}
Adobe Photoshop CS4-->E:\Programmi\File comuni\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\Setup.exe --uninstall=1
Adobe Photoshop CS4-->MsiExec.exe /I{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}
Adobe Photoshop CS4-->MsiExec.exe /I{E4848436-0345-47E2-B648-8B522FCDA623}
Adobe Reader 7.1.0 - Italiano-->MsiExec.exe /I{AC76BA86-7AD7-1040-7B44-A71000000002}
Adobe Search for Help-->MsiExec.exe /I{F0E64E2E-3A60-40D8-A55D-92F6831875DA}
Adobe Service Manager Extension-->MsiExec.exe /I{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}
Adobe Setup-->MsiExec.exe /I{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}
Adobe Shockwave Player 11.5-->"E:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Adobe Type Support CS4-->MsiExec.exe /I{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}
Adobe Update Manager CS4-->MsiExec.exe /I{05308C4E-7285-4066-BAE3-6B50DA6ED755}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}
Adobe XMP Panels CS4-->MsiExec.exe /I{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}
AdobeColorCommonSetCMYK-->MsiExec.exe /I{68243FF8-83CA-466B-B2B8-9F99DA5479C4}
AdobeColorCommonSetRGB-->MsiExec.exe /I{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}
Aggiornamento critico per Windows Media Player 11 (KB959772)-->"E:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB928090)-->"E:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB929969)-->"E:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB931768)-->"E:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB933566)-->"E:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB938127)-->"E:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB939653)-->"E:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB942615)-->"E:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB944533)-->"E:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB950759)-->"E:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB953838)-->"E:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB956390)-->"E:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB958215)-->"E:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB960714)-->"E:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB961260)-->"E:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB963027)-->"E:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 7 (KB969897)-->"E:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 8 (KB969897)-->"E:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 8 (KB971961)-->"E:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 8 (KB972260)-->"E:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 8 (KB974455)-->"E:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 8 (KB976325)-->"E:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Internet Explorer 8 (KB981332)-->"E:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player (KB952069)-->"E:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player (KB954155)-->"E:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player (KB968816)-->"E:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player (KB973540)-->"E:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player 11 (KB936782)-->"E:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player 11 (KB954154)-->"E:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player 9 (KB911565)-->"E:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows Media Player 9 (KB917734)-->"E:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB923561)-->"E:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB938464)-->"E:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB938464-v2)-->"E:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB941569)-->"E:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB946648)-->"E:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB950760)-->"E:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB950762)-->"E:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB950974)-->"E:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB951066)-->"E:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB951376-v2)-->"E:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB951698)-->"E:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB951748)-->"E:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB952004)-->"E:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB952954)-->"E:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB953839)-->"E:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB954211)-->"E:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB954459)-->"E:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB954600)-->"E:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB955069)-->"E:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB956391)-->"E:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB956572)-->"E:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB956744)-->"E:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB956802)-->"E:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB956803)-->"E:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB956841)-->"E:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB956844)-->"E:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB957095)-->"E:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB957097)-->"E:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB958644)-->"E:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB958687)-->"E:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB958690)-->"E:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB958869)-->"E:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB959426)-->"E:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB960225)-->"E:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB960715)-->"E:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB960803)-->"E:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB960859)-->"E:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB961371)-->"E:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB961373)-->"E:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB961501)-->"E:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB968537)-->"E:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB969059)-->"E:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB969898)-->"E:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB969947)-->"E:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB970238)-->"E:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB970430)-->"E:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB971468)-->"E:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB971486)-->"E:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB971557)-->"E:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB971633)-->"E:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB971657)-->"E:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB972270)-->"E:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB973346)-->"E:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB973354)-->"E:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB973507)-->"E:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB973525)-->"E:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB973869)-->"E:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB973904)-->"E:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB974112)-->"E:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB974318)-->"E:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB974392)-->"E:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB974571)-->"E:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB975025)-->"E:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB975467)-->"E:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB975560)-->"E:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB975561)-->"E:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB975713)-->"E:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB977816)-->"E:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB977914)-->"E:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB978037)-->"E:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB978262)-->"E:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB978338)-->"E:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB978601)-->"E:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB978706)-->"E:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB979309)-->"E:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB979683)-->"E:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB980232)-->"E:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Aggiornamento per Windows Internet Explorer 8 (KB971930)-->"E:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Aggiornamento per Windows Internet Explorer 8 (KB976662)-->"E:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Aggiornamento per Windows Internet Explorer 8 (KB976749)-->"E:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Aggiornamento per Windows Internet Explorer 8 (KB980182)-->"E:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB951072-v2)-->"E:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB951978)-->"E:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB955759)-->"E:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB955839)-->"E:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB967715)-->"E:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB968389)-->"E:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB971737)-->"E:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB973687)-->"E:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB973815)-->"E:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows Internet Explorer 7 (KB947864)-->"E:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Aggiornamento rapido per Windows Media Player 11 (KB939683)-->"E:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows XP (KB952287)-->"E:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows XP (KB961118)-->"E:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows XP (KB970653-v3)-->"E:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows XP (KB976098-v2)-->"E:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows XP (KB979306)-->"E:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
AnyDVD-->"E:\Programmi\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="E:\Programmi\SlySoft\AnyDVD"
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
a-squared Free 4.5-->"E:\Programmi\a-squared Free\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->E:\Programmi\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Canon Camera Access Library-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "E:\Programmi\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "E:\Programmi\Canon\CSCLIB\Uninst.ini"
Canon EOS 5D WIA Driver-->E:\Programmi\File comuni\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BB3AB664-D92B-4CB5-8B3E-D841841F4E68} /l1033
CANON iMAGE GATEWAY Task for ZoomBrowser EX-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\ZoomBrowser EX\Program\CRWUnInstall.ini"
Canon Internet Library for ZoomBrowser EX-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\ZoomBrowser EX\Program\CIGUnInstall.ini"
Canon RAW Image Task for ZoomBrowser EX-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\RAW Image Task\Uninst.ini"
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities CameraWindow-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities Digital Photo Professional 3.4-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities Original Data Security Tools-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\Original Data Security Tools\Uninst.ini"
Canon Utilities PhotoStitch-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\PhotoStitch\Uninst.ini"
Canon Utilities Picture Style Editor-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\Picture Style Editor\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities WFT-E1/E2/E3 Utility-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\WFT Utility\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility-->"E:\Programmi\File comuni\Canon\UIW\1.4.0.0\Uninst.exe" "F:\Canon\ZoomBrowser EX MCU\Uninst.ini"
CardRd81-->MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCHelp-->MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
CloneCD-->"E:\Programmi\SlySoft\CloneCD\ccd-uninst.exe" /D="E:\Programmi\SlySoft\CloneCD"
CloneDVD2-->"E:\Programmi\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="E:\Programmi\Elaborate Bytes\CloneDVD2"
Cobian Backup 10-->F:\Downloads\Cobian Backup\cbUninstall.exe
Connect-->MsiExec.exe /I{B29AD377-CC12-490A-A480-1452337C618D}
CR2-->MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Creative DVD Audio Plugin for Audigy Series-->"E:\Programmi\Creative\CTDPlugin\CTUIDVD.exe " -u
Danea Family Manager 4.0-->F:\DANEAF~1\UNWISE.EXE F:\DANEAF~1\INSTALL.LOG
Duke Nukem - Manhattan Project-->E:\PROGRA~1\FILECO~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8B9336DB-8D04-4325-BAFC-C7141D8E6CA1} /l1040
eMule AdunanzA-->F:\Adunanza\AdunanzA_Uninstaller.exe
ERUNT 1.1j-->E:\Programmi\ERUNT\unins000.exe
ESSAdpt-->MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP-->MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCAM-->MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT-->MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL-->MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp-->MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC-->MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTUTOR-->MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht-->MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot-->MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Google Earth-->MsiExec.exe /X{08C0729E-3E50-11DF-9D81-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"E:\Programmi\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hauppauge Italian Help Files and Resources-->E:\PROGRA~1\WinTV\UNHLPita.EXE E:\PROGRA~1\WinTV\WTV2Kita.LOG
Hauppauge TvTv Sync-->E:\PROGRA~1\WinTV\SCHEDU~1\EPG\TvTv\uniTvTv.exe E:\PROGRA~1\WinTV\SCHEDU~1\EPG\TvTv\uniTvTv.log
Hauppauge WinTV Scheduler-->E:\PROGRA~1\WinTV\SCHEDU~1\uniSCHED.exe E:\PROGRA~1\WinTV\SCHEDU~1\uniSCHED.log
Hauppauge WinTV Soft PVR-->E:\PROGRA~1\WinTV\UNSftPVR.EXE E:\PROGRA~1\WinTV\softpvr.LOG
Hauppauge WinTV2000-->E:\PROGRA~1\WinTV\UNTV32.EXE E:\PROGRA~1\WinTV\WINTV2K.LOG
HLPCCTR-->MsiExec.exe /I{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}
HLPIndex-->MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK-->MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPSFO-->MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->E:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->E:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"E:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InCD-->E:\WINDOWS\NuNInst.exe /UNINSTALL
InterVideo FilterSDK for Hauppauge-->RunDll32 E:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Programmi\InstallShield Installation Information\{2227E1FA-01F5-483C-AB0E-2A308E900B3D}\setup.exe" REMOVEALL
InterVideo WinDVD 5-->"E:\Programmi\InstallShield Installation Information\{1B399A41-C1D0-40A2-9E4F-095868EFAF01}\setup.exe" REMOVEALL
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java™ 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
K-Lite Codec Pack 2.82 Full-->"F:\Downloads\Utilities\K-Lite Codec Pack\unins000.exe"
Kodak EasyShare software-->E:\Documents and Settings\All Users\Dati applicazioni\Kodak\EasyShareSetup\$SETUP_9_142578\Setup.exe /APR-REMOVE
KSU-->MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
kuler-->MsiExec.exe /I{098727E1-775A-4450-B573-3F441F1CA243}
Labtec Mouse V2.1-->E:\Programmi\Labtec\Mouse\2.1\uninst00.exe
Lexmark 3400 Series-->E:\Programmi\Lexmark 3400 Series\Install\x86\Uninst.exe
Lexmark Barra degli strumenti-->regsvr32.exe /s /u "E:\Programmi\Lexmark Toolbar\toolband.dll"
Magic Manager 9.0-->E:\WINDOWS\unvise32.exe f:\magic manager\uninstal.log
Malwarebytes' Anti-Malware-->"E:\Programmi\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->E:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"E:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"E:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"E:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional con FrontPage-->MsiExec.exe /I{90280410-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"E:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MP3 Player Utilities 3.5.02-->MsiExec.exe /I{0DE7211B-A7CB-4112-8D62-142A0EBDFAD9}
MP3 Player Utilities 3.68-->MsiExec.exe /I{7784A172-61F1-445E-8368-601607E0DD22}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NBA LIVE 06-->F:\NBA LIVE 06\EAUninstall.exe
Nero 6 Ultra Edition-->F:\Nero\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Digital-->E:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Media Player-->E:\WINDOWS\UNNMP.exe /UNINSTALL
NeroMIX-->E:\WINDOWS\UNNMIX.exe /UNINSTALL
NeroNET-->E:\WINDOWS\UNNeroNET.exe /UNINSTALL
NET-PRINT easyUp 3.3.23.1250-->"F:\NET-PRINT easyUp\unins000.exe"
NHL 2005-->F:\NHL 2005\EAUninstall.exe
Notifier-->MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NVIDIA Drivers-->E:\WINDOWS\system32\nvudisp.exe UninstallGUI
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Online Manuals for WinTV (English)-->E:\PROGRA~1\WinTV\UNTVmans.exe E:\PROGRA~1\WinTV\WinTVMan.LOG
OTtBP-->MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK-->MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
PCDLNCH-->MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
PDF Settings CS4-->MsiExec.exe /I{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
Photoshop Camera Raw-->MsiExec.exe /I{CC75AB5C-2110-4A7F-AF52-708680D22FE8}
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
RealPlayer-->E:\Programmi\File comuni\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SFR-->MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2-->MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
Sid Meier's Civilization 4-->RunDll32 E:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "E:\Programmi\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x10 -removeonly
Skype 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Soluzioni per l'invio di fax Lexmark-->E:\Programmi\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
SopCast 2.0.4-->F:\Downloads\Sopcast\uninst.exe
SoundMAX-->RunDll32 E:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Programmi\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy-->"F:\Spybot - Search & Destroy\unins000.exe"
Suite Shared Configuration CS4-->MsiExec.exe /I{842B4B72-9E8F-4962-B3C1-1C422A5C4434}
Sygate Personal Firewall-->MsiExec.exe /X{59BCEEEC-3C0F-4A02-80FC-0B8A6E26B31F}
Thrustmaster Force Feedback Driver-->RunDll32 E:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "E:\Programmi\InstallShield Installation Information\{8F5A0981-5CDC-41D0-BCA2-AD3B777FC358}\setup.exe" -l0x10 -removeonly
TVAnts 1.0-->F:\DOWNLO~1\TVAnts\UNWISE.EXE F:\DOWNLO~1\TVAnts\INSTALL.LOG
TVUPlayer 2.4.5.1-->F:\Downloads\TVUPlayer\uninst.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->E:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VCAMCEN-->MsiExec.exe /I{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}
VideoLAN VLC media player 0.8.6d-->F:\Downloads\VLC\uninstall.exe
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Internet Explorer 8-->"E:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"E:\Programmi\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"E:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"E:\Programmi\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"E:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"E:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->E:\Programmi\WinRAR\uninstall.exe
WinZip-->"E:\Programmi\WinZip\WINZIP32.EXE" /uninstall

======Hosts File======

127.0.0.1 mpa.one.microsoft.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: PC-CASA-XP
Event Code: 126
Message: Link Partner is not Auto-Negotiation able

Record Number: 14489
Source Name: yukonwxp
Time Written: 20100325213714.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 138
Message: Autonegotiation Mode 2

Record Number: 14488
Source Name: yukonwxp
Time Written: 20100325213714.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 6005
Message: Il servizio Registro eventi è stato avviato.

Record Number: 14487
Source Name: EventLog
Time Written: 20100325213657.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 6009
Message: Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Uniprocessor Free.

Record Number: 14486
Source Name: EventLog
Time Written: 20100325213657.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 6006
Message: Il servizio Registro eventi è stato arrestato.

Record Number: 14485
Source Name: EventLog
Time Written: 20100325002316.000000+060
Event Type: Informazione
User:

=====Application event log=====

Computer Name: PC-CASA-XP
Event Code: 1800
Message: Servizio Centro sicurezza PC Windows avviato.

Record Number: 7960
Source Name: SecurityCenter
Time Written: 20100320120217.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 1
Message:
Record Number: 7959
Source Name: Bonjour Service
Time Written: 20100320120211.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 0
Message:
Record Number: 7958
Source Name: gusvc
Time Written: 20100320120207.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 0
Message:
Record Number: 7957
Source Name: gupdate
Time Written: 20100320120207.000000+060
Event Type: Informazione
User:

Computer Name: PC-CASA-XP
Event Code: 105
Message:
Record Number: 7956
Source Name: dcfssvc
Time Written: 20100320120207.000000+060
Event Type: Informazione
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;E:\Programmi\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 14 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0e00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;E:\Programmi\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=E:\Programmi\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 09:33:27
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: E:\DOCUME~1\Flu\IMPOST~1\Temp\uxdirkob.sys


---- System - GMER 1.0.15 ----

SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF58AFB30]
SSDT F7BF42BE ZwCreateKey
SSDT F7BF42B4 ZwCreateThread
SSDT F7BF42C3 ZwDeleteKey
SSDT F7BF42CD ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF7341C22]
SSDT sptd.sys ZwEnumerateValueKey [0xF7341F9A]
SSDT F7BF42D2 ZwLoadKey
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF58AF470]
SSDT sptd.sys ZwOpenKey [0xF734198E]
SSDT F7BF42A0 ZwOpenProcess
SSDT F7BF42A5 ZwOpenThread
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF58AFC50]
SSDT sptd.sys ZwQueryKey [0xF7342064]
SSDT sptd.sys ZwQueryValueKey [0xF7341EFC]
SSDT F7BF42DC ZwReplaceKey
SSDT F7BF42D7 ZwRestoreKey
SSDT F7BF42C8 ZwSetValueKey
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF58AF990]
SSDT F7BF42AF ZwTerminateProcess
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF58AFD60]

---- Kernel code sections - GMER 1.0.15 ----

? E:\WINDOWS\system32\drivers\sptd.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.
? E:\WINDOWS\System32\Drivers\SPTD3069.SYS Impossibile accedere al file. Il file è utilizzato da un altro processo.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F649B4F0 16 Bytes [95, A8, DA, 36, B9, 19, 32, ...]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F649B501 31 Bytes [A0, 49, F6, 92, 50, 46, 02, ...]
? E:\WINDOWS\System32\Drivers\dtscsi.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.
.text tcpip.sys!IPTransmit + 10FC EB07AD3A 6 Bytes CALL F711EC20 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 EB07C690 6 Bytes CALL F711EC20 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 EB092454 6 Bytes CALL F711EC20 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys ED79C3FD 7 Bytes CALL F711ED70 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text E:\Programmi\Avira\AntiVir Desktop\sched.exe[224] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01962862
.text E:\Programmi\Avira\AntiVir Desktop\sched.exe[224] WS2_32.dll!send 71A34C27 5 Bytes JMP 019626EE
.text E:\Programmi\Avira\AntiVir Desktop\sched.exe[224] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 019627E0
.text E:\Programmi\Avira\AntiVir Desktop\sched.exe[224] WS2_32.dll!recv 71A3676F 5 Bytes JMP 01962726
.text E:\Programmi\Avira\AntiVir Desktop\sched.exe[224] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 0196275E
.text E:\Programmi\Avira\AntiVir Desktop\avguard.exe[256] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01E02862
.text E:\Programmi\Avira\AntiVir Desktop\avguard.exe[256] WS2_32.dll!send 71A34C27 5 Bytes JMP 01E026EE
.text E:\Programmi\Avira\AntiVir Desktop\avguard.exe[256] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 01E027E0
.text E:\Programmi\Avira\AntiVir Desktop\avguard.exe[256] WS2_32.dll!recv 71A3676F 5 Bytes JMP 01E02726
.text E:\Programmi\Avira\AntiVir Desktop\avguard.exe[256] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01E0275E
.text E:\Programmi\Java\jre6\bin\jqs.exe[608] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01DF2862
.text E:\Programmi\Java\jre6\bin\jqs.exe[608] WS2_32.dll!send 71A34C27 5 Bytes JMP 01DF26EE
.text E:\Programmi\Java\jre6\bin\jqs.exe[608] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 01DF27E0
.text E:\Programmi\Java\jre6\bin\jqs.exe[608] WS2_32.dll!recv 71A3676F 5 Bytes JMP 01DF2726
.text E:\Programmi\Java\jre6\bin\jqs.exe[608] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01DF275E
.text F:\Sygate Firewall\smc.exe[1392] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01A02862
.text F:\Sygate Firewall\smc.exe[1392] WS2_32.dll!send 71A34C27 5 Bytes JMP 01A026EE
.text F:\Sygate Firewall\smc.exe[1392] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 01A027E0
.text F:\Sygate Firewall\smc.exe[1392] WS2_32.dll!recv 71A3676F 5 Bytes JMP 01A02726
.text F:\Sygate Firewall\smc.exe[1392] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01A0275E
.text E:\WINDOWS\Explorer.EXE[1672] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 015E2862
.text E:\WINDOWS\Explorer.EXE[1672] WS2_32.dll!send 71A34C27 5 Bytes JMP 015E26EE
.text E:\WINDOWS\Explorer.EXE[1672] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 015E27E0
.text E:\WINDOWS\Explorer.EXE[1672] WS2_32.dll!recv 71A3676F 5 Bytes JMP 015E2726
.text E:\WINDOWS\Explorer.EXE[1672] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 015E275E
.text E:\Programmi\a-squared Free\a2service.exe[2012] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 E:\Programmi\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text E:\Programmi\Canon\CAL\CALMAIN.exe[2696] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00DB2862
.text E:\Programmi\Canon\CAL\CALMAIN.exe[2696] WS2_32.dll!send 71A34C27 5 Bytes JMP 00DB26EE
.text E:\Programmi\Canon\CAL\CALMAIN.exe[2696] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00DB27E0
.text E:\Programmi\Canon\CAL\CALMAIN.exe[2696] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00DB2726
.text E:\Programmi\Canon\CAL\CALMAIN.exe[2696] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00DB275E
.text E:\Programmi\iPod\bin\iPodService.exe[3212] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00BA2862
.text E:\Programmi\iPod\bin\iPodService.exe[3212] WS2_32.dll!send 71A34C27 5 Bytes JMP 00BA26EE
.text E:\Programmi\iPod\bin\iPodService.exe[3212] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00BA27E0
.text E:\Programmi\iPod\bin\iPodService.exe[3212] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00BA2726
.text E:\Programmi\iPod\bin\iPodService.exe[3212] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00BA275E
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 0220290A
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 022028BA
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 0220287E
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B5505 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 4038DAC4 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 4048473F E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40484671 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 404846DC E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40484542 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 404845A4 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 404847A2 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40484606 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] WININET.dll!InternetReadFile 3F9E654B 5 Bytes JMP 02202CF3
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] WININET.dll!InternetCloseHandle 3F9E9088 5 Bytes JMP 02202D4F
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] WININET.dll!HttpOpenRequestA 3F9ED508 2 Bytes JMP 02202AC2
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] WININET.dll!HttpOpenRequestA + 3 3F9ED50B 2 Bytes [81, C2]
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] WININET.dll!InternetConnectA 3F9EDEAE 5 Bytes JMP 02202926
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] WININET.dll!HttpSendRequestW 3F9EFABE 5 Bytes JMP 022030EB
.text E:\Programmi\Internet Explorer\iexplore.exe[3348] WININET.dll!HttpSendRequestA 3F9FEE89 5 Bytes JMP 02202B71
.text E:\Programmi\Lexmark 3400 Series\ezprint.exe[3620] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 02C82862
.text E:\Programmi\Lexmark 3400 Series\ezprint.exe[3620] WS2_32.dll!send 71A34C27 5 Bytes JMP 02C826EE
.text E:\Programmi\Lexmark 3400 Series\ezprint.exe[3620] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 02C827E0
.text E:\Programmi\Lexmark 3400 Series\ezprint.exe[3620] WS2_32.dll!recv 71A3676F 5 Bytes JMP 02C82726
.text E:\Programmi\Lexmark 3400 Series\ezprint.exe[3620] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 02C8275E
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 0293290A
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 029328BA
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 0293287E
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B5505 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 40389A75 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!CallNextHookEx 7E3AB3C6 5 Bytes JMP 4037D101 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 4038DAC4 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!UnhookWindowsHookEx 7E3AD5F3 5 Bytes JMP 402F466E E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 4048473F E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40484671 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 404846DC E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40484542 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 404845A4 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 404847A2 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40484606 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 4038DB20 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] ole32.dll!OleLoadFromStream 774F9C85 5 Bytes JMP 40484AA7 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] WININET.dll!InternetReadFile 3F9E654B 5 Bytes JMP 02932CF3
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] WININET.dll!InternetCloseHandle 3F9E9088 5 Bytes JMP 02932D4F
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] WININET.dll!HttpOpenRequestA 3F9ED508 2 Bytes JMP 02932AC2
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] WININET.dll!HttpOpenRequestA + 3 3F9ED50B 2 Bytes [F4, C2]
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] WININET.dll!InternetConnectA 3F9EDEAE 5 Bytes JMP 02932926
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] WININET.dll!HttpSendRequestW 3F9EFABE 5 Bytes JMP 029330EB
.text E:\Programmi\Internet Explorer\iexplore.exe[3688] WININET.dll!HttpSendRequestA 3F9FEE89 5 Bytes JMP 02932B71
.text E:\Programmi\File comuni\Java\Java Update\jusched.exe[3760] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00E92862
.text E:\Programmi\File comuni\Java\Java Update\jusched.exe[3760] WS2_32.dll!send 71A34C27 5 Bytes JMP 00E926EE
.text E:\Programmi\File comuni\Java\Java Update\jusched.exe[3760] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00E927E0
.text E:\Programmi\File comuni\Java\Java Update\jusched.exe[3760] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00E92726
.text E:\Programmi\File comuni\Java\Java Update\jusched.exe[3760] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00E9275E
.text E:\Programmi\iTunes\iTunesHelper.exe[3776] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 017D2862
.text E:\Programmi\iTunes\iTunesHelper.exe[3776] WS2_32.dll!send 71A34C27 5 Bytes JMP 017D26EE
.text E:\Programmi\iTunes\iTunesHelper.exe[3776] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 017D27E0
.text E:\Programmi\iTunes\iTunesHelper.exe[3776] WS2_32.dll!recv 71A3676F 5 Bytes JMP 017D2726
.text E:\Programmi\iTunes\iTunesHelper.exe[3776] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 017D275E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F92450
Device \FileSystem\Fastfat \FatCdrom 86AC8280
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F920E8
Device \Driver\dmio \Device\DmControl\DmConfig 86F920E8
Device \Driver\dmio \Device\DmControl\DmPnP 86F920E8
Device \Driver\dmio \Device\DmControl\DmInfo 86F920E8
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device pci.sys (Enumeratore PCI Plug and Play per NT/Microsoft Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FDB2B0
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FDB2B0
Device \Driver\Cdrom \Device\CdRom0 86C6ED18
Device \FileSystem\Rdbss \Device\FsWrap 86B950E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 86FDB2B0
Device \Driver\Cdrom \Device\CdRom1 86C6ED18
Device \Driver\atapi \Device\Ide\IdePort0 [F7291B40] atapi.sys[unknown section] {MOV EAX, 0x86f92dd0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7351e12; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [F7291B40] atapi.sys[unknown section] {MOV EAX, 0x86f92dd0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7351e12; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 [F7291B40] atapi.sys[unknown section] {MOV EAX, 0x86f92dd0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7351e12; RET }
Device \Driver\USBSTOR \Device\00000075 86A34328
Device \Driver\USBSTOR \Device\00000077 86A34328
Device \Driver\NetBT \Device\NetBt_Wins_Export 86A37DC8
Device \Driver\00000040 \Device\0000004a sptd.sys
Device \FileSystem\InCDfs \Device\InCDfsComm 869617F8
Device \Driver\NetBT \Device\NetbiosSmb 86A37DC8
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Disk \Device\Harddisk0\DR0 86F92688
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Disk \Device\Harddisk1\DR4 86F92688
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+5 86F92688
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86C740E8
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86C740E8
Device \FileSystem\Npfs \Device\NamedPipe 86A9C6D8
Device \Driver\Ftdisk \Device\FtControl 86FDB2B0
Device \FileSystem\Msfs \Device\Mailslot 86A679F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3625582B-18DB-4478-B043-20844E7E38DC} 86A37DC8
Device \Driver\viasraid \Device\Scsi\viasraid1 86F92BF8
Device \Driver\viasraid \Device\Scsi\viasraid1 869F3068
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 86F92BF8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 869F3068
Device \Driver\dtscsi \Device\Scsi\dtscsi1 86BAD288
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 86BAD288
Device \FileSystem\Fastfat \Fat 86AC8280

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\InCDfs \GLOBAL??\BsUDF 869617F8
Device \FileSystem\Cdfs \Cdfs 86A27310

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Daemon Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x21 0xCC 0x71 0x91 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x32 0x73 0xC7 0x53 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1D 0x82 0x74 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Daemon Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x21 0xCC 0x71 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x32 0x73 0xC7 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD5 0x6E 0x02 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 -1700233238
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1136358979
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 957530644
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Daemon Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFF 0x6B 0x00 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x32 0x73 0xC7 0x53 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1D 0x82 0x74 0xB4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Daemon Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFF 0x6B 0x00 0xC6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x32 0x73 0xC7 0x53 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1D 0x82 0x74 0xB4 ...

---- EOF - GMER 1.0.15 ----


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:11 AM

Posted 11 May 2010 - 03:26 AM

Hello, plunio.
QUOTE
Note that my hard disk is partitioned in this way:
C:\ with OS Win2k, that I never use and I did not include in GMER Scan (please confirm it is OK);
E:\ with OS WinXP, the one I always work with and where I am experiencing all the issues;
F:\ just for data, not included in GMER Scan

Yes that's perfectly fine. Thanks for letting me know.

P2P Program Warning!

eMule

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to run Defogger
  1. Please download DeFogger to your desktop.
  2. Double click DeFogger to run the tool.
  3. The application window will appear
  4. Click the Disable button to disable your CD Emulation drivers
  5. Click Yes to continue
  6. A 'Finished!' message will appear
  7. Click OK
  8. DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


NEXT:

We need to run HAMeb_check
  1. Download HAMeb_check.exe to your desktop
  2. Run HAMeb_check
  3. Post the contents of the resulting log.

In your next reply, please include the following:
  • defogger_disable log (if applicable)
  • HAMeb_check log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 plunio

plunio
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 11 May 2010 - 01:54 PM

Hello, aommaster.

Got the message about eMule.
TeaTimer was already disabled.
DeFogger ran without error messages.

Here is the log from HAMeb_check:

E:\Documents and Settings\Flu\Desktop\HAMeb_check.exe
11/05/2010 at 20.44.00,51

Account attivo S
Appartenenze al gruppo locale *Administrators

~~ Checking profile list ~~

S-1-5-21-1004336348-1644491937-725345543-1008
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A88998]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5413:TCP"=5413:TCP:*:Enabled:Services
"9326:TCP"=9326:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5413:TCP"=5413:TCP:*:Enabled:Services
"9326:TCP"=9326:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

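The HAMeb_check log above walks through four host indicators: an active HelpAssistant account sitting in Administrators, a TermService ServiceDll swapped for termsrv32.dll, extra GloballyOpenPorts firewall entries, and a leftover HelpAssistant profile. The following is an added PowerShell example (not the tool's own code, and not posted in this thread) that performs the same checks read-only; it assumes an elevated PowerShell prompt on the affected host and queries the account through ADSI, so it does not depend on the language of the `net user` output.

```powershell
# Added example: read-only checks for the indicators HAMeb_check reports.
# Assumptions: run elevated on the affected Windows host; nothing is changed.
$findings = @()

# 1. Account state via ADSI instead of parsing localized 'net user' output.
try {
    $ha = [ADSI]"WinNT://$env:COMPUTERNAME/HelpAssistant,user"
    if (-not [bool]$ha.psbase.InvokeGet("AccountDisabled")) {
        $findings += "HelpAssistant account is ENABLED (disabled by default)"
    }
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $names = @($admins.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    })
    if ($names -contains 'HelpAssistant') {
        $findings += "HelpAssistant is a member of local Administrators"
    }
} catch {
    $findings += "Could not query the HelpAssistant account: $_"
}

# 2. TermService ServiceDll: the stock value ends in termsrv.dll, not termsrv32.dll.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$dll = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).ServiceDll
if ($dll -and $dll -notmatch '\\termsrv\.dll$') {
    $findings += "TermService ServiceDll is $dll"
}

# 3. Globally open firewall ports in both profiles; only the Remote Desktop
#    entry is expected, anything else (the 'Services' entries in the log) is flagged.
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters" +
           "\FirewallPolicy\$profile\GloballyOpenPorts\List"
    $list = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($list) {
        foreach ($p in $list.PSObject.Properties) {
            if ($p.Name -match '^\d+:(TCP|UDP)$' -and $p.Value -notmatch 'Remote Desktop$') {
                $findings += "$profile open port $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 4. HelpAssistant profile registered in ProfileList or present on disk.
$plKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -Path $plKey -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    if ($img -match '\\HelpAssistant$') {
        $findings += "ProfileList entry $($_.PSChildName) -> $img"
    }
}
$dir = Join-Path $env:SystemDrive 'Documents and Settings\HelpAssistant'
if (Test-Path -LiteralPath $dir) { $findings += "Profile directory exists: $dir" }

if ($findings) { $findings | ForEach-Object { "[!] $_" } }
else { "No HelpAssistant indicators found" }
```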

#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:11 AM

Posted 11 May 2010 - 03:13 PM

Hello, plunio.
Fantastic. The tool above confirmed that you had HelpAssistant on. This next tool will hopefully remove that infection.

We need to run HelpAsst_mebroot_fix
  1. Download HelpAsst_mebroot_fix.exe and save it to your desktop.
  2. Close out all other open programs and windows.
  3. Run HelpAsst_mebroot_fix and follow any prompts.
  4. If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  5. Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
    helpasst -mbrt
    Note: Make sure you leave a space between helpasst and -mbrt
  6. When it completes, a log will open. Please post the contents of that log.
In the event the tool does not detect an MBR infection and completes do the following:
  1. Click Start>Run and type the following bolded command, then hit Enter.
    mbr -f
  2. Click Start>Run and run the mbr -f command a second time.
  3. Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
    helpasst -mbrt
    Note: Make sure you leave a space between helpasst and -mbrt
  4. When it completes, a log will open. Please post the contents of that log.
**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).


In your next reply, please include the following:
  • HelpAsst_mebroot_fix log



#7 plunio

plunio
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 11 May 2010 - 03:53 PM

Hello, aommaster.
I'm afraid we will have to spend some more time on it...
HelpAsst_mebroot_fix did not find an MBR infection. Here is the log:

E:\Documents and Settings\Flu\Desktop\HelpAsst_mebroot_fix.exe
11/05/2010 at 22.28.22,42

Could not determine language ~ no action taken on account ~ please consult noahdfear

00000410
Nome utente HelpAssistant
Nome completo HelpAssistant
Commento
Commento utente
Codice del paese 000 (Predefinito del sistema)
Account attivo S
Scadenza account Mai

Ultima impostazione password 5/11/2010 8:42 PM
Scadenza password Mai
Password cambiabile 5/11/2010 8:42 PM
Password richiesta S
L'utente può cambiare la password S

Workstation consentite Tutti
Script di accesso
Profilo utente
Home directory
Ultimo accesso 5/11/2010 8:42 PM

Ore di accesso consentito Tutti

Appartenenze al gruppo locale *Administrators
Appartenenze al gruppo globale *Nessuno
Esecuzione comando riuscita.


~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: E:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5413:TCP"=-
"9326:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5413:TCP"=-
"9326:TCP"=-
"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1004336348-1644491937-725345543-1008
HelpAssistant profile directory exists at E:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All E:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 11/05/2010 at 22.43.33,29

Account attivo S
Appartenenze al gruppo locale *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A68DA8]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1004336348-1644491937-725345543-1008
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5413:TCP"=5413:TCP:*:Enabled:Services
"9326:TCP"=9326:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5413:TCP"=5413:TCP:*:Enabled:Services
"9326:TCP"=9326:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:11 AM

Posted 11 May 2010 - 05:48 PM

Hi!

Could you please verify what language the profile is in? Is it Italian?

Thanks



#9 plunio

plunio
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 11 May 2010 - 06:19 PM

Yes, I suppose it is Italian..
Where do I have to check, to be sure?

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:11 AM

Posted 11 May 2010 - 06:27 PM

Hi!

This should be the language that you installed your OS in. e.g:
QUOTE
Aggiornamento della protezione per Windows XP (KB978706)-->"E:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"

If that is in Italian, then it's fine, you won't need a more formal way of checking.

However, if you're not familiar with the language, then please do the following:
  1. Click Start, and then click Search.
  2. Click All files and folders.
  3. In the All or part of the file name box, type winver.exe, and then click Search.
  4. When the file is located, right-click it, and then click Properties.
  5. Click the Version tab.
  6. Under Item name, click Language.
  7. The language version information is displayed under Value.




#11 plunio

plunio
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 11 May 2010 - 06:32 PM

OK, then it's definitely Italian..

#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:11 AM

Posted 11 May 2010 - 08:28 PM

Okay, no problem.

Please do this:
  1. Click Start>Run, and type the following cmd
  2. At the command prompt, type the following commands, each followed by Enter:
    net user helpassistant /active:no
    net localgroup Administrators helpassistant /delete

Now try running the tool again.

Now:
  1. Please download MBR.exe and save it to your root directory (usually C:\).
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    C:\mbr.exe -f
  3. Press enter.
  4. Repeat the mbr.exe -f command one more time
  5. An mbr.log should be created in your root directory. Please post its contents in your next reply.

Edited by aommaster, 11 May 2010 - 08:29 PM.



#13 plunio

plunio
  • Topic Starter

  • Members
  • 49 posts
  •  
  • Local time:10:11 PM

Posted 12 May 2010 - 02:07 AM

Hello, aommaster.

Let me ask one (probably stupid) question: when you write

QUOTE
Now try running the tool again.


do you refer to mbr.exe (just saved in my E:\ directory) or to HelpAsst_mebroot_fix (back to previous posts)?

Thanks for your patience

#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:11 AM

Posted 12 May 2010 - 02:09 AM

Hi!

There are no such things as stupid questions (maybe just stupid answers)

Sorry, I meant HelpAsst_mebroot_fix



#15 plunio

plunio
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 12 May 2010 - 02:35 AM

Hi, aommaster.

So I ran HelpAsst_mebroot_fix again and then mbr.exe as required.

Here are the 2 logs:

E:\Documents and Settings\Flu\Desktop\HelpAsst_mebroot_fix.exe
12/05/2010 at 9.07.34,59

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: E:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5413:TCP"=-
"9326:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5413:TCP"=-
"9326:TCP"=-
"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1004336348-1644491937-725345543-1008
HelpAssistant profile directory exists at E:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All E:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 12/05/2010 at 9.24.21,26

Account attivo S
Appartenenze al gruppo locale *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86AD5E90]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1004336348-1644491937-725345543-1008
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5413:TCP"=5413:TCP:*:Enabled:Services
"9326:TCP"=9326:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5413:TCP"=5413:TCP:*:Enabled:Services
"9326:TCP"=9326:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
