Redirect virus


  • This topic is locked
18 replies to this topic

#1 franzpik

  • Members
  • 9 posts

Posted 27 April 2013 - 08:27 AM

Hello everyone,

my name is Francesca and I'm from Florence (Italy).

In the last days I realized my computer had a virus. Using Explorer or Chrome I was always redirected to a weird website.

So I tried to remove it using AVG (but no virus was detected). Since I was able to connect to the internet using the temporary mode, I decided to do an "on line scan" with Panda and another antivirus (I forgot the name), but again no virus was detected.

A friend of mine told me about ComboFix and I used it. Only later I realised that it's an "expert user software" and, I'm sorry, but only now I read the forum guidelines: "DO NOT RUN ComboFix unless requested to"!!! I'll keep it in mind for the future!

However... now my PC works well, so I suppose that ComboFix destroyed the rootkit virus, BUT, before uninstalling it, I would like to be sure that everything is ok. Would someone kindly help me by checking the ComboFix log? I don't post it now, I'll post it only in case of your ok.

Thanks a lot and sorry for my basic English... :blush:

#2 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 27 April 2013 - 09:37 AM

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that.... Let's get going!!
----------

Go ahead and post the log created by ComboFix. :)
----------

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

  • Disable any antivirus programs during the scan (if you have difficulty properly disabling your protective programs, refer to this link here).
  • Double click dds to run the tool.
  • When done, two DDS .txt files will open.
  • Save both reports to your desktop.

Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt
----------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start the scan.
  • If you are asked to update the Avast Virus database, please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
----------


#3 franzpik

  • Topic Starter
  • Members
  • 9 posts

Posted 27 April 2013 - 10:35 AM

Thanks a lot Jeff! :-)))

Here below you can find:

- ComboFix report
- DDS
- Attach
- aswMBR report

ComboFix 13-04-27.04 - Francesca 27/04/2013  14.01.13.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.3037.2544 [GMT 2:00]
Eseguito da: c:\documents and settings\Francesca\Desktop\ComboFix.exe
FW: AVG Internet Security 2013 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Francesca\Dati applicazioni\OfferBox
c:\documents and settings\Francesca\Dati applicazioni\OfferBox\config.xml
c:\documents and settings\Francesca\Dati applicazioni\OfferBox\http_app.offerbox.com\country.sxe
c:\documents and settings\Francesca\Dati applicazioni\OfferBox\http_app.offerbox.com\history.db
c:\documents and settings\Francesca\Dati applicazioni\OfferBox\http_app.offerbox.com\profile.sxe
c:\documents and settings\Francesca\Dati applicazioni\OfferBox\http_app.offerbox.com\update.sxe
c:\documents and settings\Francesca\Dati applicazioni\OfferBox\http_app.offerbox.com\update.xml
c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\I Want This
c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\I Want This\Chrome\I Want This.crx
c:\documents and settings\Francesca\WINDOWS
c:\programmi\OfferBox
c:\programmi\OfferBox\OfferBoxHTTPProxy.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\2f5f67b82575df89.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\3b9466185fc7e94a.fb
c:\windows\system32\Cache\4588d89e33836b05.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\8ad2050abd80294e.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\bf3051cfd4812c4b.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\cceb6341ddc19c56.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\e3bf74ed2d64a791.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Creati Da 2013-03-27 al 2013-04-27  )))))))))))))))))))))))))))))))))))
.
.
2013-04-27 11:34 . 2013-04-27 11:34 -------- d-----w- c:\windows\system32\NtmsData
2013-04-27 11:14 . 2013-04-27 11:14 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Yahoo!
2013-04-26 18:50 . 2013-04-26 18:50 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\QuickScan
2013-04-26 17:26 . 2013-04-26 17:28 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Avg2013
2013-04-24 17:33 . 2009-05-18 21:49 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2013-04-24 17:33 . 2009-05-18 21:49 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2013-04-24 17:33 . 2009-05-18 21:49 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2013-04-17 18:10 . 2013-04-17 18:10 -------- d-----w- c:\programmi\iPod
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\programmi\iTunes
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Nokia
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\Nokia
2013-04-13 18:55 . 2013-04-13 18:55 -------- d-----w- C:\2c7e25b9c842ffef7b2ac2a411
2013-03-30 16:00 . 2001-08-30 22:07 5632 ----a-w- c:\windows\system32\ptpusb.dll
2013-03-30 16:00 . 2008-04-14 02:13 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 08:36 . 2004-08-19 12:00 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56 . 2004-08-19 15:34 2032128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-07 15:56 . 2004-08-19 12:00 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-02 16:00 . 2012-07-22 18:53 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-02 16:00 . 2012-01-31 17:23 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-02 01:57 . 2005-10-06 03:08 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:55 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 01:55 . 2004-08-19 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 01:55 . 2004-08-19 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:08 . 2004-08-19 12:00 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2011-12-26 19:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-13 18:56 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-19 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2012-06-02 880528]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"GoogleChromeAutoLaunch_0F166C2094197AA17B3FA9AAF8587249"="c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe" [2013-04-09 1312720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2012-01-17 252296]
"ATKOSD2"="c:\programmi\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]
"HControlUser"="c:\programmi\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKHOTKEY"="c:\programmi\ASUS\ATK Hotkey\HControl.exe" [2009-08-12 178816]
"ATKMEDIA"="c:\programmi\ASUS\ATK Media\DMedia.exe" [2009-08-19 170624]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 142360]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"APSDaemon"="c:\programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
OfferBox.lnk - c:\programmi\OfferBox\OfferBox.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Programmi\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\File comuni\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
.
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [29/12/2011 12.08.04 2304]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [20/03/2009 15.21.28 1057280]
S2 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [13/07/2012 14.28.36 160944]
S3 IRUR;IRUR;c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe --> c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ   HPSLPSVC
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
Contenuto della cartella 'Scheduled Tasks'
.
2013-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003Core.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003UA.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2013-03-24 21:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-27 14:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ... 
.
scansione entrate autostart nascoste ... 
.
Scansione files nascosti ... 
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
Ora fine scansione: 2013-04-27  14:09:21
ComboFix-quarantined-files.txt  2013-04-27 12:09
.
Pre-Run: 372.413.054.976 byte disponibili
Post-Run: 375.975.034.880 byte disponibili
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D674F83187415E1880514C324EE1FADB


DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by Francesca at 16:42:34 on 2013-04-27
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.3037.2180 [GMT 2:00]
.
FW: AVG Internet Security 2013 *Enabled* 
.
============== Running Processes ================
.
C:\Programmi\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\ASUS\ATKOSD2\ATKOSD2.exe
C:\Programmi\ASUS\ATK Hotkey\HControlUser.exe
C:\Programmi\ASUS\ATK Hotkey\HControl.exe
C:\Programmi\ASUS\ATK Media\DMedia.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Programmi\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\ASUS\ATK Hotkey\ATKOSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\ASUS\ATK Hotkey\WDC.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqbam08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it/
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\programmi\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\programmi\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\programmi\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\programmi\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\programmi\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [uTorrent] "c:\programmi\utorrent\uTorrent.exe"  /MINIMIZED
uRun: [Skype] "c:\programmi\skype\phone\Skype.exe" /minimized /regrun
uRun: [GoogleChromeAutoLaunch_0F166C2094197AA17B3FA9AAF8587249] "c:\documents and settings\francesca\impostazioni locali\dati applicazioni\google\chrome\application\chrome.exe" --no-startup-window
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\programmi\file comuni\java\java update\jusched.exe"
mRun: [ATKOSD2] c:\programmi\asus\atkosd2\ATKOSD2.exe
mRun: [HControlUser] c:\programmi\asus\atk hotkey\HControlUser.exe
mRun: [ATKHOTKEY] c:\programmi\asus\atk hotkey\HControl.exe
mRun: [ATKMEDIA] c:\programmi\asus\atk media\DMedia.exe
mRun: [Adobe ARM] "c:\programmi\file comuni\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\programmi\hp\hp software update\HPWuSchd2.exe
mRun: [APSDaemon] "c:\programmi\file comuni\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\hpdigi~1.lnk - c:\programmi\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\micros~1.lnk - c:\programmi\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\offerbox.lnk - c:\programmi\offerbox\OfferBox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\programmi\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\programmi\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1325064092113
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: Interfaces\{33E3BDB7-8800-4F23-92F4-021DD58BD1E3} : DHCPNameServer = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programmi\file comuni\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\programmi\file comuni\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2011-12-29 2304]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-20 1057280]
S2 SkypeUpdate;Skype Updater;c:\programmi\skype\updater\Updater.exe [2012-7-13 160944]
S3 IRUR;IRUR;c:\docume~1\france~1\impost~1\temp\irur.exe --> c:\docume~1\france~1\impost~1\temp\IRUR.exe [?]
.
=============== Created Last 30 ================
.
2013-04-27 11:57:57 -------- d-sha-r- C:\cmdcons
2013-04-27 11:51:54 98816 ----a-w- c:\windows\sed.exe
2013-04-27 11:51:54 256000 ----a-w- c:\windows\PEV.exe
2013-04-27 11:51:54 208896 ----a-w- c:\windows\MBR.exe
2013-04-27 11:34:08 -------- d-----w- c:\windows\system32\NtmsData
2013-04-26 18:50:33 -------- d-----w- c:\documents and settings\francesca\dati applicazioni\QuickScan
2013-04-26 17:26:36 -------- d-----w- c:\documents and settings\francesca\impostazioni locali\dati applicazioni\Avg2013
2013-04-24 17:33:32 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2013-04-24 17:33:30 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2013-04-24 17:33:07 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2013-04-17 18:10:48 -------- d-----w- c:\programmi\iPod
2013-04-17 18:10:40 -------- d-----w- c:\programmi\iTunes
2013-04-17 18:10:40 -------- d-----w- c:\documents and settings\all users\dati applicazioni\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-04-17 17:27:45 -------- d-----w- c:\documents and settings\francesca\impostazioni locali\dati applicazioni\Nokia
2013-04-13 18:55:44 -------- d-----w- C:\2c7e25b9c842ffef7b2ac2a411
2013-03-30 16:00:30 5632 ----a-w- c:\windows\system32\ptpusb.dll
2013-03-30 16:00:29 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
==================== Find3M  ====================
.
2013-03-08 08:36:16 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56:52 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 15:56:52 2032128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 16:00:38 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-02 16:00:38 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-02 01:57:49 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:55:09 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 01:55:07 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 01:55:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:08:47 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
.
============= FINISH: 16.43.28,81 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 26/12/2011 21.07.37
System Uptime: 27/04/2013 16.28.26 (0 hours ago)
.
Motherboard: ASUSTeK Computer Inc.         |  | K50IJ     
Processor: Processore Intel Pentium III Xeon | Socket 478 | 2094/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 350,153 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Officejet 4500 G510n-z
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: 4500 G510n-z,192.168.0.9
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet 4500 G510n-z
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 4500 G510n-z
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service: 
.
==== System Restore Points ===================
.
RP89: 03/02/2013 13.01.32 - Punto di arresto del sistema
RP90: 11/02/2013 21.00.47 - Punto di arresto del sistema
RP91: 13/02/2013 18.36.08 - Punto di arresto del sistema
RP92: 17/02/2013 17.46.39 - Punto di arresto del sistema
RP93: 24/02/2013 12.37.18 - Punto di arresto del sistema
RP94: 27/02/2013 19.43.10 - Punto di arresto del sistema
RP95: 01/03/2013 19.40.16 - Punto di arresto del sistema
RP96: 02/03/2013 19.49.09 - Punto di arresto del sistema
RP97: 18/03/2013 5.22.12 - Punto di arresto del sistema
RP98: 24/03/2013 16.52.39 - Software Distribution Service 3.0
RP99: 24/03/2013 21.03.12 - Software Distribution Service 3.0
RP100: 07/04/2013 9.15.05 - Punto di arresto del sistema
RP101: 10/04/2013 20.54.30 - Software Distribution Service 3.0
RP102: 12/04/2013 20.50.22 - Software Distribution Service 3.0
RP103: 13/04/2013 20.53.32 - Software Distribution Service 3.0
RP104: 14/04/2013 3.00.50 - Software Distribution Service 3.0
RP105: 24/04/2013 20.53.18 - Punto di arresto del sistema
RP106: 26/04/2013 19.24.40 - AVG 2013 rimosso
RP107: 26/04/2013 19.26.53 - AVG 2013 rimosso
RP108: 26/04/2013 19.29.55 - Bonjour rimosso
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
4500_G510gm_Help_Web
4500_G510nz_Help
4500G510gm_Software_Min
4500G510gm_web
4500G510nz
4500G510nz_Software_Min
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.6) - Italiano
Security Update for Step by Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Security Update for Microsoft Windows (KB2564958)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Apple Mobile Device Support
Apple Software Update
Atheros Client Installation Program
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
µTorrent
BufferChm
CuneiForm OpenOCR
Destinations
DeviceDiscovery
DocMgr
DocProc
Fax
FLV Player
FoxTab FLV Player
Google Chrome
GPBaseService2
High Definition Audio - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510g-m
HP Officejet 4500 G510n-z
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPProductAssistant
HPSSupply
Intel® Graphics Media Accelerator Driver
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java™ 7 Update 5
JavaFX 2.1.1
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Italian Language Pack
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 2.0 - Language Pack (italiano)
Microsoft .NET Framework 2.0 Language Pack - ITA
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access 2007
Microsoft Office Access MUI (Italian) 2007
Microsoft Office Excel 2007
Microsoft Office Excel MUI (Italian) 2007
Microsoft Office File Validation Add-In
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (Italian) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (Italian) 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (Italian) 2007
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft Software Update for Web Folders  (Italian) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network
OCR Software by I.R.I.S. 13.0
Microsoft Base Smart Card Cryptographic Service Provider Package
PDF Converter
PDFCreator
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition 
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 
Shop for HP Supplies
Skype™ 5.10
SmartWebPrinting
SolutionCenter
Status
Apple Application Support
Toolbox
TrayApp
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
USB 2.0 1.3M UVC WebCam
VLC media player 1.1.11
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
WinRAR 4.20 (32-bit)
.
==== End Of File ===========================

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-27 16:48:11
-----------------------------
16:48:11.859    OS Version: Windows 5.1.2600 Service Pack 3
16:48:11.859    Number of processors: 2 586 0x170A
16:48:11.859    ComputerName: 81A15D3F04EF432  UserName: Francesca
16:48:12.921    Initialize success
16:54:19.890    AVAST engine defs: 13042700
16:54:24.359    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:54:24.359    Disk 0 Vendor: ST9500325AS 0002SDM1 Size: 476940MB BusType: 3
16:54:24.500    Disk 0 MBR read successfully
16:54:24.500    Disk 0 MBR scan
16:54:24.531    Disk 0 Windows XP default MBR code
16:54:24.531    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       476929 MB offset 63
16:54:24.546    Disk 0 scanning sectors +976752000
16:54:24.640    Disk 0 scanning C:\WINDOWS\system32\drivers
16:54:38.203    Service scanning
16:54:54.546    Modules scanning
16:54:58.468    Disk 0 trace - called modules:
16:54:58.484    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
16:54:58.484    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a447ab8]
16:54:58.500    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a48a510]
16:54:58.500    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a449940]
16:54:59.812    AVAST engine scan C:\WINDOWS
16:55:18.031    AVAST engine scan C:\WINDOWS\system32
16:58:36.156    AVAST engine scan C:\WINDOWS\system32\drivers
16:59:05.765    AVAST engine scan C:\Documents and Settings\Francesca
17:20:57.859    AVAST engine scan C:\Documents and Settings\All Users
17:22:37.312    Scan finished successfully
17:22:52.281    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Francesca\Desktop\MBR.dat"
17:22:52.296    The log file has been saved successfully to "C:\Documents and Settings\Francesca\Desktop\aswMBR report.txt"
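
The aswMBR report above read the disk's master boot record, recognised the bootstrap code as the stock Windows XP code, listed a single active NTFS partition of 476929 MB starting at sector offset 63, and saved the sector to MBR.dat on the Desktop. The Python script below is an added example (it is not aswMBR's code and was not posted in this thread) that performs the same three checks on such a saved 512-byte image: the 0x55AA boot signature, a hash of the bootstrap code against a set of known-good hashes, and a parse of the four partition-table entries. The known-good hash set, the placeholder boot code and both sample images are constructed for the example; a real comparison needs the SHA-256 of the stock boot sector taken from a clean install of the same Windows version.

```python
"""Parse and sanity-check a raw MBR sector such as the MBR.dat aswMBR saves.

Added example, not part of aswMBR or of this thread. The known-good hash set
is an assumption: in practice you compare against the hash of the stock boot
code for the installed Windows version, taken from a clean machine.
"""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16
FIRST_LBA_LEGACY = 63       # where the first partition starts on XP-era disks, as in the log

# Subset of partition type bytes, enough for a triage.
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-signature check, the SHA-256 of the bootstrap code and
    every non-empty primary partition entry."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue                                  # unused slot
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,               # 0x80 = active, as "80 (A)" in the log
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": mbr[510:512] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def triage_mbr(mbr: bytes, known_good_boot_hashes: set) -> list:
    """The checks a bootkit scan performs on the MBR, as a list of findings
    (an empty list means nothing suspicious)."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] not in known_good_boot_hashes:
        findings.append("bootstrap code does not match any known-good hash")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    for p in info["partitions"]:
        if p["bootable"] and p["type_name"] == "unknown":
            findings.append(f"active partition {p['index']} has unknown type 0x{p['type']:02X}")
        if p["lba_start"] < FIRST_LBA_LEGACY:
            findings.append(f"partition {p['index']} starts at LBA {p['lba_start']}, "
                            f"inside the unpartitioned gap before the first partition")
    return findings


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Constructed test input: arbitrary boot code plus up to four
    (status, type, lba_start, sectors) tuples. Not a real disk image."""
    mbr = bytearray(SECTOR)
    mbr[:TABLE_OFFSET] = boot_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\0")
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off:off + ENTRY_SIZE] = struct.pack("<B3sB3sII", status, b"\0\0\0",
                                                ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample mirroring the aswMBR log: one active NTFS partition of
# 476929 MB at LBA 63. The boot code is a placeholder, not real XP code.
STOCK_BOOT_CODE = b"XP-MBR-PLACEHOLDER".ljust(TABLE_OFFSET, b"\0")
CLEAN_MBR = build_sample_mbr(STOCK_BOOT_CODE, [(0x80, 0x07, 63, 476929 * 2048)])
# Same partition table, but the bootstrap code has been replaced.
INFECTED_MBR = build_sample_mbr(b"evil".ljust(TABLE_OFFSET, b"\x90"),
                                [(0x80, 0x07, 63, 476929 * 2048)])
KNOWN_GOOD = {hashlib.sha256(STOCK_BOOT_CODE).hexdigest()}

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, parse_mbr(image)["partitions"], triage_mbr(image, KNOWN_GOOD))
```

To run it against the real file, pass `open("MBR.dat", "rb").read()` to `parse_mbr` and `triage_mbr`. A hash mismatch alone is not a verdict (an OEM or a boot manager legitimately ships different boot code), which is why the script reports findings for a human to weigh rather than a clean/infected answer.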

#4 jeffce
  • Bleepin' Super Saiyan
  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 27 April 2013 - 10:48 AM

SystemLook
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
 

  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :Filefind
    *IRUR.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt




#5 franzpik
  • Topic Starter
  • Members
  • 9 posts

Posted 28 April 2013 - 02:24 AM

Here is the result of the SystemLook scan:


SystemLook 30.07.11 by jpshortstuff
Log created at 09:18 on 28/04/2013 by Francesca
Administrator - Elevation successful
 
========== Filefind ==========
 
Searching for "*IRUR.exe"
No files found.
 
-= EOF =-


#6 jeffce
  • Bleepin' Super Saiyan
  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 28 April 2013 - 12:09 PM

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.
 
Disable your AntiVirus and AntiSpyware applications.
 
Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------



#7 franzpik
  • Topic Starter
  • Members
  • 9 posts

Posted 28 April 2013 - 01:01 PM

Here is the new ComboFix log:


ComboFix 13-04-27.04 - Francesca 28/04/2013  19.51.06.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.3037.2521 [GMT 2:00]
Running from: c:\documents and settings\Francesca\Documenti\Downloads\ComboFix.exe
FW: AVG Internet Security 2013 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created From 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))))))
.
.
2013-04-27 11:34 . 2013-04-27 11:34 -------- d-----w- c:\windows\system32\NtmsData
2013-04-27 11:14 . 2013-04-27 11:14 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Yahoo!
2013-04-26 18:50 . 2013-04-26 18:50 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\QuickScan
2013-04-26 17:26 . 2013-04-26 17:28 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Avg2013
2013-04-24 17:33 . 2009-05-18 21:49 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2013-04-24 17:33 . 2009-05-18 21:49 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2013-04-24 17:33 . 2009-05-18 21:49 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2013-04-17 18:10 . 2013-04-17 18:10 -------- d-----w- c:\programmi\iPod
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\programmi\iTunes
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Nokia
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\Nokia
2013-04-13 18:55 . 2013-04-13 18:55 -------- d-----w- C:\2c7e25b9c842ffef7b2ac2a411
2013-03-30 16:00 . 2001-08-30 22:07 5632 ----a-w- c:\windows\system32\ptpusb.dll
2013-03-30 16:00 . 2008-04-14 02:13 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 08:36 . 2004-08-19 12:00 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56 . 2004-08-19 15:34 2032128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-07 15:56 . 2004-08-19 12:00 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-02 16:00 . 2012-07-22 18:53 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-02 16:00 . 2012-01-31 17:23 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-02 01:57 . 2005-10-06 03:08 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:55 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 01:55 . 2004-08-19 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 01:55 . 2004-08-19 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:08 . 2004-08-19 12:00 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2011-12-26 19:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-13 18:56 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-19 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2012-06-02 880528]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"GoogleChromeAutoLaunch_0F166C2094197AA17B3FA9AAF8587249"="c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe" [2013-04-09 1312720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2012-01-17 252296]
"ATKOSD2"="c:\programmi\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]
"HControlUser"="c:\programmi\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKHOTKEY"="c:\programmi\ASUS\ATK Hotkey\HControl.exe" [2009-08-12 178816]
"ATKMEDIA"="c:\programmi\ASUS\ATK Media\DMedia.exe" [2009-08-19 170624]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 142360]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"APSDaemon"="c:\programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
OfferBox.lnk - c:\programmi\OfferBox\OfferBox.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Programmi\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\File comuni\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
.
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [29/12/2011 12.08.04 2304]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [20/03/2009 15.21.28 1057280]
S2 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [13/07/2012 14.28.36 160944]
S3 IRUR;IRUR;c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe --> c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ   HPSLPSVC
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003Core.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003UA.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2013-03-24 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-28 19:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- Dlls Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(840)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-04-28  19:59:15
ComboFix-quarantined-files.txt  2013-04-28 17:59
ComboFix2.txt  2013-04-27 12:09
.
Pre-Run: 375.743.254.528 bytes free
Post-Run: 375.914.106.880 bytes free
.
- - End Of File - - 5121D0F94B886C9265462F730B4FEF90
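
Two entries in the log above are the ones the helper singles out in the next reply: the service `S3 IRUR`, registered from the user's Temp folder and marked `[?]` (ComboFix could not find the image), and `OfferBox.lnk` in the all-users Startup folder, whose target is `[N/A]`. The Python script below is an added example, not ComboFix's code and not part of this thread, that automates that first pass over a log in this format: it parses Run-key values, Startup-folder `.lnk` lines and service lines, and flags images under a Temp directory, images the tool reports as missing, and services whose path ComboFix printed with `-->`. The sample lines are copied from the log above; the reading of `-->` as "registered path that had to be resolved" is my interpretation of ComboFix's notation and is labelled as an assumption in the code.

```python
"""Triage autostart entries from a ComboFix-style log.

Added example, not ComboFix's code. Handles the three entry shapes seen in
the log: Run values, Startup-folder .lnk lines and service/driver lines.
"""
import re

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<meta>[^\]]*)\]')
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$')
TEMP_RE = re.compile(r'(?i)[\\/]temp[\\/]')   # ...\Temp\..., incl. 8.3 forms like IMPOST~1\Temp
MISSING_MARKERS = {"?", "N/A"}                # ComboFix's "image not found" markers


def parse_entry(line):
    """Return a dict for a Run value, .lnk or service line, or None for anything else."""
    line = line.strip()
    for kind, rx in (("run", RUN_RE), ("lnk", LNK_RE), ("service", SVC_RE)):
        m = rx.match(line)
        if m:
            entry = m.groupdict()
            entry["kind"] = kind
            entry["meta"] = entry["meta"].strip()
            return entry
    return None


def triage_autoruns(lines):
    """Return [(name, path, [reasons...]), ...] for every entry worth a closer look."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = []
        if TEMP_RE.search(entry["path"]):
            reasons.append("image lives in a Temp directory")
        if entry["meta"] in MISSING_MARKERS:
            reasons.append("image file not found (marked [%s])" % entry["meta"])
        if entry["kind"] == "service" and entry.get("resolved"):
            # Assumption: ComboFix prints 'registered --> resolved' when it had to
            # resolve the registered path; either way the registration deserves a look.
            reasons.append("service image path printed with --> (stale or odd registration)")
        if reasons:
            findings.append((entry["name"], entry["path"], reasons))
    return findings


# Sample input: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r'''
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2012-06-02 880528]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2012-07-13 17418928]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
OfferBox.lnk - c:\programmi\OfferBox\OfferBox.exe [N/A]
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [29/12/2011 12.08.04 2304]
S2 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [13/07/2012 14.28.36 160944]
S3 IRUR;IRUR;c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe --> c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe [?]
'''.strip().splitlines()

if __name__ == "__main__":
    for name, path, reasons in triage_autoruns(SAMPLE_LOG):
        print(f"{name}: {path}\n    " + "\n    ".join(reasons))
```

On the sample it reports exactly the two entries the helper's CFScript targets, and nothing for the Run values that point at installed programs. A service whose image sits in `%TEMP%` is worth a look even when the file is still present: legitimate services are installed under Program Files or system32, and a missing image with a surviving registration usually means a file was removed (by a scanner or the malware itself) while the service key was left behind.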


#8 jeffce
  • Bleepin' Super Saiyan
  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 28 April 2013 - 01:08 PM

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::

    File::
    c:\programmi\OfferBox\OfferBox.exe
    c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe

    Driver::
    IRUR

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    (screenshot: CFScriptB-4.gif)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------


Post the new log and let me know how your system is running now.  :)




#9 franzpik
  • Topic Starter
  • Members
  • 9 posts

Posted 28 April 2013 - 02:00 PM

Hi Jeff, here is the last ComboFix log.

(P.S. In the 5th line of the report "AVG Internet Security 2013" is mentioned, but I uninstalled it 3 days ago... (?))


ComboFix 13-04-28.01 - Francesca 28/04/2013  20.44.43.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.3037.2366 [GMT 2:00]
Running from: c:\documents and settings\Francesca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Francesca\Desktop\CFScript.txt
FW: AVG Internet Security 2013 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\docume~1\FRANCE~1\IMPOST~1\Temp\IRUR.exe"
"c:\programmi\OfferBox\OfferBox.exe"
.
.
(((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IRUR
-------\Service_IRUR
.
.
(((((((((((((((((((((((((   Files Created From 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))))))
.
.
2013-04-27 11:34 . 2013-04-27 11:34 -------- d-----w- c:\windows\system32\NtmsData
2013-04-27 11:14 . 2013-04-27 11:14 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Yahoo!
2013-04-26 18:50 . 2013-04-26 18:50 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\QuickScan
2013-04-26 17:26 . 2013-04-26 17:28 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Avg2013
2013-04-24 17:33 . 2009-05-18 21:49 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2013-04-24 17:33 . 2009-05-18 21:49 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2013-04-24 17:33 . 2009-05-18 21:49 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2013-04-17 18:10 . 2013-04-17 18:10 -------- d-----w- c:\programmi\iPod
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\programmi\iTunes
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Nokia
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\Nokia
2013-04-13 18:55 . 2013-04-13 18:55 -------- d-----w- C:\2c7e25b9c842ffef7b2ac2a411
2013-03-30 16:00 . 2001-08-30 22:07 5632 ----a-w- c:\windows\system32\ptpusb.dll
2013-03-30 16:00 . 2008-04-14 02:13 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 08:36 . 2004-08-19 12:00 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56 . 2004-08-19 15:34 2032128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-07 15:56 . 2004-08-19 12:00 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-02 16:00 . 2012-07-22 18:53 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-02 16:00 . 2012-01-31 17:23 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-02 01:57 . 2005-10-06 03:08 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:55 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 01:55 . 2004-08-19 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 01:55 . 2004-08-19 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:08 . 2004-08-19 12:00 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2011-12-26 19:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-13 18:56 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-19 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2012-06-02 880528]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"GoogleChromeAutoLaunch_0F166C2094197AA17B3FA9AAF8587249"="c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe" [2013-04-09 1312720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2012-01-17 252296]
"ATKOSD2"="c:\programmi\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]
"HControlUser"="c:\programmi\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKHOTKEY"="c:\programmi\ASUS\ATK Hotkey\HControl.exe" [2009-08-12 178816]
"ATKMEDIA"="c:\programmi\ASUS\ATK Media\DMedia.exe" [2009-08-19 170624]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 142360]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"APSDaemon"="c:\programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
OfferBox.lnk - c:\programmi\OfferBox\OfferBox.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Programmi\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\File comuni\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
.
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [29/12/2011 12.08.04 2304]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [20/03/2009 15.21.28 1057280]
S2 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [13/07/2012 14.28.36 160944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ   HPSLPSVC
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
Contenuto della cartella 'Scheduled Tasks'
.
2013-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003Core.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003UA.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2013-03-24 21:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-28 20:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ... 
.
scansione entrate autostart nascoste ... 
.
Scansione files nascosti ... 
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(3944)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\ATKGFNEX\GFNEXSrv.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programmi\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\programmi\iPod\bin\iPodService.exe
c:\programmi\ASUS\ATK Hotkey\ATKOSD.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\ASUS\ATK Hotkey\WDC.exe
c:\windows\system32\wscntfy.exe
c:\programmi\HP\Digital Imaging\bin\hpqSTE08.exe
c:\programmi\HP\Digital Imaging\bin\hpqbam08.exe
c:\programmi\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Ora fine scansione: 2013-04-28  20:52:48 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2013-04-28 18:52
ComboFix2.txt  2013-04-28 17:59
ComboFix3.txt  2013-04-27 12:09
.
Pre-Run: 375.943.073.792 byte disponibili
Post-Run: 375.860.256.768 byte disponibili
.
- - End Of File - - C5E429C9786BFDAC7650E943CB47B06F


#10 jeffce (Bleepin' Super Saiyan)
  • Malware Response Team
  • 3,442 posts
  • Gender: Male
  • Location: USA

Posted 28 April 2013 - 02:03 PM

and let me know how your system is running now.

:)


#11 franzpik (Topic Starter)
  • Members
  • 9 posts

Posted 28 April 2013 - 02:04 PM

I forgot to tell you that my notebook works very well now... no more problems with the internet connection... let me know if I have to do other checks. Thanks a lot! :-)



#12 jeffce (Bleepin' Super Saiyan)
  • Malware Response Team
  • 3,442 posts
  • Gender: Male
  • Location: USA

Posted 28 April 2013 - 02:08 PM

Good to hear!   :)

Java

Please go to Start > Control Panel > Programs and Features > uninstall all the Java Programs you see. Then download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp
----------

See this page for instructions on how to clear Java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Installed Applications and Applets
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

----------

Please download Malwarebytes Anti-Malware to your desktop.

  • Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan as shown below.
    (screenshot omitted)
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:

Windows 2000 & Windows XP:
C:\Documents and Settings\<USERNAME>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Vista & Win7:
C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double-click on it to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------


#13 franzpik (Topic Starter)
  • Members
  • 9 posts

Posted 28 April 2013 - 05:12 PM

Done! Here are the reports, and... my notebook still works very well :-)

Malwarebytes Anti-Malware (Prova) 1.75.0.1300
www.malwarebytes.org
 
Versione database: v2013.04.28.04
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Francesca :: 81A15D3F04EF432 [amministratore]
 
Protezione: Attivata
 
28/04/2013 21.28.22
mbam-log-2013-04-28 (21-28-22).txt
 
Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File di sistema | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 238121
Tempo impiegato: 5 minuti, 42 secondi
 
Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)
 
Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)
 
Chiavi di registro rilevate: 4
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Spostato in quarantena ed eliminato con successo.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Spostato in quarantena ed eliminato con successo.
 
Valori di registro rilevati: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Dati: f93f08bad9fe885fc272fed5d2a64b00 -> Spostato in quarantena ed eliminato con successo.
 
Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)
 
Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)
 
File rilevati: 2
C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup.exe (PUP.Adware.InstallCore) -> Nessuna azione intrapresa.
C:\Documents and Settings\Francesca\Documenti\Downloads\PDFConverterSetup.exe (Adware.Agent) -> Spostato in quarantena ed eliminato con successo.
 
(fine)

C:\Documents and Settings\Francesca\Desktop\PDFCreator-1_2_3_setup.exe multiple threats
C:\Documents and Settings\Francesca\Desktop\PDFCreator-1_2_3_setup[1].exe multiple threats
C:\Documents and Settings\Francesca\Desktop\Setup_FreeConverter.exe Win32/Toolbar.SearchSuite application
C:\Documents and Settings\Francesca\Desktop\Picchi\Programmi\SoftonicDownloader_per_vlc-media-player.exe Win32/SoftonicDownloader application
C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup (1).exe a variant of Win32/InstallCore.BP application
C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup (2).exe a variant of Win32/InstallCore.BP application
C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup (3).exe a variant of Win32/InstallCore.BH application
C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup.exe a variant of Win32/InstallCore.Q application
C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_cognitive-openocr.exe Win32/SoftonicDownloader.D application
C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_free-mp3-wma-converter.exe a variant of Win32/SoftonicDownloader.E application
C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_pdfcreator (1).exe Win32/SoftonicDownloader.D application
C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_pdfcreator.exe Win32/SoftonicDownloader application
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Babylon\Setup\IECookieLow.dll a variant of Win32/Toolbar.Babylon.E application
C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Babylon\Setup\Setup.exe a variant of Win32/Toolbar.Babylon.E application
C:\Picchi rar\Programmi\tagliare mp3\SoftonicDownloader_per_mp3directcut.exe a variant of Win32/SoftonicDownloader.A application
C:\Programmi\FLVPlayer\FLVPlayer.exe a variant of Win32/InstallCore.A application
C:\Programmi\FLVPlayer\Uninstall\Uninstall.exe a variant of Win32/InstallCore.BH application
C:\Programmi\FoxTabFLVPlayer\FLVPlayer.exe a variant of Win32/InstallCore.A application
C:\Programmi\FoxTabFLVPlayer\Uninstall\Uninstall.exe a variant of Win32/InstallCore.Q application
C:\Programmi\PDFConverter\Uninstall\Uninstall.exe a variant of Win32/InstallCore.BP application
C:\Programmi\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP107\A0051190.dll Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP107\A0051191.dll Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP107\A0051192.dll a variant of Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP107\A0051193.dll Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP107\A0051195.exe probably a variant of Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP108\A0051230.exe Win32/Adware.1ClickDownload.C application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP108\A0051231.exe Win32/Adware.1ClickDownload.C application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP108\A0051232.exe Win32/Adware.1ClickDownload.C application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP108\A0051233.exe Win32/Adware.1ClickDownload application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP108\A0051234.exe Win32/Adware.1ClickDownload application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP108\A0051235.exe Win32/Adware.1ClickDownload.G application
C:\System Volume Information\_restore{B704D914-87A5-462D-9CF5-4E85349955C6}\RP108\A0051660.dll a variant of Win32/Toolbar.CrossRider.A application
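An added check for logs like the Malwarebytes one pasted above (example code written for this thread, not from the original posts or from Malwarebytes): it parses the MBAM 1.x log layout and lists the detections whose action was "Nessuna azione intrapresa" / "No action taken", i.e. the items a re-scan still has to quarantine. The action wordings and the "Section: N" header shape are assumptions taken from the two logs in this thread, and the sample log is constructed from the lines above.

```python
"""Flag Malwarebytes Anti-Malware 1.x detections that were left in place.

Added example for this thread, not code from the posts or from Malwarebytes.
Format assumed from the two logs in the thread: a "<Section>: N" header line,
then N detection lines shaped like
    <location> (<threat name>) -> <action text>.
Registry values carry an extra "-> Dati: <value>" (or "-> Data: <value>") segment.
"""
import re
from dataclasses import dataclass

# Action texts meaning "detected but still on the system". Assumption: the English
# and Italian wordings of MBAM 1.x; other UI languages would need their own entry.
NOT_REMOVED_ACTIONS = {"no action taken", "nessuna azione intrapresa"}

# "Chiavi di registro rilevate: 4" / "Files Detected: 2"
CATEGORY_RE = re.compile(r"^(?P<name>[^:]+): (?P<count>\d+)$")
# "<location> (<threat>)" once the "-> ..." tail has been split off
THREAT_RE = re.compile(r"^(?P<location>.+) \((?P<threat>[^()]+)\)$")


@dataclass
class Detection:
    category: str
    location: str
    threat: str
    action: str

    @property
    def removed(self) -> bool:
        return self.action.lower() not in NOT_REMOVED_ACTIONS


def parse_mbam_log(text: str) -> list:
    """Return every detection line in an MBAM 1.x log, tagged with its section."""
    detections = []
    category = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        header = CATEGORY_RE.match(line)
        if header:
            category = header.group("name")
            continue
        if " -> " not in line:
            continue  # banner, summary and "(no malicious items detected)" lines
        head, _, action = line.rstrip(".").rpartition(" -> ")
        head = head.split(" -> ")[0]  # drop the "-> Dati: <value>" segment
        match = THREAT_RE.match(head)
        if not match:
            continue  # a "->" line that is not a detection we understand
        detections.append(Detection(category, match.group("location"),
                                    match.group("threat"), action.strip()))
    return detections


def not_removed(detections):
    """Detections the next scan still has to quarantine (what the responder asked for)."""
    return [d for d in detections if not d.removed]


def count_by_threat(detections):
    """Detections per threat name, e.g. {'PUP.GamesPlayLab': 2, ...}."""
    counts = {}
    for d in detections:
        counts[d.threat] = counts.get(d.threat, 0) + 1
    return counts


# Constructed sample: the detection sections of the Italian log pasted above.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware (Prova) 1.75.0.1300
www.malwarebytes.org

Elementi esaminati: 238121
Tempo impiegato: 5 minuti, 42 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 4
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Spostato in quarantena ed eliminato con successo.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Spostato in quarantena ed eliminato con successo.

Valori di registro rilevati: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Dati: f93f08bad9fe885fc272fed5d2a64b00 -> Spostato in quarantena ed eliminato con successo.

File rilevati: 2
C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup.exe (PUP.Adware.InstallCore) -> Nessuna azione intrapresa.
C:\Documents and Settings\Francesca\Documenti\Downloads\PDFConverterSetup.exe (Adware.Agent) -> Spostato in quarantena ed eliminato con successo.

(fine)
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections, {count_by_threat(found)}")
    for d in not_removed(found):
        print(f"STILL PRESENT [{d.category}] {d.threat}: {d.location}")
```

Run against the log of a re-scan, an empty result from not_removed is what you want to see before declaring the item closed.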


#14 jeffce (Bleepin' Super Saiyan)
  • Malware Response Team
  • 3,442 posts
  • Gender: Male
  • Location: USA

Posted 28 April 2013 - 07:34 PM

Good to hear...

Run Malwarebytes again and this time be sure to remove anything that is found and post the log when it's finished.
----------

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::
     
    File::
    C:\Documents and Settings\Francesca\Desktop\PDFCreator-1_2_3_setup.exe 
    C:\Documents and Settings\Francesca\Desktop\PDFCreator-1_2_3_setup[1].exe 
    C:\Documents and Settings\Francesca\Desktop\Setup_FreeConverter.exe 
    C:\Documents and Settings\Francesca\Desktop\Picchi\Programmi\SoftonicDownloader_per_vlc-media-player.exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup (1).exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup (2).exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup (3).exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\FLVPlayerSetup.exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_cognitive-openocr.exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_free-mp3-wma-converter.exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_pdfcreator (1).exe 
    C:\Documents and Settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_pdfcreator.exe 
    C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Babylon\Setup\IECookieLow.dll 
    C:\Documents and Settings\Francesca\Impostazioni locali\Dati applicazioni\Babylon\Setup\Setup.exe 
    C:\Picchi rar\Programmi\tagliare mp3\SoftonicDownloader_per_mp3directcut.exe 
    C:\Programmi\FLVPlayer\FLVPlayer.exe 
    C:\Programmi\FLVPlayer\Uninstall\Uninstall.exe 
    C:\Programmi\FoxTabFLVPlayer\FLVPlayer.exe 
    C:\Programmi\FoxTabFLVPlayer\Uninstall\Uninstall.exe 
    C:\Programmi\PDFConverter\Uninstall\Uninstall.exe 
    C:\Programmi\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe 

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    (screenshot omitted)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------


#15 franzpik (Topic Starter)
  • Members
  • 9 posts

Posted 29 April 2013 - 03:02 PM

Hi Jeff, here are the last reports (my PC works very well).

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.04.29.08
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Francesca :: 81A15D3F04EF432 [administrator]
 
Protection: Enabled
 
29/04/2013 21.12.08
mbam-log-2013-04-29 (21-12-08).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 238236
Time elapsed: 5 minute(s), 16 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)

ComboFix 13-04-28.01 - Francesca 29/04/2013  21.39.30.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.3037.2223 [GMT 2:00]
Eseguito da: c:\documents and settings\Francesca\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Francesca\Desktop\CFScript.txt
FW: AVG Internet Security 2013 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\documents and settings\Francesca\Desktop\PDFCreator-1_2_3_setup.exe"
"c:\documents and settings\Francesca\Desktop\PDFCreator-1_2_3_setup[1].exe"
"c:\documents and settings\Francesca\Desktop\Picchi\Programmi\SoftonicDownloader_per_vlc-media-player.exe"
"c:\documents and settings\Francesca\Desktop\Setup_FreeConverter.exe"
"c:\documents and settings\Francesca\Documenti\Downloads\FLVPlayerSetup (1).exe"
"c:\documents and settings\Francesca\Documenti\Downloads\FLVPlayerSetup (2).exe"
"c:\documents and settings\Francesca\Documenti\Downloads\FLVPlayerSetup (3).exe"
"c:\documents and settings\Francesca\Documenti\Downloads\FLVPlayerSetup.exe"
"c:\documents and settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_cognitive-openocr.exe"
"c:\documents and settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_free-mp3-wma-converter.exe"
"c:\documents and settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_pdfcreator (1).exe"
"c:\documents and settings\Francesca\Documenti\Downloads\SoftonicDownloader_per_pdfcreator.exe"
"c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Babylon\Setup\IECookieLow.dll"
"c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Babylon\Setup\Setup.exe"
"c:\picchi rar\Programmi\tagliare mp3\SoftonicDownloader_per_mp3directcut.exe"
"c:\programmi\FLVPlayer\FLVPlayer.exe"
"c:\programmi\FLVPlayer\Uninstall\Uninstall.exe"
"c:\programmi\FoxTabFLVPlayer\FLVPlayer.exe"
"c:\programmi\FoxTabFLVPlayer\Uninstall\Uninstall.exe"
"c:\programmi\PDFConverter\Uninstall\Uninstall.exe"
"c:\programmi\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe"
.
.
(((((((((((((((((((((((((   Files Creati Da 2013-03-28 al 2013-04-29  )))))))))))))))))))))))))))))))))))
.
.
2013-04-28 19:44 . 2013-04-28 19:44 -------- d-----w- c:\programmi\ESET
2013-04-28 19:26 . 2013-04-28 19:26 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\Malwarebytes
2013-04-28 19:26 . 2013-04-28 19:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2013-04-28 19:26 . 2013-04-28 19:26 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2013-04-28 19:26 . 2013-04-04 12:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-28 19:21 . 2013-04-28 19:21 -------- d-----w- c:\programmi\File comuni\Java
2013-04-28 19:21 . 2013-04-28 19:21 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-04-28 19:21 . 2013-04-28 19:21 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-28 19:21 . 2013-04-28 19:21 -------- d-----w- c:\programmi\Java
2013-04-27 11:34 . 2013-04-27 11:34 -------- d-----w- c:\windows\system32\NtmsData
2013-04-27 11:14 . 2013-04-27 11:14 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Yahoo!
2013-04-26 18:50 . 2013-04-26 18:50 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\QuickScan
2013-04-26 17:26 . 2013-04-26 17:28 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Avg2013
2013-04-24 17:33 . 2009-05-18 21:49 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2013-04-24 17:33 . 2009-05-18 21:49 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2013-04-24 17:33 . 2009-05-18 21:49 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2013-04-17 18:10 . 2013-04-17 18:10 -------- d-----w- c:\programmi\iPod
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\programmi\iTunes
2013-04-17 18:10 . 2013-04-17 18:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Nokia
2013-04-17 17:27 . 2013-04-17 17:27 -------- d-----w- c:\documents and settings\Francesca\Dati applicazioni\Nokia
2013-04-13 18:55 . 2013-04-13 18:55 -------- d-----w- C:\2c7e25b9c842ffef7b2ac2a411
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-28 19:21 . 2012-07-22 19:40 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-28 19:21 . 2012-07-22 19:40 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 08:36 . 2004-08-19 12:00 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56 . 2004-08-19 15:34 2032128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-07 15:56 . 2004-08-19 12:00 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-02 16:00 . 2012-07-22 18:53 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-02 16:00 . 2012-01-31 17:23 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-02 01:57 . 2005-10-06 03:08 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:55 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 01:55 . 2004-08-19 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 01:55 . 2004-08-19 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:08 . 2004-08-19 12:00 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2011-12-26 19:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-13 18:56 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-19 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2012-06-02 880528]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"GoogleChromeAutoLaunch_0F166C2094197AA17B3FA9AAF8587249"="c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe" [2013-04-09 1312720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKOSD2"="c:\programmi\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]
"HControlUser"="c:\programmi\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKHOTKEY"="c:\programmi\ASUS\ATK Hotkey\HControl.exe" [2009-08-12 178816]
"ATKMEDIA"="c:\programmi\ASUS\ATK Media\DMedia.exe" [2009-08-19 170624]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 142360]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"APSDaemon"="c:\programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
OfferBox.lnk - c:\programmi\OfferBox\OfferBox.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Programmi\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\File comuni\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
.
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [29/12/2011 12.08.04 2304]
R2 MBAMScheduler;MBAMScheduler;c:\programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe [28/04/2013 21.26.19 418376]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [28/04/2013 21.26.19 701512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [28/04/2013 21.26.19 22856]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [20/03/2009 15.21.28 1057280]
S2 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [13/07/2012 14.28.36 160944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ   HPSLPSVC
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
Contenuto della cartella 'Scheduled Tasks'
.
2013-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003Core.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-117609710-839522115-1003UA.job
- c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-01-03 20:06]
.
2013-04-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2013-03-24 21:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-29 21:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ... 
.
scansione entrate autostart nascoste ... 
.
Scansione files nascosti ... 
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(684)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
Ora fine scansione: 2013-04-29  21:42:45
ComboFix-quarantined-files.txt  2013-04-29 19:42
ComboFix2.txt  2013-04-29 19:29
ComboFix3.txt  2013-04-28 18:52
ComboFix4.txt  2013-04-28 17:59
ComboFix5.txt  2013-04-29 19:38
.
Pre-Run: 375.556.186.112 byte disponibili
Post-Run: 375.547.568.128 byte disponibili
.
- - End Of File - - 69765973A74FF75D1E99D20AEFD74280