
possible malware - blue screen after gmer


  • This topic is locked
29 replies to this topic

#1 abruijn

abruijn

  • Members
  • 16 posts
  • Local time:03:21 PM

Posted 16 October 2010 - 06:51 PM

Hello,

I had some problems with my company laptop.
First a blue screen with a message about an infinite ati2dvag driver loop. I reinstalled the ATI driver package. Then I had some other bluescreen but didn't have the time to read the message before the auto reboot.
I ran Combofix, which has been useful in the past for me (some time ago a technical computer assistant from the company indicated it to me).
Just now I have read NOT TO RUN COMBOFIX without being requested to do so....

I ran the described procedure from the preparation guide. After the GMER log again a blue screen; I had just the time to save the log file.
I am not sure now if my system has a possible malware threat or root-kit; my system seems to be stable.

Thanks in advance for your assistance.

Below is the DDS.txt LOG




DDS (Ver_10-10-10.03) - NTFSx86
Run by u110549 at 23.11.54,10 on 2010-10-16
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1789.1023 [GMT 2:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Programmi\DisplayLink Core Software\DisplayLinkService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Programmi\LSI SoftModem\agrsmsvc.exe
C:\Programmi\Cobian Backup 10\cbVSCService.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Symantec\Symantec Endpoint Protection\Rtvscan.exe
d:\Programmi\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Programmi\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe
C:\Programmi\HPQ\HP Connection Manager 2\bin\mdvsrv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\DisplayLink Core Software\DisplayLinkManager.exe
C:\Programmi\DisplayLink Core Software\DisplayLinkUI.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programmi\Secunia\PSI\psi.exe
C:\Programmi\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Documents and Settings\u110549\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u110549\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u110549\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u110549\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u110549\Documenti\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://fgaonline.fiat.com/Pages/Home%20Page/FGAonline.aspx
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\programmi\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\u110549\menuav~1\progra~1\esecuz~1\secuni~1.lnk - c:\programmi\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\bttray.lnk - c:\programmi\widcomm\bluetooth software\BTTray.exe
IE: Add to &Evernote - d:\programmi\evernote\evernote3.5\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download Link Using Mega Manager... - c:\programmi\megaupload\mega manager\mm_file.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Invia a Bluetooth - c:\programmi\widcomm\bluetooth software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\programmi\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - d:\programmi\evernote\evernote3.5\enbar.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245914510825
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283259887953
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} - hxxp://codep/forms/jinitiator/jinit.exe
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://codep/forms/jinitiator/jinit.exe
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\programmi\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\programmi\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: TTWlx - TTWlx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\u110549\datiap~1\mozilla\firefox\profiles\f7ct8dl8.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.findeer.it
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-9-22 164352]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2009-12-3 181120]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-9-17 7936]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2009-12-3 51072]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\programmi\cobian backup 10\cbVSCService.exe [2010-9-16 67584]
R2 ccEvtMgr;Symantec Event Manager;c:\programmi\file comuni\symantec shared\ccSvcHst.exe [2010-10-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\programmi\file comuni\symantec shared\ccSvcHst.exe [2010-10-14 108392]
R2 DisplayLinkService;DisplayLink Service;c:\programmi\displaylink core software\DisplayLinkService.exe [2009-3-10 447848]
R2 mdvauthsrv;HP Connectivity Authentication Service;c:\programmi\hpq\hp connection manager 2\bin\mdvauthsrv.exe [2009-3-26 399848]
R2 mdvsrv;HP Connection Manager Service;c:\programmi\hpq\hp connection manager 2\bin\mdvsrv.exe [2009-3-26 281064]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2009-1-14 345336]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\programmi\symantec\symantec endpoint protection\Rtvscan.exe [2010-10-14 1832072]
R2 TomTomHOMEService;TomTomHOMEService;d:\programmi\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\file comuni\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-10-6 44800]
R3 NAVENG;NAVENG;c:\progra~1\fileco~1\symant~1\virusd~1\20101014.040\NAVENG.SYS [2010-10-15 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\fileco~1\symant~1\virusd~1\20101014.040\NAVEX15.SYS [2010-10-15 1371184]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S2 gupdate;Google Update Service (gupdate);c:\programmi\google\update\GoogleUpdate.exe [2009-12-30 135664]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-6 475520]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-22 23888]
S3 Com4QLBEx;Com4QLBEx;c:\programmi\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-7 193840]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-9-17 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-9-17 8456]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-9-17 23680]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\programmi\google\google desktop search\GoogleDesktop.exe [2010-6-8 30192]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-6-22 103168]
S3 QCFilterhp;HP USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterhp.sys [2009-6-25 5248]
S3 qcusbnethp;HP USB-NDIS miniport;c:\windows\system32\drivers\qcusbnethp.sys [2009-6-25 115200]
S3 qcusbserhp;HP USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserhp.sys [2009-6-25 104448]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\scr3xx2k.sys --> c:\windows\system32\drivers\SCR3XX2K.sys [?]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\drivers\stc2dfu.sys --> c:\windows\system32\drivers\Stc2Dfu.SYS [?]

=============== Created Last 30 ================

2010-10-16 20:04:31 -------- d-sha-r- C:\cmdcons
2010-10-13 19:19:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-07 06:59:04 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-07 06:59:03 293888 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-10-07 06:59:00 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2010-09-25 13:46:10 -------- d-----w- c:\programmi\WinMerge
2010-09-25 12:57:19 -------- d-----w- c:\docume~1\u110549\datiap~1\Scooter Software
2010-09-25 10:38:16 -------- d-----w- c:\programmi\Remove Empty Directories
2010-09-25 09:53:46 -------- d-----w- c:\programmi\Duplicate Cleaner
2010-09-22 16:10:52 103864 ----a-w- c:\programmi\mozilla firefox\plugins\nppdf32.dll
2010-09-22 16:10:52 103864 ----a-w- c:\programmi\internet explorer\plugins\nppdf32.dll
2010-09-20 07:57:48 -------- d-----w- c:\docume~1\alluse~1\datiap~1\ODIR
2010-09-20 07:57:33 -------- d-----w- c:\programmi\ODIR
2010-09-19 14:25:31 -------- d-----w- C:\backup
2010-09-17 20:58:19 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2010-09-17 20:58:19 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2010-09-17 20:58:19 1774720 ----a-w- c:\windows\system32\BootMan.exe
2010-09-17 20:58:19 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2010-09-17 20:58:19 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2010-09-17 20:58:11 -------- d-----w- c:\programmi\EASEUS
2010-09-17 20:11:51 4573184 ----a-w- C:\unetbtin.exe
2010-09-17 18:50:01 -------- d-----w- c:\programmi\DAEMON Tools Toolbar
2010-09-17 18:49:47 -------- d-----w- c:\programmi\DAEMON Tools Lite
2010-09-17 17:13:32 -------- d-----w- c:\docume~1\alluse~1\datiap~1\FNET
2010-09-17 17:13:31 7936 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-09-17 17:13:31 23680 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-09-17 17:13:29 -------- d-----w- c:\programmi\UsbBoost
2010-09-17 15:34:30 -------- d-----w- c:\docume~1\u110549\datiap~1\KeePass
2010-09-17 15:14:01 -------- d-----w- c:\programmi\KeePass Password Safe 2

==================== Find3M ====================

2010-10-14 10:41:05 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-14 10:35:29 89600 ----a-w- c:\windows\system32\atl71.dll
2010-10-14 10:35:29 87408 ----a-w- c:\windows\system32\FwsVpn.dll
2010-10-14 10:35:29 107888 ----a-w- c:\windows\system32\SymVPN.dll
2010-10-14 10:35:10 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-10-14 10:35:10 242056 ----a-w- c:\windows\system32\SymRedir.dll
2010-10-13 19:18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 09:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 09:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:48:59 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 09:49:08 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2007-12-11 07:55:14 626688 ----a-w- c:\programmi\file comuni\sapconsaccess.dll
2007-12-11 07:55:14 40960 ----a-w- c:\programmi\file comuni\DigitalSignature.ocx
2007-12-11 07:55:14 3125248 ----a-w- c:\programmi\file comuni\sapxlhelper.dll
2007-12-11 07:55:14 192512 ----a-w- c:\programmi\file comuni\sapconsr3.dll

============= FINISH: 23.12.48,92 ===============

Edited by abruijn, 17 October 2010 - 07:51 AM.


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:21 PM

Posted 26 October 2010 - 06:24 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 abruijn

abruijn
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:21 PM

Posted 27 October 2010 - 02:50 AM

Thank you m0le, for your assistance.

I have to inform you that for the next few days I will be away, so I cannot respond.

I will be back on Wednesday 3 November.
If it is okay with you I kindly ask you to put this request on hold until then.

When I get back, I will contact you on this forum.

Bye

Edited by abruijn, 27 October 2010 - 03:49 AM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:21 PM

Posted 27 October 2010 - 05:07 PM

No problem. Post to the topic on your return. :thumbup2:
m0le is a proud member of UNITE

#5 abruijn

abruijn
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:21 PM

Posted 03 November 2010 - 05:33 PM

Hi,

I'm back and ready.
Let me know what the next steps are.

Thx

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:21 PM

Posted 03 November 2010 - 05:53 PM

Please run TDSSKiller. Let's check we have no TDSS rootkit to deal with.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE
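The procedure above ends with a report file that the helper reads by eye. As an added example (not part of this thread, and not code from Kaspersky's TDSSKiller), the script below parses that report the way a responder would before posting it: it pulls the per-driver inventory lines (timestamp, service name, MD5, path) in the layout the tool printed later in this thread, extracts any "Suspicious file" verdict lines, and compares each inventory hash against a reference allowlist taken from a known-clean machine. The verdict-line layout, the sptd entries and the allowlist values are assumptions constructed for the demo; three of the hashes are copied from the report posted in this thread.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverEntry:
    name: str   # service/driver name exactly as TDSSKiller prints it
    md5: str    # hex MD5 of the driver image on disk
    path: str   # path the driver image was loaded from


# Every TDSSKiller line starts with "YYYY/MM/DD HH:MM:SS.mmmm "; strip it first.
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (.*)$")
# Inventory line: "<name> (<32 hex md5>) <path>"
ENTRY_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# Verdict line, ASSUMED layout: "Suspicious file (<reason>): <path>. md5: <md5>"
SUSP_RE = re.compile(r"^Suspicious file \((\w+)\): (.+)\. md5: ([0-9a-f]{32})$")

# Constructed sample report. The Accelerometer, ACPI and atapi lines reuse
# hashes from this thread's own TDSSKiller output; the sptd line and the
# verdict line are made up to show how a flagged file would be reported.
SAMPLE_LOG = r"""
2010/11/04 01:07:10.0328 Scan started
2010/11/04 01:07:10.0328 Mode: Manual;
2010/11/04 01:07:10.0968 Accelerometer (a0baabb7d3549460e3f8c5ad6f778683) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2010/11/04 01:07:11.0000 ACPI (d766e636187b8f240bbfbabcd51eb2c6) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/04 01:07:12.0046 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
2010/11/04 01:07:21.0000 sptd (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/04 01:07:21.0000 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 00112233445566778899aabbccddeeff
2010/11/04 01:07:30.0000 Scan finished
"""

# Constructed reference allowlist (name -> expected MD5). In practice this
# comes from a known-clean machine at the same patch level. The atapi value
# is deliberately wrong here so the "mismatch" path is exercised.
KNOWN_GOOD = {
    "accelerometer": "a0baabb7d3549460e3f8c5ad6f778683",
    "acpi": "d766e636187b8f240bbfbabcd51eb2c6",
    "atapi": "ffffffffffffffffffffffffffffffff",
}


def _payloads(text):
    """Yield each line with its timestamp prefix removed."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            yield m.group(1)


def parse_report(text):
    """Return the per-driver inventory entries, in report order."""
    entries = []
    for payload in _payloads(text):
        e = ENTRY_RE.match(payload)
        if e:
            entries.append(DriverEntry(e.group(1), e.group(2), e.group(3)))
    return entries


def flagged_files(text):
    """Return (reason, path, md5) for every verdict line in the report."""
    hits = []
    for payload in _payloads(text):
        s = SUSP_RE.match(payload)
        if s:
            hits.append((s.group(1), s.group(2), s.group(3)))
    return hits


def cross_check(entries, known_good):
    """Map each driver name to "ok", "mismatch" or "unknown" against the allowlist.

    "unknown" is not a verdict: it only means the reference has no entry, which
    is where a responder starts looking (vendor, signature, creation date).
    """
    result = {}
    for e in entries:
        expected = known_good.get(e.name.lower())
        if expected is None:
            result[e.name] = "unknown"
        elif expected == e.md5:
            result[e.name] = "ok"
        else:
            result[e.name] = "mismatch"
    return result


if __name__ == "__main__":
    entries = parse_report(SAMPLE_LOG)
    print(f"{len(entries)} drivers inventoried")
    for reason, path, md5 in flagged_files(SAMPLE_LOG):
        print(f"FLAGGED [{reason}] {path} md5={md5}")
    for name, verdict in cross_check(entries, KNOWN_GOOD).items():
        print(f"{verdict:9} {name}")
```

Run it on the real report.txt by replacing SAMPLE_LOG with the file contents; the "unknown" and "mismatch" rows are the ones worth pasting into a reply alongside the tool's own verdict lines, since a hash that differs from a clean reference is a stronger signal than a driver name alone.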

#7 abruijn

abruijn
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:21 PM

Posted 03 November 2010 - 07:17 PM

Report of TDSSKiller below.
Only one file was mentioned as suspected (sptd.sys); I have chosen "quarantine".

2010/11/04 01:07:00.0078 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43
2010/11/04 01:07:00.0078 ================================================================================
2010/11/04 01:07:00.0078 SystemInfo:
2010/11/04 01:07:00.0078
2010/11/04 01:07:00.0078 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/04 01:07:00.0078 Product type: Workstation
2010/11/04 01:07:00.0078 ComputerName: xxxxxxxxxxx
2010/11/04 01:07:00.0078 UserName: xxxxxxx
2010/11/04 01:07:00.0078 Windows directory: C:\WINDOWS
2010/11/04 01:07:00.0078 System windows directory: C:\WINDOWS
2010/11/04 01:07:00.0078 Processor architecture: Intel x86
2010/11/04 01:07:00.0078 Number of processors: 2
2010/11/04 01:07:00.0078 Page size: 0x1000
2010/11/04 01:07:00.0078 Boot type: Normal boot
2010/11/04 01:07:00.0078 ================================================================================
2010/11/04 01:07:01.0156 Initialize success
2010/11/04 01:07:10.0328 ================================================================================
2010/11/04 01:07:10.0328 Scan started
2010/11/04 01:07:10.0328 Mode: Manual;
2010/11/04 01:07:10.0328 ================================================================================
2010/11/04 01:07:10.0968 Accelerometer (a0baabb7d3549460e3f8c5ad6f778683) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2010/11/04 01:07:11.0000 ACPI (d766e636187b8f240bbfbabcd51eb2c6) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/04 01:07:11.0078 ACPIEC (49ac5cd87fbdda62f3e25190019e7627) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/11/04 01:07:11.0125 ADIHdAudAddService (2dc6ff5da4ea7ca1d4128a7541734b9f) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/11/04 01:07:11.0187 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
2010/11/04 01:07:11.0296 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/04 01:07:11.0328 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/04 01:07:11.0406 AgereSoftModem (07758c2196a62f207f77556311e7459a) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/11/04 01:07:11.0546 ahcix86 (746c6e7ae2c6449f3cf3cf0d5e3a9222) C:\WINDOWS\system32\drivers\ahcix86.sys
2010/11/04 01:07:11.0671 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2010/11/04 01:07:11.0781 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/04 01:07:11.0921 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2010/11/04 01:07:12.0015 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/04 01:07:12.0046 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
2010/11/04 01:07:12.0203 ati2mtag (c158eef3544eb812e36a1d7eba54eeaa) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/04 01:07:12.0328 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/04 01:07:12.0406 ATSwpWDF (a9f9d1d24441889beb1aa2b917457e23) C:\WINDOWS\system32\Drivers\ATSwpWDF.sys
2010/11/04 01:07:12.0578 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/04 01:07:12.0609 b57w2k (ea377a8e8e1000877210259750cbbf5f) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/11/04 01:07:12.0671 BCM43XX (c89327377d4b62dc792e8930ea55f571) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/11/04 01:07:12.0796 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/04 01:07:12.0890 btaudio (5bcf6090b825def29065bdbd59691dbe) C:\WINDOWS\system32\drivers\btaudio.sys
2010/11/04 01:07:13.0000 BTDriver (58a49bd10e08d3d4333a60dedcb1ced8) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/11/04 01:07:13.0062 BTKRNL (ef5e0de0a7ca2977a9255f36f4d915ab) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/11/04 01:07:13.0187 BTWDNDIS (80f61de965c116051614ac2f04222ff7) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/11/04 01:07:13.0234 BTWUSB (053dc5be74621b63bb48c2b86bafc7b0) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/11/04 01:07:13.0421 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/04 01:07:13.0468 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/04 01:07:13.0578 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/04 01:07:13.0609 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/04 01:07:13.0640 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/04 01:07:13.0750 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/04 01:07:13.0859 COH_Mon (6186b6b953bdc884f0f379b84b3e3a98) C:\WINDOWS\system32\Drivers\COH_Mon.sys
2010/11/04 01:07:13.0906 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/04 01:07:14.0093 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/04 01:07:14.0234 dmboot (82bc125a8ed33f5f0e75f2aac1065323) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/04 01:07:14.0312 dmio (e959ddc0ea7ac11ee5e5602e2a364310) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/04 01:07:14.0359 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/04 01:07:14.0421 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/04 01:07:14.0515 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/04 01:07:14.0609 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Programmi\File comuni\Symantec Shared\EENGINE\eeCtrl.sys
2010/11/04 01:07:14.0703 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys
2010/11/04 01:07:14.0796 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/11/04 01:07:14.0890 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys
2010/11/04 01:07:14.0968 Ext2fs (fbc0e085a5becba5dd3c401eeb6e45bb) C:\WINDOWS\system32\DRIVERS\ext2fs.sys
2010/11/04 01:07:15.0000 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/04 01:07:15.0046 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/04 01:07:15.0156 Fips (2cfea3326981a18c6baf2bd9be76225b) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/04 01:07:15.0171 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/04 01:07:15.0250 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/04 01:07:15.0281 FNETTBOH (a9e2df40ed6ec9e8885da72b6e1818f3) C:\WINDOWS\system32\drivers\FNETTBOH.SYS
2010/11/04 01:07:15.0328 FNETURPX (784ffba7ee5c5f3a396407e4712f72f0) C:\WINDOWS\system32\drivers\FNETURPX.SYS
2010/11/04 01:07:15.0375 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/04 01:07:15.0453 Ftdisk (f3269a6ee547ea87b949a1cea4816b38) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/04 01:07:15.0531 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/04 01:07:15.0593 HBtnKey (fc657b7751729efe54e2ff24f50e5bab) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2010/11/04 01:07:15.0625 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/04 01:07:15.0750 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/04 01:07:15.0781 hpdskflt (9f620e11b80b74f4dab50a81a5df357f) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
2010/11/04 01:07:15.0859 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
2010/11/04 01:07:15.0921 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/04 01:07:16.0062 hwdatacard (07853191b1bdee5b39be4cfcfe3b9ad4) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
2010/11/04 01:07:16.0125 hwusbfake (48e66dbb523a52d6320b0df70b7e213c) C:\WINDOWS\system32\DRIVERS\ewusbfake.sys
2010/11/04 01:07:16.0250 i8042prt (610726e28af55b95043c5c35a727e320) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/04 01:07:16.0343 idisw2km (da242c93d44675136c719cb1e83cd2a1) C:\WINDOWS\system32\DRIVERS\idisw2km.sys
2010/11/04 01:07:16.0406 IfsMount (f3f825fcc70471fd967126e1871b2cdc) C:\WINDOWS\system32\DRIVERS\ifsmount.sys
2010/11/04 01:07:16.0453 IFXTPM (91c5e9f49f32110ced27e2f902fad607) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2010/11/04 01:07:16.0546 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/04 01:07:16.0640 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/04 01:07:16.0687 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/04 01:07:16.0718 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/04 01:07:16.0812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/04 01:07:16.0859 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/04 01:07:16.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/04 01:07:16.0953 isapnp (0953594beb81cc72fcc62d37921b25a6) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/04 01:07:17.0046 Kbdclass (28b6eace513ca7eaba3b809ad4bc274d) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/04 01:07:17.0093 kbdhid (4c61c226bdda2ef1672b2c5f4e56625e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/04 01:07:17.0171 kbstuff (ee79516334a94d263c784958e1ed0ae4) C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
2010/11/04 01:07:17.0234 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/04 01:07:17.0281 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/04 01:07:17.0437 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/04 01:07:17.0500 Modem (8cb6636806d76b85fafaee94d75f5129) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/04 01:07:17.0578 Mouclass (e904ebed608055a2bfb824c07f59766c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/04 01:07:17.0609 mouhid (d7662f0cf5b77bbbe3202716f5bd5318) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/04 01:07:17.0656 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/04 01:07:17.0687 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/04 01:07:17.0750 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/04 01:07:17.0890 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/04 01:07:17.0953 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/04 01:07:17.0984 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/04 01:07:18.0015 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/04 01:07:18.0062 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/04 01:07:18.0140 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/11/04 01:07:18.0218 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/04 01:07:18.0234 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/11/04 01:07:18.0359 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20101103.002\NAVENG.SYS
2010/11/04 01:07:18.0421 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20101103.002\NAVEX15.SYS
2010/11/04 01:07:18.0515 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/04 01:07:18.0546 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/11/04 01:07:18.0593 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/04 01:07:18.0625 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/04 01:07:18.0656 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/04 01:07:18.0750 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/04 01:07:18.0765 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/04 01:07:18.0796 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/04 01:07:18.0859 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/04 01:07:18.0921 nmwcd (c82f4cc10ad315b6d6bcb14d0a7cad66) C:\WINDOWS\system32\drivers\ccdcmb.sys
2010/11/04 01:07:19.0031 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/04 01:07:19.0062 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/04 01:07:19.0156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/04 01:07:19.0203 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/04 01:07:19.0234 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/04 01:07:19.0296 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/04 01:07:19.0343 Parport (4e9408a178b2d955871c2cdd278de3c3) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/04 01:07:19.0375 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/04 01:07:19.0421 ParVdm (0dabef655a444cb1e193626fb1d24b9f) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/04 01:07:19.0500 PCI (f40a46892afebb0314536b849d57c11e) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/04 01:07:19.0578 Pcmcia (815c50f2b1d1562800bdce8be895000e) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/04 01:07:19.0812 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/04 01:07:19.0875 prepdrvr (9b322103efe09f5f4a957af62b0387b1) C:\WINDOWS\system32\CCM\prepdrv.sys
2010/11/04 01:07:19.0968 Processor (b479f50e883b2297a5f7f212aaee6f6c) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/04 01:07:20.0031 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/04 01:07:20.0078 PSI (1df21f001f3a94eba4a2950c70cc358f) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
2010/11/04 01:07:20.0109 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/04 01:07:20.0140 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/04 01:07:20.0218 QCFilterhp (0cd1962f0577d96a076c499dbf9fee84) C:\WINDOWS\system32\DRIVERS\qcfilterhp.sys
2010/11/04 01:07:20.0281 qcusbnethp (f6f7657639f8a5831e8e8d8cb4480a6c) C:\WINDOWS\system32\DRIVERS\qcusbnethp.sys
2010/11/04 01:07:20.0343 qcusbserhp (b8030aeecdbdf68894810c6910291035) C:\WINDOWS\system32\DRIVERS\qcusbserhp.sys
2010/11/04 01:07:20.0500 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/04 01:07:20.0531 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/04 01:07:20.0593 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/04 01:07:20.0640 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/04 01:07:20.0687 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/04 01:07:20.0718 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/04 01:07:20.0796 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/04 01:07:20.0875 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/04 01:07:20.0937 redbook (393fc252593323b624b230eca6b85e63) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/04 01:07:21.0093 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/04 01:07:21.0156 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/04 01:07:21.0218 Serial (fdbd9d64e2e03270021d424f0dccf79d) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/04 01:07:21.0296 SFAUDIO (b6401608579b6431994425ba7653f774) C:\WINDOWS\system32\drivers\sfaudio.sys
2010/11/04 01:07:21.0343 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/11/04 01:07:21.0421 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/11/04 01:07:21.0546 SNP2UVC (50660e6b082a7bf86751a003c3bb5210) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2010/11/04 01:07:21.0703 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/11/04 01:07:21.0796 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/04 01:07:21.0859 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/04 01:07:21.0859 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/11/04 01:07:21.0859 sptd - detected Locked file (1)
2010/11/04 01:07:21.0953 sr (618718cae288bf7cbd8fcbab2577d932) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/04 01:07:22.0000 SRTSP (5a293729e1f9fce3a2106d1f5dc5e98a) C:\WINDOWS\system32\Drivers\SRTSP.SYS
2010/11/04 01:07:22.0062 SRTSPL (0ddb7fba32be09d8057063c0cee24137) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
2010/11/04 01:07:22.0187 SRTSPX (a99719dfb61b61aa5026341bbb733c0a) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
2010/11/04 01:07:22.0234 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/04 01:07:22.0343 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/11/04 01:07:22.0390 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/04 01:07:22.0421 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/04 01:07:22.0531 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2010/11/04 01:07:22.0703 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/11/04 01:07:22.0765 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/11/04 01:07:22.0906 SynTP (0e8676fb3bb95aa40fdf7a4a31018c8b) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/11/04 01:07:22.0984 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/04 01:07:23.0062 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/04 01:07:23.0203 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/04 01:07:23.0250 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/04 01:07:23.0296 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/04 01:07:23.0406 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/04 01:07:23.0515 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/04 01:07:23.0625 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/04 01:07:23.0687 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/04 01:07:23.0750 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/04 01:07:23.0796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/04 01:07:23.0875 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/04 01:07:23.0984 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/04 01:07:24.0031 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/04 01:07:24.0125 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/04 01:07:24.0203 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/11/04 01:07:24.0265 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/04 01:07:24.0328 VolSnap (e46c1b5a56da7da603d09dfcc79ec59e) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/04 01:07:24.0421 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/04 01:07:24.0500 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/11/04 01:07:24.0625 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/04 01:07:24.0718 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/11/04 01:07:24.0781 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/11/04 01:07:24.0875 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/04 01:07:24.0921 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/04 01:07:25.0187 ================================================================================
2010/11/04 01:07:25.0187 Scan finished
2010/11/04 01:07:25.0187 ================================================================================
2010/11/04 01:07:25.0218 Detected object count: 1
2010/11/04 01:08:30.0578 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/04 01:08:30.0578 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/11/04 01:08:30.0609 C:\WINDOWS\system32\Drivers\sptd.sys - quarantined
2010/11/04 01:08:30.0625 Locked file(sptd) - User select action: Quarantine
2010/11/04 01:09:43.0031 Deinitialize success

Edited by abruijn, 03 November 2010 - 07:19 PM.
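The TDSSKiller log above lists every loaded driver with its MD5 and path, then records the single object it flagged (sptd.sys, "Suspicious file (NoAccess)" and "detected Locked file") and the Quarantine action the user chose. The Python script below is an added example for this thread, not TDSSKiller's own code: it parses lines in that format into driver records and detection events and joins them by path, so a responder can pull the flagged drivers, their hashes and the action taken out of a long log in one pass. The embedded sample is a constructed excerpt in the same format as the posted log, and the regular expressions cover only the line shapes visible there.

```python
"""Parse TDSSKiller log lines and correlate driver listings with detections.

Added example for the thread above; not TDSSKiller's own code. The regexes
cover only the line shapes that appear in the posted log.
"""
import re

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
DRIVER_RE = re.compile(rf"^({TS}) (\S+) \(([0-9a-f]{{32}})\) (.+)$")
SUSPICIOUS_RE = re.compile(rf"^({TS}) Suspicious file \(([^)]+)\): (.+?)\. md5: ([0-9a-f]{{32}})$")
DETECTED_RE = re.compile(rf"^({TS}) (\S+) - detected (.+?) \((\d+)\)$")
QUARANTINED_RE = re.compile(rf"^({TS}) (.+?) - quarantined$")
ACTION_RE = re.compile(rf"^({TS}) (.+?)\(([^)]+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(rf"^({TS}) Detected object count: (\d+)$")

# Constructed excerpt in the same format as the posted log (not the full log).
SAMPLE_LOG = r"""
2010/11/04 01:07:21.0796 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/04 01:07:21.0859 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/04 01:07:21.0859 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/11/04 01:07:21.0859 sptd - detected Locked file (1)
2010/11/04 01:07:21.0953 sr (618718cae288bf7cbd8fcbab2577d932) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/04 01:07:25.0218 Detected object count: 1
2010/11/04 01:08:30.0609 C:\WINDOWS\system32\Drivers\sptd.sys - quarantined
2010/11/04 01:08:30.0625 Locked file(sptd) - User select action: Quarantine
"""


def parse_tdsskiller(text):
    """Split a TDSSKiller log into driver records and the events about them."""
    drivers = {}         # service name -> {"ts", "md5", "path"} (last listing wins)
    suspicious = []      # {"ts", "reason", "path", "md5"}
    detections = []      # {"ts", "name", "what"}
    quarantined = set()  # lower-cased paths reported as quarantined
    actions = []         # {"ts", "what", "name", "action"}
    count = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUSPICIOUS_RE.match(line):
            suspicious.append({"ts": m[1], "reason": m[2], "path": m[3], "md5": m[4]})
        elif m := DETECTED_RE.match(line):
            detections.append({"ts": m[1], "name": m[2], "what": m[3]})
        elif m := QUARANTINED_RE.match(line):
            quarantined.add(m[2].lower())
        elif m := ACTION_RE.match(line):
            actions.append({"ts": m[1], "what": m[2].strip(), "name": m[3], "action": m[4]})
        elif m := COUNT_RE.match(line):
            count = int(m[2])
        elif m := DRIVER_RE.match(line):
            drivers[m[2]] = {"ts": m[1], "md5": m[3], "path": m[4]}
    return {"drivers": drivers, "suspicious": suspicious, "detections": detections,
            "quarantined": quarantined, "actions": actions, "count": count}


def flagged_drivers(parsed):
    """Join 'Suspicious file' events back to the driver listing by path."""
    by_path = {rec["path"].lower(): name for name, rec in parsed["drivers"].items()}
    detected = {d["name"]: d["what"] for d in parsed["detections"]}
    chosen = {a["name"]: a["action"] for a in parsed["actions"]}
    out = []
    for s in parsed["suspicious"]:
        key = s["path"].lower()
        name = by_path.get(key)
        listing = parsed["drivers"].get(name, {})
        out.append({
            "name": name,
            "path": s["path"],
            "md5": s["md5"],
            "reason": s["reason"],
            "detection": detected.get(name),
            "action": chosen.get(name),
            "quarantined": key in parsed["quarantined"],
            # A hash that differs between the listing and the detection line would
            # mean the file changed on disk between the scan and the action.
            "hash_consistent": listing.get("md5") == s["md5"],
        })
    return out


if __name__ == "__main__":
    for row in flagged_drivers(parse_tdsskiller(SAMPLE_LOG)):
        print(f"{row['name']}: {row['path']} md5={row['md5']} reason={row['reason']} "
              f"detection={row['detection']} action={row['action']} "
              f"quarantined={row['quarantined']} hash_consistent={row['hash_consistent']}")
```

A "Locked file" / "NoAccess" hit is a lead, not a verdict: a driver that refuses read access to user mode is also what a legitimately self-protecting driver looks like (sptd.sys is the SCSI Pass Through Direct driver installed by Daemon Tools and Alcohol 120%, and is routinely reported this way by rootkit scanners), so the MD5 and path the script extracts should be compared against the vendor's file before the entry is treated as malicious.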


#8 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 November 2010 - 07:33 PM

While the suspect file is quarantined, let's get in there with a removal tool.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 abruijn
  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2010 - 03:31 AM

I will try this, but I have to say that it's impossible for me to turn off the antivirus (Symantec Endpoint Protection), because the option "Disable Antivirus and Antispyware Protection" is dimmed in the menu.

#10 abruijn
  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2010 - 04:36 AM

ComboFix report:


ComboFix 10-11-03.01 - 945011u 2010-11-04 10.06.41.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1789.1179 [GMT 1:00]
Running from: c:\documents and settings\945011u\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://wsustrn1.fiatauto.com:8530
.
((((((((((((((((((((((((( Files Created From 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))))))
.

2010-11-04 00:08 . 2010-11-04 00:08 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-30 22:05 . 2010-10-30 22:05 -------- d-----w- c:\programmi\Astroburn Lite
2010-10-25 12:56 . 2010-10-25 12:57 -------- dc-h--w- c:\windows\ie8
2010-10-19 07:09 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 07:09 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 07:09 . 2010-08-27 05:58 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-19 07:09 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-19 07:09 . 2010-09-10 05:49 66560 -c--a-w- c:\windows\system32\dllcache\mshtmled.dll
2010-10-19 07:09 . 2010-07-16 12:05 1287680 -c----w- c:\windows\system32\dllcache\ole32.dll
2010-10-18 22:45 . 2010-10-18 22:45 8192 ----a-w- c:\programmi\Mozilla Firefox\plugins\nprjplug.dll
2010-10-18 22:45 . 2010-10-18 22:45 140864 ----a-w- c:\programmi\Mozilla Firefox\plugins\nppl3260.dll
2010-10-18 22:45 . 2010-10-18 22:45 98304 ----a-w- c:\programmi\Mozilla Firefox\plugins\nprpjplug.dll
2010-10-18 22:45 . 2010-10-18 22:45 -------- d-----w- c:\programmi\File comuni\xing shared
2010-10-18 22:44 . 2010-10-18 22:44 569397 ----a-w- c:\programmi\Internet Explorer\PLUGINS\RichFX\Player\nprfxins.dll
2010-10-17 15:13 . 2010-06-03 17:17 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
2010-10-17 12:55 . 2010-10-17 12:55 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\hpqLog
2010-10-17 12:55 . 2010-10-17 12:55 -------- d-----w- c:\documents and settings\945011u\Dati applicazioni\hpqLog
2010-10-15 10:31 . 2010-10-15 10:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\ATI
2010-10-14 23:44 . 2010-10-14 23:44 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-10-13 19:19 . 2010-10-13 19:19 -------- d-----w- c:\programmi\File comuni\Java
2010-10-13 19:19 . 2010-10-13 19:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-07 06:59 . 2010-08-17 13:17 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-07 06:59 . 2010-06-18 17:45 293888 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-10-07 06:59 . 2010-04-16 15:37 406016 -c----w- c:\windows\system32\dllcache\usp10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-18 22:44 . 2008-10-07 07:46 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-14 10:41 . 2009-12-03 08:47 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-14 10:41 . 2009-12-03 08:47 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 19:18 . 2010-08-30 09:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 10:23 . 2006-03-02 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2006-03-02 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2006-03-02 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2006-03-02 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-17 20:08 . 2010-09-17 20:11 4573184 ----a-w- C:\unetbtin.exe
2010-09-17 18:49 . 2009-12-08 19:18 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-09-17 17:13 . 2010-09-17 17:13 7936 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-09-17 17:13 . 2010-09-17 17:13 23680 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-09-10 05:49 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:49 . 2006-03-02 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:49 . 2006-03-02 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 09:17 . 2010-09-08 09:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 09:17 . 2010-09-08 09:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2006-03-02 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 07:54 . 2006-03-02 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2006-03-02 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:58 . 2006-03-02 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-27 05:13 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 13:39 . 2006-03-02 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-23 16:12 . 2006-03-02 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:44 . 2006-03-02 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2007-12-11 07:55 . 2008-10-07 10:02 626688 ----a-w- c:\programmi\File comuni\sapconsaccess.dll
2007-12-11 07:55 . 2008-10-07 10:02 3125248 ----a-w- c:\programmi\File comuni\sapxlhelper.dll
2007-12-11 07:55 . 2008-10-07 10:02 192512 ----a-w- c:\programmi\File comuni\sapconsr3.dll
2007-12-11 07:55 . 2008-10-07 10:02 40960 ----a-w- c:\programmi\File comuni\DigitalSignature.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate/default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"Communicator"="c:\programmi\Microsoft Office Communicator\communicator.exe" [2010-06-30 5143904]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2010-10-18 202256]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\945011u\Menu Avvio\Programmi\Esecuzione automatica\
Secunia PSI.lnk - c:\programmi\Secunia\PSI\psi.exe [2010-7-21 965176]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-12 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TTWlx]
2009-12-16 15:54 98816 ----a-w- c:\windows\system32\TTWlx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-996514917-3143290021-2358634072-232347\Scripts\Logon\0\0]
"Script"=cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-996514917-3143290021-2358634072-232347\Scripts\Logon\1\0]
"Script"=UserComputer_V3.1.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^945011u^Menu Avvio^Programmi^Esecuzione automatica^Secunia PSI.lnk]
path=c:\documents and settings\945011u\Menu Avvio\Programmi\Esecuzione automatica\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-06 00:06 135664 ----atw- c:\documents and settings\945011u\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=
"c:\\Documents and Settings\\945011u\\Impostazioni locali\\Dati applicazioni\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\945011u\\Impostazioni locali\\Dati applicazioni\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2701:TCP"= 2701:TCP:SMS general contact, reboot, and ping
"2702:TCP"= 2702:TCP:SMS Remote Control
"2703:TCP"= 2703:TCP:SMS Chat
"2704:TCP"= 2704:TCP:SMS File Transfer
"135:TCP"= 135:TCP:RPC

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-09-22 16.45.11 164352]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 9.14.02 24064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-08 20.18.03 691696]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2009-12-03 19.20.10 181120]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-09-17 18.13.31 7936]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2009-12-03 19.20.10 51072]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\programmi\Cobian Backup 10\cbVSCService.exe [2010-09-16 10.43.01 67584]
R2 DisplayLinkService;DisplayLink Service;c:\programmi\DisplayLink Core Software\DisplayLinkService.exe [2009-03-10 6.47.47 447848]
R2 mdvauthsrv;HP Connectivity Authentication Service;c:\programmi\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe [2009-03-26 5.47.52 399848]
R2 mdvsrv;HP Connection Manager Service;c:\programmi\HPQ\HP Connection Manager 2\bin\mdvsrv.exe [2009-03-26 5.47.52 281064]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-01-14 14.56.46 345336]
R2 TomTomHOMEService;TomTomHOMEService;d:\programmi\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 10.38.18 92008]
R3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-10-07 15.13.50 227896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 16.25.43 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-10-06 7.46.24 44800]
S2 gupdate;Google Update Service (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-30 22.58.53 135664]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-06 7.46.21 475520]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-22 15.33.46 23888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-09-17 21.58.19 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-09-17 21.58.19 8456]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-09-17 18.13.31 23680]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\programmi\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-08 13.56.58 30192]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-06-22 13.55.34 103168]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-07-07 15.05.32 14904]
S3 QCFilterhp;HP USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterhp.sys [2009-06-25 8.13.58 5248]
S3 qcusbnethp;HP USB-NDIS miniport;c:\windows\system32\drivers\qcusbnethp.sys [2009-06-25 8.13.58 115200]
S3 qcusbserhp;HP USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserhp.sys [2009-06-25 8.13.53 104448]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\DRIVERS\SCR3XX2K.sys --> c:\windows\system32\DRIVERS\SCR3XX2K.sys [?]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\DRIVERS\Stc2Dfu.SYS --> c:\windows\system32\DRIVERS\Stc2Dfu.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac66a6de5dab6.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-30 21:58]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-30 21:58]

2010-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-996514917-3143290021-2358634072-232347Core.job
- c:\documents and settings\945011u\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-12-06 00:06]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-996514917-3143290021-2358634072-232347UA.job
- c:\documents and settings\945011u\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-12-06 00:06]

2010-11-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-996514917-3143290021-2358634072-232347.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]

2010-10-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-996514917-3143290021-2358634072-232347.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://agfonline.taif.com/Pages/Home%20Page/agfonline.aspx
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to &Evernote - d:\programmi\Evernote\Evernote3.5\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download Link Using Mega Manager... - c:\programmi\Megaupload\Mega Manager\mm_file.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - d:\programmi\Evernote\Evernote3.5\enbar.dll
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://codep/forms/jinitiator/jinit.exe
.
- - - - ORPHANED KEYS REMOVED - - - -

SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 10:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\TTWlx.dll
.
Scan completion time: 2010-11-04 10:13:46
ComboFix-quarantined-files.txt 2010-11-04 09:13

Pre-Run: 17,904,545,792 bytes free
Post-Run: 17,878,994,944 bytes free

- - End Of File - - 93ADC991184BFF4EA549D7BFC2F9631D
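The service and driver lines in the ComboFix log above (R0 sptd;..., S3 SCR3xx USB Smart Card Reader;...) pack several facts into one line each: the R/S letter is running or stopped, the digit is the Windows service Start value (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then the service name, display name, image path, and either the file's timestamp and size in brackets or "--> path [?]" when the registered binary is not on disk. The script below is an added example for this thread, not ComboFix's own code: it parses those lines and applies the triage a responder does by eye, flagging boot/system-start drivers (which load before any user-mode security tool), files written inside a lookback window, and registered services whose file is missing. The sample lines are constructed from the format in the posted log; the scan date and the 60-day window are assumptions chosen for the example.

```python
"""Triage the service/driver lines (R0 ... S3 ...) of a ComboFix log.

Added example for the thread above; not ComboFix's own code. Line shape:
  <R|S><start> <name>;<display name>;<path> [<yyyy-mm-dd> <hh.mm.ss> <size>]
or, when the registered binary is not on disk:
  <R|S><start> <name>;<display name>;<path> --> <path> [?]
"""
import re
from datetime import datetime, timedelta

SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PRESENT_RE = re.compile(r"^(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}\.\d{2}\.\d{2}) (?P<size>\d+)\]$")
MISSING_RE = re.compile(r"^(?P<path>.+?) --> .+ \[\?\]$")

# Windows service Start values, which ComboFix appends to the R/S state letter.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Assumed scan date, taken from the header of the posted log.
SCAN_DATE = datetime(2010, 11, 4)

# Constructed sample in the same format as the posted log (not the full log).
SAMPLE_LINES = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-08 20.18.03 691696]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-09-17 18.13.31 7936]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\programmi\Cobian Backup 10\cbVSCService.exe [2010-09-16 10.43.01 67584]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-09-17 21.58.19 13192]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\DRIVERS\SCR3XX2K.sys --> c:\windows\system32\DRIVERS\SCR3XX2K.sys [?]
""".strip().splitlines()


def parse_service_line(line):
    """Return a dict for one R/S line, or None if the line is not a service entry."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "name": m["name"],
        "display": m["display"],
        "running": m["state"] == "R",
        "start_type": START_TYPES[m["start"]],
        "path": None, "mtime": None, "size": None, "missing": False,
    }
    rest = m["rest"]
    if p := PRESENT_RE.match(rest):
        rec["path"] = p["path"]
        rec["mtime"] = datetime.strptime(f"{p['date']} {p['time']}", "%Y-%m-%d %H.%M.%S")
        rec["size"] = int(p["size"])
    elif q := MISSING_RE.match(rest):
        rec["path"] = q["path"]
        rec["missing"] = True
    else:
        rec["path"] = rest  # unrecognised tail: keep it raw rather than drop the entry
    return rec


def triage(lines, scan_date=SCAN_DATE, recent_days=60):
    """Parse every service line and attach triage flags (the window is an assumption)."""
    cutoff = scan_date - timedelta(days=recent_days)
    rows = []
    for line in lines:
        rec = parse_service_line(line)
        if rec is None:
            continue
        flags = set()
        if rec["missing"]:
            flags.add("missing_file")   # registered service, binary gone: orphan or stub
        if rec["start_type"] in ("boot", "system"):
            flags.add("early_start")    # loads before user-mode security software
        if rec["mtime"] is not None and rec["mtime"] >= cutoff:
            flags.add("recent")         # file written inside the lookback window
        rec["flags"] = flags
        rows.append(rec)
    # Most interesting first: more flags, then earliest start type, then name.
    order = {"boot": 0, "system": 1, "auto": 2, "manual": 3, "disabled": 4}
    rows.sort(key=lambda r: (-len(r["flags"]), order[r["start_type"]], r["name"].lower()))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        state = "running" if r["running"] else "stopped"
        print(f"{r['name']:<32} {state:<8} {r['start_type']:<8} "
              f"{','.join(sorted(r['flags'])) or '-':<24} {r['path']}")
```

On the sample, FNETURPX sorts first (system-start and written within the window), then sptd (boot-start), while the smart-card reader entry is reported only as a missing binary. None of these flags is a verdict; they order the list so that the entries worth checking against vendor files and install history come first.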

#11 abruijn
  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2010 - 04:56 AM

SECOND RUN ..... I had forgotten to rename the file to comfix.exe.

ComboFix 10-11-03.01 - 945011u 2010-11-04 10.48.32.10.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1789.1161 [GMT 1:00]
Running from: c:\documents and settings\945011u\Desktop\comfix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created From 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))))))
.

2010-11-04 00:08 . 2010-11-04 00:08 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-30 22:05 . 2010-10-30 22:05 -------- d-----w- c:\programmi\Astroburn Lite
2010-10-25 12:56 . 2010-10-25 12:57 -------- dc-h--w- c:\windows\ie8
2010-10-19 07:09 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 07:09 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 07:09 . 2010-08-27 05:58 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-19 07:09 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-19 07:09 . 2010-09-10 05:49 66560 -c--a-w- c:\windows\system32\dllcache\mshtmled.dll
2010-10-19 07:09 . 2010-07-16 12:05 1287680 -c----w- c:\windows\system32\dllcache\ole32.dll
2010-10-18 22:45 . 2010-10-18 22:45 8192 ----a-w- c:\programmi\Mozilla Firefox\plugins\nprjplug.dll
2010-10-18 22:45 . 2010-10-18 22:45 140864 ----a-w- c:\programmi\Mozilla Firefox\plugins\nppl3260.dll
2010-10-18 22:45 . 2010-10-18 22:45 98304 ----a-w- c:\programmi\Mozilla Firefox\plugins\nprpjplug.dll
2010-10-18 22:45 . 2010-10-18 22:45 -------- d-----w- c:\programmi\File comuni\xing shared
2010-10-18 22:44 . 2010-10-18 22:44 569397 ----a-w- c:\programmi\Internet Explorer\PLUGINS\RichFX\Player\nprfxins.dll
2010-10-17 15:13 . 2010-06-03 17:17 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
2010-10-17 12:55 . 2010-10-17 12:55 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\hpqLog
2010-10-17 12:55 . 2010-10-17 12:55 -------- d-----w- c:\documents and settings\945011u\Dati applicazioni\hpqLog
2010-10-15 10:31 . 2010-10-15 10:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\ATI
2010-10-14 23:44 . 2010-10-14 23:44 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-10-13 19:19 . 2010-10-13 19:19 -------- d-----w- c:\programmi\File comuni\Java
2010-10-13 19:19 . 2010-10-13 19:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-07 06:59 . 2010-08-17 13:17 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-07 06:59 . 2010-06-18 17:45 293888 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-10-07 06:59 . 2010-04-16 15:37 406016 -c----w- c:\windows\system32\dllcache\usp10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-18 22:44 . 2008-10-07 07:46 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-14 10:41 . 2009-12-03 08:47 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-14 10:41 . 2009-12-03 08:47 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 19:18 . 2010-08-30 09:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 10:23 . 2006-03-02 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2006-03-02 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2006-03-02 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2006-03-02 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-17 20:08 . 2010-09-17 20:11 4573184 ----a-w- C:\unetbtin.exe
2010-09-17 18:49 . 2009-12-08 19:18 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-09-17 17:13 . 2010-09-17 17:13 7936 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-09-17 17:13 . 2010-09-17 17:13 23680 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-09-10 05:49 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:49 . 2006-03-02 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:49 . 2006-03-02 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 09:17 . 2010-09-08 09:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 09:17 . 2010-09-08 09:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2006-03-02 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 07:54 . 2006-03-02 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2006-03-02 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:58 . 2006-03-02 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-27 05:13 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 13:39 . 2006-03-02 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-23 16:12 . 2006-03-02 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:44 . 2006-03-02 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2007-12-11 07:55 . 2008-10-07 10:02 626688 ----a-w- c:\programmi\File comuni\sapconsaccess.dll
2007-12-11 07:55 . 2008-10-07 10:02 3125248 ----a-w- c:\programmi\File comuni\sapxlhelper.dll
2007-12-11 07:55 . 2008-10-07 10:02 192512 ----a-w- c:\programmi\File comuni\sapconsr3.dll
2007-12-11 07:55 . 2008-10-07 10:02 40960 ----a-w- c:\programmi\File comuni\DigitalSignature.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"Communicator"="c:\programmi\Microsoft Office Communicator\communicator.exe" [2010-06-30 5143904]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2010-10-18 202256]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\945011u\Menu Avvio\Programmi\Esecuzione automatica\
Secunia PSI.lnk - c:\programmi\Secunia\PSI\psi.exe [2010-7-21 965176]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-12 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TTWlx]
2009-12-16 15:54 98816 ----a-w- c:\windows\system32\TTWlx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-996514917-3143290021-2358634072-232347\Scripts\Logon\0\0]
"Script"=cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-996514917-3143290021-2358634072-232347\Scripts\Logon\1\0]
"Script"=UserComputer_V3.1.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^945011u^Menu Avvio^Programmi^Esecuzione automatica^Secunia PSI.lnk]
path=c:\documents and settings\945011u\Menu Avvio\Programmi\Esecuzione automatica\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-06 00:06 135664 ----atw- c:\documents and settings\945011u\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=
"c:\\Documents and Settings\\945011u\\Impostazioni locali\\Dati applicazioni\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\945011u\\Impostazioni locali\\Dati applicazioni\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2701:TCP"= 2701:TCP:SMS general contact, reboot, and ping
"2702:TCP"= 2702:TCP:SMS Remote Control
"2703:TCP"= 2703:TCP:SMS Chat
"2704:TCP"= 2704:TCP:SMS File Transfer
"135:TCP"= 135:TCP:RPC

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-09-22 16.45.11 164352]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 9.14.02 24064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-08 20.18.03 691696]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2009-12-03 19.20.10 181120]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-09-17 18.13.31 7936]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2009-12-03 19.20.10 51072]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\programmi\Cobian Backup 10\cbVSCService.exe [2010-09-16 10.43.01 67584]
R2 DisplayLinkService;DisplayLink Service;c:\programmi\DisplayLink Core Software\DisplayLinkService.exe [2009-03-10 6.47.47 447848]
R2 mdvauthsrv;HP Connectivity Authentication Service;c:\programmi\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe [2009-03-26 5.47.52 399848]
R2 mdvsrv;HP Connection Manager Service;c:\programmi\HPQ\HP Connection Manager 2\bin\mdvsrv.exe [2009-03-26 5.47.52 281064]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-01-14 14.56.46 345336]
R2 TomTomHOMEService;TomTomHOMEService;d:\programmi\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 10.38.18 92008]
R3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-10-07 15.13.50 227896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 16.25.43 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-10-06 7.46.24 44800]
S2 gupdate;Google Update Service (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-30 22.58.53 135664]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-06 7.46.21 475520]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-22 15.33.46 23888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-09-17 21.58.19 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-09-17 21.58.19 8456]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-09-17 18.13.31 23680]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\programmi\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-08 13.56.58 30192]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-06-22 13.55.34 103168]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-07-07 15.05.32 14904]
S3 QCFilterhp;HP USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterhp.sys [2009-06-25 8.13.58 5248]
S3 qcusbnethp;HP USB-NDIS miniport;c:\windows\system32\drivers\qcusbnethp.sys [2009-06-25 8.13.58 115200]
S3 qcusbserhp;HP USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserhp.sys [2009-06-25 8.13.53 104448]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\DRIVERS\SCR3XX2K.sys --> c:\windows\system32\DRIVERS\SCR3XX2K.sys [?]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\DRIVERS\Stc2Dfu.SYS --> c:\windows\system32\DRIVERS\Stc2Dfu.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac66a6de5dab6.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-30 21:58]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-30 21:58]

2010-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-996514917-3143290021-2358634072-232347Core.job
- c:\documents and settings\945011u\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-12-06 00:06]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-996514917-3143290021-2358634072-232347UA.job
- c:\documents and settings\945011u\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-12-06 00:06]

2010-11-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-996514917-3143290021-2358634072-232347.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]

2010-10-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-996514917-3143290021-2358634072-232347.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://agfonline.taif.com/Pages/Home%20Page/agfonline.aspx
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to &Evernote - d:\programmi\Evernote\Evernote3.5\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download Link Using Mega Manager... - c:\programmi\Megaupload\Mega Manager\mm_file.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - d:\programmi\Evernote\Evernote3.5\enbar.dll
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://codep/forms/jinitiator/jinit.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 10:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\TTWlx.dll

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
Completion time: 2010-11-04 10:53:05
ComboFix-quarantined-files.txt 2010-11-04 09:53
ComboFix2.txt 2010-11-04 09:13

Pre-Run: 17,893,720,064 bytes free
Post-Run: 17,873,137,664 bytes free

- - End Of File - - 3B3B1941B565A64EF316F39474D010DB
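A first pass over a ComboFix log like the one above can be scripted. The following Python is an added example for this thread, not part of the original post and not ComboFix's own code. It embeds a handful of lines copied from the log above as constructed sample input and shortlists three things a responder checks first in the services section and the firewall section: services whose registered binary was not found on disk (the `--> ... [?]` entries), drivers whose file date falls shortly before the reported crash, and standard-profile allow rules for privileged ports (below 1024). The incident date and the 45-day window are assumptions chosen for the example.

```python
"""Triage helpers for the service/driver and firewall sections of a ComboFix log (added example)."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the ComboFix log above, not the whole log.
SAMPLE_LOG = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-08 20.18.03 691696]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-09-17 18.13.31 7936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-10-06 7.46.24 44800]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-09-17 18.13.31 23680]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-09-17 21.58.19 13192]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\DRIVERS\SCR3XX2K.sys --> c:\windows\system32\DRIVERS\SCR3XX2K.sys [?]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\DRIVERS\Stc2Dfu.SYS --> c:\windows\system32\DRIVERS\Stc2Dfu.SYS [?]
"2701:TCP"= 2701:TCP:SMS general contact, reboot, and ping
"135:TCP"= 135:TCP:RPC
"""

# ComboFix service line: "<R|S><n> name;description;path [YYYY-MM-DD HH.MM.SS size]"
# or, for a registered file that is not on disk: "... path --> path [?]".
SERVICE_RE = re.compile(r"^(R\d|S\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# Firewall GloballyOpenPorts line: '"2701:TCP"= 2701:TCP:description'
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


@dataclass
class Service:
    start: str              # R = running, S = stopped; the digit is the start type
    name: str
    description: str
    path: str
    mtime: Optional[date]   # None when ComboFix could not find the file
    size: Optional[int]
    missing: bool


def parse_services(text: str) -> List[Service]:
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, desc, path, info = m.groups()
        path = path.split(" --> ")[0].strip()
        if info.strip() == "?":
            services.append(Service(start, name, desc, path, None, None, True))
            continue
        day, _clock, size = info.split()
        mtime = datetime.strptime(day, "%Y-%m-%d").date()
        services.append(Service(start, name, desc, path, mtime, int(size), False))
    return services


def parse_open_ports(text: str) -> List[Tuple[int, str, str]]:
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return ports


def triage(text: str, incident_day: str, window_days: int = 45) -> dict:
    """Shortlist entries worth a manual look; incident_day is ISO 'YYYY-MM-DD' (an assumption here)."""
    incident = date.fromisoformat(incident_day)
    services = parse_services(text)
    missing = [s.name for s in services if s.missing]
    recent = [s.name for s in services
              if s.mtime is not None and 0 <= (incident - s.mtime).days <= window_days]
    # Port 135/TCP is the RPC endpoint mapper; an allow rule for it in the standard
    # profile exposes it to every network that profile applies to.
    privileged = [p for p in parse_open_ports(text) if p[0] < 1024]
    return {"missing_files": missing, "recent_drivers": recent, "privileged_open_ports": privileged}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "2010-10-16").items():
        print(f"{key}: {value}")
```

The shortlist is a starting point, not a verdict: a missing driver file usually means a device whose software was removed without unregistering the service, and the log's own Find3M report shows several other files written on 2010-09-17, so a shared timestamp is weak evidence on its own. Run the full log through it and check each flagged name by hand.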

#12 m0le (Malware Response Team)

Posted 04 November 2010 - 05:24 PM

That's better. Please run MBAM next.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#13 abruijn (Topic Starter)

Posted 04 November 2010 - 07:18 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5046

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-11-05 1.15.29
mbam-log-2010-11-05 (01-15-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 286655
Time elapsed: 1 hour(s), 34 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 m0le (Malware Response Team)

Posted 04 November 2010 - 07:23 PM

Oh nice.

Please run ESET's online scanner next. There seems to be no sign of any traces of malware (I never trust that :))

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#15 abruijn (Topic Starter)

Posted 05 November 2010 - 08:08 AM

ESETScan LOG

D:\@---PERSONALE---\@SOFTWARE\unlocker1.8.8.exe Win32/Adware.ADON application deleted - quarantined