wupdate.exe Adware & HJT Logs


  • This topic is locked
6 replies to this topic

#1 Corrupted

  • Members
  • 6 posts

Posted 27 May 2010 - 03:44 PM

Hi all!

I noticed that some really bad adware was running; it's called wupdate.exe and it was in C:\Windows\system32. Though I delete it, it is still there; in fact, after a bit it 'regenerates' itself and starts re-executing.

I had these HJT logs:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:44:09, on 27/05/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO DI RETE')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...t/wlscctrl2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CS2\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 4979 bytes


What can I fix for:

A) Deleting the threat, if it's possible, with HJT
B) Increasing performance (especially deleting garbage on startup)

?


Also, I'd really like to remove this awful adware. I tried everything: Ad-Aware, Spybot, Malwarebytes, Avira, the OneCare Safety Scanner online, but it's still here!


#2 Corrupted (Topic Starter)

  • Members
  • 6 posts

Posted 28 May 2010 - 06:24 AM

MBAM Logs:

CODE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4151

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

28/05/2010 13:11:25
mbam-log-2010-05-28 (13-11-25).txt

Scan type: Quick scan
Objects scanned: 121780
Time elapsed: 3 minutes, 27 seconds

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It's in Italian, but it says that there aren't any infections at all.


GMER Logs:

CODE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-28 13:01:31
Windows 6.1.7600
Running: xqposw6o.exe; Driver: C:\Users\Utente\AppData\Local\Temp\fwryrpog.sys


---- System - GMER 1.0.15 ----

SSDT            940F6E24                                                                                  ZwCreateThread
SSDT            940F6E10                                                                                  ZwOpenProcess
SSDT            940F6E15                                                                                  ZwOpenThread
SSDT            940F6E1F                                                                                  ZwTerminateProcess

INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E41AF8
INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E41104
INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E413F4
INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E29634
INT 0xD2        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E29898
INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E411DC
INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E41958
INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E416F8
INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E41F2C
INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82E421A8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                           82A5A599 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                    82A7EF52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET; MOV ECX, CR3}
.text           ntkrnlpa.exe!RtlSidHashLookup + 34C                                                       82A8685C 4 Bytes  [24, 6E, 0F, 94]
.text           ntkrnlpa.exe!RtlSidHashLookup + 4E8                                                       82A869F8 4 Bytes  [10, 6E, 0F, 94] {ADC [ESI+0xf], CH; XCHG ESP, EAX}
.text           ntkrnlpa.exe!RtlSidHashLookup + 508                                                       82A86A18 1 Byte  [15]
.text           ntkrnlpa.exe!RtlSidHashLookup + 508                                                       82A86A18 4 Bytes  [15, 6E, 0F, 94]
.text           ntkrnlpa.exe!RtlSidHashLookup + 7B8                                                       82A86CC8 4 Bytes  [1F, 6E, 0F, 94]
.text           peauth.sys                                                                                9B210C9D 28 Bytes  [04, 92, 0D, 04, 03, 04, E6, ...]
.text           peauth.sys                                                                                9B210CC1 28 Bytes  [04, 92, 0D, 04, 03, 04, E6, ...]
PAGE            peauth.sys                                                                                9B216B9B 72 Bytes  [60, 41, 98, 9D, CF, 5D, E2, ...]
PAGE            peauth.sys                                                                                9B216BEC 111 Bytes  [EE, A9, 05, 53, A7, 69, D7, ...]
PAGE            peauth.sys                                                                                9B216E20 101 Bytes  [09, 51, 98, C6, 81, 30, E4, ...]
PAGE            ...                                                                                      

---- Devices - GMER 1.0.15 ----

Device          \Driver\ACPI_HAL \Device\00000043                                                         halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----




HJT Logs:

CODE
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:14:53, on 28/05/2010
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO DI RETE')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/it-it/wlscctrl2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CS2\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 4851 bytes


I fixed the 'O13 Gopher prefix' line and the Internet Explorer ones with empty values; I didn't know whether I had to touch them or not. I'm sorry, but I hate this crappy adware!

'I've the constant fear that something's always near' Iron Maiden - Fear of the Dark
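Editor's note, added here as a worked example (this is not code from the thread or from any of the tools named in it): a small Python triage script for HijackThis logs like the two posted in posts #1 and #2. It parses the "Running processes" block and the Rxx/Oxx entries, flags images that live in user-writable locations, lists Run values that point at a loose executable directly in the Windows directory for manual review (the poster's own mctadmin RunOnce entries show this is a review heuristic, not a verdict), pulls out the O17 DNS servers and O16 downloads for verification, and diffs two logs so that a before/after comparison like the one between post #1 and post #2 is mechanical. The sample logs are constructed; the Temp-resident updater.exe process and the "[wupdate]" Run value are invented to exercise the rules, because the poster's real logs contain no wupdate entry at all. That absence is the practical lesson: HijackThis 2.0 enumerates Run keys, BHOs, services and similar registry locations but not Task Scheduler jobs or the BITS queue, and it is the ComboFix log in post #4 below that finally shows where the file was coming back from (a WindowsUpdate.job task loading c:\windows\wupd.dll, and BITS queue files that ComboFix removed after flagging hxxp://www.search-up.com).

```python
import re

# Constructed sample log, modelled on the HijackThis logs posted in this thread.
# Two items are invented to exercise the rules and are NOT in the poster's logs:
# the Temp-resident updater.exe process and the "[wupdate]" Run value.
LOG_A = """\
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:44:09, on 27/05/2010
Platform: Windows 7 (WinNT 6.00.3504)

Running processes:
C:\\Windows\\Explorer.EXE
C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe
C:\\Users\\Utente\\AppData\\Local\\Temp\\updater.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKLM\\..\\Run: [wupdate] C:\\Windows\\system32\\wupdate.exe
O4 - HKUS\\S-1-5-19\\..\\RunOnce: [mctadmin] C:\\Windows\\System32\\mctadmin.exe (User 'SERVIZIO LOCALE')
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
"""

# Second constructed log: same machine after the Temp process has exited and the
# invented [wupdate] Run value has been removed, so the diff has something to show.
LOG_B = "\n".join(l for l in LOG_A.splitlines()
                  if "updater.exe" not in l and "[wupdate]" not in l) + "\n"

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "%temp%", "%appdata%", "\\temp\\")
WINDOWS_DIRS = ("c:\\windows", "c:\\windows\\system32")


def parse_hjt(text):
    """Return (running_processes, [(section, body), ...]) for a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process block
        elif in_procs:
            procs.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("sec"), m.group("body")))
    return procs, entries


def image_path(sec, body):
    """Best-effort image path: after '[name] ' for O4, the last ' - ' field otherwise."""
    if sec == "O4":
        tail = body.split("] ", 1)[-1]
        m = re.match(r'"([^"]*)"|(\S+)', tail)   # quoted path, else first token
        path = m.group(1) or m.group(2)
    else:
        path = body.rsplit(" - ", 1)[-1]
    return path.strip().lower().replace("%programfiles%", "c:\\program files")


def triage(text):
    """Apply explainable heuristics; returns a list of (severity, reason, item)."""
    procs, entries = parse_hjt(text)
    findings = []
    for p in procs:
        if any(tok in p.lower() for tok in USER_WRITABLE):
            findings.append(("high", "process running from a user-writable location", p))
    for sec, body in entries:
        if sec in ("O2", "O4", "O23"):
            path = image_path(sec, body)
            if any(tok in path for tok in USER_WRITABLE):
                findings.append(("high", "autostart or service image in a user-writable location", body))
            elif sec == "O4" and path.rsplit("\\", 1)[0] in WINDOWS_DIRS:
                # Loose exe directly in the Windows dir: legitimate for mctadmin,
                # classic for droppers; needs a human look either way.
                findings.append(("review", "Run value pointing at a loose exe in the Windows dir", body))
        elif sec == "O17":
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body)
            findings.append(("review", "DNS servers set on adapter, confirm they are your ISP's: " + ", ".join(ips), body))
        elif sec == "O16":
            findings.append(("review", "ActiveX control downloaded from the web", body))
    return findings


def diff_logs(old, new):
    """(added, removed): processes and entries that changed between two logs."""
    def flatten(text):
        procs, entries = parse_hjt(text)
        return set(procs) | {f"{s} - {b}" for s, b in entries}
    old_set, new_set = flatten(old), flatten(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


if __name__ == "__main__":
    for sev, why, item in triage(LOG_A):
        print(f"[{sev:6}] {why}\n         {item}")
    added, removed = diff_logs(LOG_A, LOG_B)
    print("gone since the first log:", *removed, sep="\n  ")
```

Run it as-is to see the five findings from the constructed log and the two lines that disappear between LOG_A and LOG_B; point `triage()` at a real log file's contents to use it on your own output. The rules are deliberately loud rather than clever: everything they raise still has to be checked by hand, which is also why a clean HJT log should never be read as "nothing is persisting".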

#3 Corrupted (Topic Starter)

  • Members
  • 6 posts

Posted 28 May 2010 - 09:56 AM

up!

#4 Corrupted (Topic Starter)

  • Members
  • 6 posts

Posted 28 May 2010 - 12:53 PM

I ran ComboFix and it deleted some files. I also waited until wupdate.exe reappeared in the C:\Windows\system32 folder, and it was deleted by ComboFix, along with some other files too (I hope they are related to wupdate and its regeneration).

However, here is the log!

ComboFix 10-05-28.01 - Utente 28/05/2010 19:10:25.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.39.1040.18.3515.2387 [GMT 2:00]
Running from: c:\users\Utente\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system\VI30AUT.DLL
c:\windows\system32\%appdata%
c:\windows\wupdate.exe

----- BITS: Possible infected sites -----

hxxp://www.search-up.com
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))))))
.

2010-05-28 12:49 . 2010-05-28 14:45 -------- d-----w- c:\users\Utente\AppData\Roaming\TeamViewer
2010-05-28 12:49 . 2010-05-28 12:49 -------- d-----w- c:\program files\TeamViewer
2010-05-28 11:04 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 11:04 . 2010-05-28 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 11:04 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 20:42 . 2010-05-27 20:42 388096 ----a-r- c:\users\Utente\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-27 19:06 . 2010-05-27 19:41 -------- dc----w- c:\windows\system32\DRVSTORE
2010-05-27 19:06 . 2010-05-27 19:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-27 19:03 . 2010-05-27 19:03 -------- d-----w- c:\users\Utente\AppData\Roaming\Malwarebytes
2010-05-27 19:03 . 2010-05-27 19:41 -------- d-----w- c:\programdata\Lavasoft
2010-05-27 19:02 . 2010-05-27 19:02 -------- d-----w- c:\programdata\Malwarebytes
2010-05-27 18:54 . 2010-05-27 18:57 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-27 18:00 . 2010-05-27 18:00 -------- d-----r- C:\comment.htt
2010-05-27 18:00 . 2010-05-27 18:00 2 --shatr- c:\windows\winstart.bat
2010-05-27 13:05 . 2010-05-27 13:05 -------- d-----w- c:\program files\Common Files\SourceTec
2010-05-27 13:05 . 2010-05-27 13:05 -------- d-----w- c:\program files\SourceTec
2010-05-27 12:30 . 2010-05-27 12:30 -------- d-----w- c:\program files\HydraIRC
2010-05-27 12:28 . 2010-05-27 12:29 -------- d-----w- c:\users\Utente\AppData\Roaming\mIRC
2010-05-26 10:51 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 17:10 . 2010-05-24 17:10 -------- d-----w- c:\program files\Trend Micro
2010-05-23 19:51 . 2010-05-25 13:01 -------- d-----w- c:\users\Utente\AppData\Roaming\vlc
2010-05-23 19:50 . 2010-05-23 19:50 -------- d-----w- c:\program files\VideoLAN
2010-05-21 13:13 . 2010-05-21 13:31 -------- d-----w- c:\users\Utente\AppData\Roaming\Dev-Cpp
2010-05-21 12:50 . 2010-05-21 12:50 253952 ------w- c:\windows\Setup1.exe
2010-05-21 12:50 . 2010-05-21 12:50 74752 ----a-w- c:\windows\ST6UNST.EXE
2010-05-20 19:01 . 2010-05-20 21:00 -------- d-----w- C:\Dev-Cpp
2010-05-17 12:45 . 2010-05-17 12:47 -------- d-----w- c:\users\Utente\AppData\Roaming\IcoFX
2010-05-17 12:45 . 2010-05-17 12:46 -------- d-----w- c:\program files\IcoFX 1.6
2010-05-15 15:38 . 2010-05-15 15:38 -------- d-----w- c:\windows\Sun
2010-05-15 13:57 . 2010-05-15 13:57 -------- d-----w- c:\users\Utente\Office Genuine Advantage
2010-05-13 15:15 . 2003-11-17 10:49 154624 ----a-w- c:\windows\system32\fmod.dll
2010-05-13 15:15 . 2003-06-26 16:38 94208 ----a-w- c:\windows\system32\id3v23x.dll
2010-05-13 15:15 . 2002-01-05 13:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-05-12 11:00 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 20:59 . 2010-05-07 20:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-07 20:59 . 2010-05-08 22:08 -------- d-----w- c:\users\Utente\AppData\Roaming\skypePM
2010-05-07 20:57 . 2010-05-08 22:43 -------- d-----w- c:\users\Utente\AppData\Roaming\Skype
2010-05-07 20:57 . 2010-05-25 18:22 -------- d-----r- c:\program files\Skype
2010-05-07 20:57 . 2010-05-07 20:57 -------- d-----w- c:\program files\Common Files\Skype
2010-05-07 20:57 . 2010-05-07 20:57 -------- d-----w- c:\programdata\Skype
2010-05-06 13:53 . 2010-05-27 16:30 -------- d-----w- c:\users\Utente\AppData\Roaming\uTorrent
2010-05-04 21:26 . 2010-05-04 21:27 -------- d-----w- c:\windows\W7SBC
2010-05-04 21:26 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer_edit_w7sbc.exe
2010-05-04 21:26 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer_backup_w7sbc.exe
2010-05-04 21:26 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-05-04 14:45 . 2010-05-06 20:50 -------- d-----w- c:\users\Utente\AppData\Local\Google
2010-05-01 13:08 . 2010-05-01 13:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-01 09:19 . 1997-11-19 12:49 303616 ----a-w- c:\windows\IsUninst.exe
2010-05-01 08:48 . 2010-05-01 13:09 -------- d-----w- c:\program files\Common Files\Java
2010-05-01 08:48 . 2010-05-01 13:08 -------- d-----w- c:\program files\Java
2010-05-01 08:48 . 2010-05-01 08:48 -------- d-----w- c:\users\Utente\AppData\Local\Sun
2010-04-30 21:18 . 2010-04-30 21:18 -------- d-----w- c:\program files\CCleaner
2010-04-30 21:10 . 2010-05-28 11:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-30 20:08 . 2010-05-23 08:01 -------- d-----w- c:\program files\VB Decompiler Lite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 17:13 . 2010-04-26 20:49 -------- d-----w- c:\programdata\NVIDIA
2010-05-28 14:49 . 2010-04-27 13:19 -------- d-----w- c:\program files\Steam
2010-05-28 11:18 . 2009-07-14 08:21 689234 ----a-w- c:\windows\system32\perfh010.dat
2010-05-28 11:18 . 2009-07-14 08:21 124420 ----a-w- c:\windows\system32\perfc010.dat
2010-05-24 12:42 . 2010-04-27 14:51 -------- d-----w- c:\program files\Metin2
2010-05-17 12:47 . 2010-04-26 16:35 109224 ----a-w- c:\users\Utente\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-14 16:40 . 2010-05-14 16:40 0 ---ha-w- c:\windows\BITFD29.tmp
2010-05-13 16:40 . 2010-05-13 16:40 0 ---ha-w- c:\windows\BIT370B.tmp
2010-05-12 22:27 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-12 22:27 . 2010-04-26 15:23 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 16:40 . 2010-05-12 16:40 0 ---ha-w- c:\windows\BITF55A.tmp
2010-05-12 09:21 . 2010-04-26 16:20 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 16:40 . 2010-05-11 16:40 0 ---ha-w- c:\windows\BIT86C2.tmp
2010-05-10 16:40 . 2010-05-10 16:40 0 ---ha-w- c:\windows\BIT654C.tmp
2010-05-09 16:40 . 2010-05-09 16:40 0 ---ha-w- c:\windows\BITE403.tmp
2010-05-08 16:40 . 2010-05-08 16:40 0 ---ha-w- c:\windows\BITCDDF.tmp
2010-05-07 22:08 . 2010-05-07 22:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-05-07 16:40 . 2010-05-07 16:40 0 ---ha-w- c:\windows\BITF7CC.tmp
2010-05-06 16:40 . 2010-05-06 16:40 0 ---ha-w- c:\windows\BITF35A.tmp
2010-05-05 16:40 . 2010-05-05 16:40 0 ---ha-w- c:\windows\BIT8943.tmp
2010-05-04 16:40 . 2010-05-04 16:40 0 ---ha-w- c:\windows\BITC581.tmp
2010-05-03 16:40 . 2010-05-03 16:40 0 ---ha-w- c:\windows\BIT122E.tmp
2010-05-02 16:40 . 2010-05-02 16:40 0 ---ha-w- c:\windows\BIT7B4B.tmp
2010-05-01 16:40 . 2010-05-01 16:40 0 ---ha-w- c:\windows\BIT63B8.tmp
2010-04-30 16:40 . 2010-04-30 16:40 0 ---ha-w- c:\windows\BITF7F0.tmp
2010-04-29 16:40 . 2010-04-29 16:40 0 ---ha-w- c:\windows\BITC352.tmp
2010-04-28 16:40 . 2010-04-28 16:40 0 ---ha-w- c:\windows\BITF7E7.tmp
2010-04-28 14:24 . 2010-04-28 14:24 -------- d-----w- c:\program files\Web Publish
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\TFZVBXBH.DAT
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\KHB9R779.DAT
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\7HNV5779.DAT
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\VTV313ZF.DAT
2010-04-28 10:52 . 2010-04-28 10:52 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-27 16:40 . 2010-04-27 16:40 0 ---ha-w- c:\windows\BIT77E3.tmp
2010-04-27 13:40 . 2010-04-27 13:40 -------- d-----w- c:\programdata\Messenger Plus!
2010-04-27 13:19 . 2010-04-27 13:19 -------- d-----w- c:\program files\Common Files\Steam
2010-04-27 13:18 . 2010-04-27 13:18 -------- d-----w- c:\program files\Messenger Plus! Live
2010-04-27 12:43 . 2010-04-27 12:43 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-04-27 12:41 . 2010-04-26 15:25 -------- d-----w- c:\program files\Microsoft Works
2010-04-27 12:40 . 2010-04-27 12:40 -------- d-----w- c:\program files\MSXML 4.0
2010-04-26 20:50 . 2010-04-26 20:49 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-26 20:36 . 2010-04-26 20:36 -------- d-----w- c:\program files\Microsoft
2010-04-26 20:36 . 2010-04-26 20:36 -------- d-----w- c:\program files\Windows Live
2010-04-26 20:36 . 2010-04-26 20:36 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-26 20:32 . 2010-04-26 20:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-26 20:27 . 2010-04-26 20:27 -------- d-----w- c:\programdata\Avira
2010-04-26 20:27 . 2010-04-26 20:27 -------- d-----w- c:\program files\Avira
2010-04-26 20:18 . 2010-04-26 15:54 -------- d-----w- c:\programdata\Nero
2010-04-26 20:18 . 2010-04-26 15:54 -------- d-----w- c:\program files\Common Files\Nero
2010-04-26 20:18 . 2010-04-26 20:18 -------- d-----w- c:\users\Utente\AppData\Roaming\Nero
2010-04-26 19:52 . 2010-04-26 19:52 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-26 16:35 . 2010-04-26 16:35 47616 ----a-w- c:\windows\wupd.dll
2010-04-26 16:32 . 2010-04-26 16:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-26 16:03 . 2010-04-26 16:03 -------- d-----w- c:\programdata\Alwil Software
2010-04-26 15:25 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-04-26 15:25 . 2010-04-26 15:25 -------- d-----w- c:\program files\Microsoft.NET
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Preferiti
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Modelli
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Menu Avvio
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Documenti
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Dati applicazioni
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\program files\File comuni
2010-04-26 15:12 . 2010-04-26 15:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-03 16:27 . 2010-04-03 16:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 16:27 . 2010-04-03 16:27 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 16:27 . 2010-04-03 16:27 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
2010-04-03 16:27 . 2010-04-03 16:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 16:27 . 2010-04-03 16:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 16:27 . 2010-04-03 16:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-08 21:33 . 2010-04-26 18:46 427520 ----a-w- c:\windows\system32\vbscript.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-20 11:14 26192680 ----a-r- c:\program files\Skype\Phone\Skype.exe

R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-05-21 173352]
S3 RTL8167;Driver Realtek 8167 NT;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

.
Contents of the 'Scheduled Tasks' folder

2010-05-28 c:\windows\Tasks\WindowsUpdate.job
- c:\windows\wupd.dll [2010-04-26 16:35]
.
.
------- Supplementary Scan -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: {21B7AD75-AE2D-4037-9D91-B58AB82E3423} = 212.216.112.112,212.216.172.62
FF - ProfilePath - c:\users\Utente\AppData\Roaming\Mozilla\Firefox\Profiles\tf7bq6hu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Ora fine scansione: 2010-05-28 19:15:29 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-05-28 17:15

Pre-Run: 465.183.105.024 byte disponibili
Post-Run: 465.063.297.024 byte disponibili

- - End Of File - - 650BBAB346A717CA953C6EB9D83D3DAD

#5 Corrupted

Corrupted
  • Topic Starter
  • Members
  • 6 posts

Posted 28 May 2010 - 01:06 PM

Here is the ComboFix one:

ComboFix 10-05-28.01 - Utente 28/05/2010 19:57:10.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.39.1040.18.3515.2524 [GMT 2:00]
Eseguito da: c:\users\Utente\Desktop\ComboFix.exe
Opzioni usate :: c:\users\Utente\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

FILE ::
"c:\windows\BIT122E.tmp"
"c:\windows\BIT370B.tmp"
"c:\windows\BIT63B8.tmp"
"c:\windows\BIT654C.tmp"
"c:\windows\BIT77E3.tmp"
"c:\windows\BIT7B4B.tmp"
"c:\windows\BIT86C2.tmp"
"c:\windows\BIT8943.tmp"
"c:\windows\BITC352.tmp"
"c:\windows\BITC581.tmp"
"c:\windows\BITCDDF.tmp"
"c:\windows\BITE403.tmp"
"c:\windows\BITF35A.tmp"
"c:\windows\BITF55A.tmp"
"c:\windows\BITF7CC.tmp"
"c:\windows\BITF7E7.tmp"
"c:\windows\BITF7F0.tmp"
"c:\windows\BITFD29.tmp"
"c:\windows\system32\ezsidmv.dat"
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\BIT122E.tmp
c:\windows\BIT370B.tmp
c:\windows\BIT63B8.tmp
c:\windows\BIT654C.tmp
c:\windows\BIT77E3.tmp
c:\windows\BIT7B4B.tmp
c:\windows\BIT86C2.tmp
c:\windows\BIT8943.tmp
c:\windows\BITC352.tmp
c:\windows\BITC581.tmp
c:\windows\BITCDDF.tmp
c:\windows\BITE403.tmp
c:\windows\BITF35A.tmp
c:\windows\BITF55A.tmp
c:\windows\BITF7CC.tmp
c:\windows\BITF7E7.tmp
c:\windows\BITF7F0.tmp
c:\windows\BITFD29.tmp
c:\windows\system32\ezsidmv.dat
c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Creati Da 2010-04-28 al 2010-05-28 )))))))))))))))))))))))))))))))))))
.

2010-05-28 17:59 . 2010-05-28 17:59 -------- d-----w- c:\users\Utente\AppData\Local\temp
2010-05-28 17:59 . 2010-05-28 17:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-28 17:59 . 2010-05-28 17:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-28 12:49 . 2010-05-28 14:45 -------- d-----w- c:\users\Utente\AppData\Roaming\TeamViewer
2010-05-28 12:49 . 2010-05-28 12:49 -------- d-----w- c:\program files\TeamViewer
2010-05-28 11:04 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 11:04 . 2010-05-28 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 11:04 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 20:42 . 2010-05-27 20:42 388096 ----a-r- c:\users\Utente\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-27 19:06 . 2010-05-27 19:41 -------- dc----w- c:\windows\system32\DRVSTORE
2010-05-27 19:06 . 2010-05-27 19:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-27 19:03 . 2010-05-27 19:03 -------- d-----w- c:\users\Utente\AppData\Roaming\Malwarebytes
2010-05-27 19:03 . 2010-05-27 19:41 -------- d-----w- c:\programdata\Lavasoft
2010-05-27 19:02 . 2010-05-27 19:02 -------- d-----w- c:\programdata\Malwarebytes
2010-05-27 18:54 . 2010-05-27 18:57 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-27 18:00 . 2010-05-27 18:00 -------- d-----r- C:\comment.htt
2010-05-27 13:05 . 2010-05-27 13:05 -------- d-----w- c:\program files\Common Files\SourceTec
2010-05-27 13:05 . 2010-05-27 13:05 -------- d-----w- c:\program files\SourceTec
2010-05-27 12:30 . 2010-05-27 12:30 -------- d-----w- c:\program files\HydraIRC
2010-05-27 12:28 . 2010-05-27 12:29 -------- d-----w- c:\users\Utente\AppData\Roaming\mIRC
2010-05-26 10:51 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 17:10 . 2010-05-24 17:10 -------- d-----w- c:\program files\Trend Micro
2010-05-23 19:51 . 2010-05-25 13:01 -------- d-----w- c:\users\Utente\AppData\Roaming\vlc
2010-05-23 19:50 . 2010-05-23 19:50 -------- d-----w- c:\program files\VideoLAN
2010-05-21 13:13 . 2010-05-21 13:31 -------- d-----w- c:\users\Utente\AppData\Roaming\Dev-Cpp
2010-05-21 12:50 . 2010-05-21 12:50 253952 ------w- c:\windows\Setup1.exe
2010-05-21 12:50 . 2010-05-21 12:50 74752 ----a-w- c:\windows\ST6UNST.EXE
2010-05-20 19:01 . 2010-05-20 21:00 -------- d-----w- C:\Dev-Cpp
2010-05-17 12:45 . 2010-05-17 12:47 -------- d-----w- c:\users\Utente\AppData\Roaming\IcoFX
2010-05-17 12:45 . 2010-05-17 12:46 -------- d-----w- c:\program files\IcoFX 1.6
2010-05-15 15:38 . 2010-05-15 15:38 -------- d-----w- c:\windows\Sun
2010-05-15 13:57 . 2010-05-15 13:57 -------- d-----w- c:\users\Utente\Office Genuine Advantage
2010-05-13 15:15 . 2003-11-17 10:49 154624 ----a-w- c:\windows\system32\fmod.dll
2010-05-13 15:15 . 2003-06-26 16:38 94208 ----a-w- c:\windows\system32\id3v23x.dll
2010-05-13 15:15 . 2002-01-05 13:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-05-12 11:00 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 20:59 . 2010-05-08 22:08 -------- d-----w- c:\users\Utente\AppData\Roaming\skypePM
2010-05-07 20:57 . 2010-05-08 22:43 -------- d-----w- c:\users\Utente\AppData\Roaming\Skype
2010-05-07 20:57 . 2010-05-25 18:22 -------- d-----r- c:\program files\Skype
2010-05-07 20:57 . 2010-05-07 20:57 -------- d-----w- c:\program files\Common Files\Skype
2010-05-07 20:57 . 2010-05-07 20:57 -------- d-----w- c:\programdata\Skype
2010-05-06 13:53 . 2010-05-27 16:30 -------- d-----w- c:\users\Utente\AppData\Roaming\uTorrent
2010-05-04 21:26 . 2010-05-04 21:27 -------- d-----w- c:\windows\W7SBC
2010-05-04 21:26 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer_edit_w7sbc.exe
2010-05-04 21:26 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer_backup_w7sbc.exe
2010-05-04 21:26 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-05-04 14:45 . 2010-05-06 20:50 -------- d-----w- c:\users\Utente\AppData\Local\Google
2010-05-01 13:08 . 2010-05-01 13:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-01 09:19 . 1997-11-19 12:49 303616 ----a-w- c:\windows\IsUninst.exe
2010-05-01 08:48 . 2010-05-01 13:09 -------- d-----w- c:\program files\Common Files\Java
2010-05-01 08:48 . 2010-05-01 13:08 -------- d-----w- c:\program files\Java
2010-05-01 08:48 . 2010-05-01 08:48 -------- d-----w- c:\users\Utente\AppData\Local\Sun
2010-04-30 21:18 . 2010-04-30 21:18 -------- d-----w- c:\program files\CCleaner
2010-04-30 21:10 . 2010-05-28 11:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-30 20:08 . 2010-05-23 08:01 -------- d-----w- c:\program files\VB Decompiler Lite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 17:17 . 2009-07-14 08:21 689234 ----a-w- c:\windows\system32\perfh010.dat
2010-05-28 17:17 . 2009-07-14 08:21 124420 ----a-w- c:\windows\system32\perfc010.dat
2010-05-28 17:13 . 2010-04-26 20:49 -------- d-----w- c:\programdata\NVIDIA
2010-05-28 14:49 . 2010-04-27 13:19 -------- d-----w- c:\program files\Steam
2010-05-24 12:42 . 2010-04-27 14:51 -------- d-----w- c:\program files\Metin2
2010-05-17 12:47 . 2010-04-26 16:35 109224 ----a-w- c:\users\Utente\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-12 22:27 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-12 22:27 . 2010-04-26 15:23 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 09:21 . 2010-04-26 16:20 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-07 22:08 . 2010-05-07 22:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-04-28 14:24 . 2010-04-28 14:24 -------- d-----w- c:\program files\Web Publish
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\TFZVBXBH.DAT
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\KHB9R779.DAT
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\7HNV5779.DAT
2010-04-28 14:18 . 2010-04-28 14:18 2678 ----a-w- c:\windows\Java\Packages\Data\VTV313ZF.DAT
2010-04-28 10:52 . 2010-04-28 10:52 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-27 13:40 . 2010-04-27 13:40 -------- d-----w- c:\programdata\Messenger Plus!
2010-04-27 13:19 . 2010-04-27 13:19 -------- d-----w- c:\program files\Common Files\Steam
2010-04-27 13:18 . 2010-04-27 13:18 -------- d-----w- c:\program files\Messenger Plus! Live
2010-04-27 12:43 . 2010-04-27 12:43 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-04-27 12:41 . 2010-04-26 15:25 -------- d-----w- c:\program files\Microsoft Works
2010-04-27 12:40 . 2010-04-27 12:40 -------- d-----w- c:\program files\MSXML 4.0
2010-04-26 20:50 . 2010-04-26 20:49 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-26 20:36 . 2010-04-26 20:36 -------- d-----w- c:\program files\Microsoft
2010-04-26 20:36 . 2010-04-26 20:36 -------- d-----w- c:\program files\Windows Live
2010-04-26 20:36 . 2010-04-26 20:36 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-26 20:32 . 2010-04-26 20:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-26 20:27 . 2010-04-26 20:27 -------- d-----w- c:\programdata\Avira
2010-04-26 20:27 . 2010-04-26 20:27 -------- d-----w- c:\program files\Avira
2010-04-26 20:18 . 2010-04-26 15:54 -------- d-----w- c:\programdata\Nero
2010-04-26 20:18 . 2010-04-26 15:54 -------- d-----w- c:\program files\Common Files\Nero
2010-04-26 20:18 . 2010-04-26 20:18 -------- d-----w- c:\users\Utente\AppData\Roaming\Nero
2010-04-26 19:52 . 2010-04-26 19:52 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-26 16:35 . 2010-04-26 16:35 47616 ----a-w- c:\windows\wupd.dll
2010-04-26 16:32 . 2010-04-26 16:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-26 16:03 . 2010-04-26 16:03 -------- d-----w- c:\programdata\Alwil Software
2010-04-26 15:25 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-04-26 15:25 . 2010-04-26 15:25 -------- d-----w- c:\program files\Microsoft.NET
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Preferiti
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Modelli
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Menu Avvio
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Documenti
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\programdata\Dati applicazioni
2010-04-26 15:17 . 2010-04-26 15:17 -------- d-sh--we c:\program files\File comuni
2010-04-26 15:12 . 2010-04-26 15:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-03 16:27 . 2010-04-03 16:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 16:27 . 2010-04-03 16:27 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 16:27 . 2010-04-03 16:27 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
2010-04-03 16:27 . 2010-04-03 16:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 16:27 . 2010-04-03 16:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 16:27 . 2010-04-03 16:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-08 21:33 . 2010-04-26 18:46 427520 ----a-w- c:\windows\system32\vbscript.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-20 11:14 26192680 ----a-r- c:\program files\Skype\Phone\Skype.exe

R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-05-21 173352]
S3 RTL8167;Driver Realtek 8167 NT;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

.
Contenuto della cartella 'Scheduled Tasks'

2010-05-28 c:\windows\Tasks\WindowsUpdate.job
- c:\windows\wupd.dll [2010-04-26 16:35]
.
.
------- Scansione supplementare -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: {21B7AD75-AE2D-4037-9D91-B58AB82E3423} = 212.216.112.112,212.216.172.62
FF - ProfilePath - c:\users\Utente\AppData\Roaming\Mozilla\Firefox\Profiles\tf7bq6hu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Ora fine scansione: 2010-05-28 20:00:43
ComboFix-quarantined-files.txt 2010-05-28 18:00
ComboFix2.txt 2010-05-28 17:15

Pre-Run: 476.658.442.240 byte disponibili
Post-Run: 476.596.473.856 byte disponibili

- - End Of File - - 8DAAAF8E07F797DB621400EC201AA3FC
_____________________________________________________________

And here is the HJT one:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:02:32, on 28/05/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...t/wlscctrl2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CS2\Services\Tcpip\..\{21B7AD75-AE2D-4037-9D91-B58AB82E3423}: NameServer = 212.216.112.112,212.216.172.62
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

--
End of file - 4409 bytes
P.S:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Is this alright?


#6 Corrupted

Corrupted
  • Topic Starter
  • Members
  • 6 posts

Posted 29 May 2010 - 05:57 AM

I searched for wupdate.exe with SystemLook but I didn't find it.

The problem seems solved; I will inform you this evening or tomorrow evening.

"Thanks for your help" hysterical.gif

#7 m0le

m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 May 2010 - 07:11 PM

QUOTE(Corrupted @ May 29 2010, 11:57 AM)
"Thanks for your help" hysterical.gif


No, well done for running a tool you clearly have no idea how to use - you've deleted some legitimate files rather neatly there - and having great patience waiting for volunteers - who have lives of their own and who help out voluntarily because they want to. Well done also on bumping your topic which we clearly explain may delay the help you receive.

There is a two day wait for help and someone skilled would have been able to help you. I don't think two days is bad for an excellent free service, do you?

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

m0le is a proud member of UNITE