
virus infection, impossible to start :(


  • This topic is locked

#1
tha dj

    Member

  • 38 posts
Hi, as usual when I'm in trouble I run back here :)

I have a virus or something like that :)

When I try to boot my computer the first thing that appears is the "user login account" asking for my password, which I never had.
If I just click "OK" the process "userinit.exe" crashes and the usual Windows error window comes out.
Unfortunately explorer doesn't run, and even if I try to open the Task Manager it suddenly crashes and closes. The only thing I have is an empty desktop.
Fortunately (this time) a few months ago I made a small partition to use as a music workstation and I'm able to use that one now, even if the virus has affected it since my last reboot.. the same thing happens, but I managed to avoid the crashes (it doesn't matter how, I think you'd laugh too much).
So I ran some antispyware such as AVG and SUPERAntiSpyware. They found some cookies and a couple of trojans, but even though they removed them I'm still in the same situation.. I don't know what to do. I can't find the problem to fix it.
I have the logs of SUPERAntiSpyware and HijackThis, but they are pointless because the most infected OS is the one on the other partition, which I can't run for the moment.

Do you have any suggestions? Do you know what infected my computer and how to heal it?
Please, any help would be really appreciated :)

Thanks to everyone for your time.

Here are the logs:

SUPERAntiSpyware Scan Log
Generated 10/30/2007 at 08:06 PM

Application Version : 3.6.1000

Core Rules Database Version : 3333
Trace Rules Database Version: 1334

Scan type : Complete Scan
Total Scan Time : 00:44:52

Memory items scanned : 323
Memory threats detected : 0
Registry items scanned : 3284
Registry threats detected : 0
File items scanned : 48932
File threats detected : 6

Adware.Tracking Cookie
F:\Documents and Settings\Michel\Cookies\[email protected][1].txt
F:\Documents and Settings\Michel\Cookies\[email protected][1].txt
F:\Documents and Settings\Michel\Cookies\[email protected][2].txt

Trojan.Net-SpoolW
F:\WINDOWS\SYSTEM32\SPOOLW.EXE

Trace.Known Threat Sources
F:\Documents and Settings\Michel\Impostazioni locali\Temporary Internet Files\Content.IE5\2ZIVA16V\x5s45[1].exe
F:\Documents and Settings\Michel\Impostazioni locali\Temporary Internet Files\Content.IE5\ADZO54NA\text[1].dat




Logfile of HijackThis v1.99.1
Scan saved at 20.57.59, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\Explorer.exe
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\Programmi\Evrsoft\1st Page 2000\Templates\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C85B22AC-0C64-433B-AD26-29EBE051861B}: NameServer = 213.205.32.70 213.205.36.70
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll


thanks again.
  • 0

#2
Chopin

    Member 2k

  • 2,639 posts
Hello tha dj, and welcome to Geeks to Go! My name is Fredil, and I'm currently looking over your log right now.

Since I'm still in training, there may be a slight delay between my posts, but rest assured that your problem will get solved sooner or later :)
  • 0

#3
tha dj

    Member

  • Topic Starter
  • 38 posts
Thanks, I'll be waiting :)
  • 0

#4
Chopin

    Member 2k

  • 2,639 posts
Hello tha dj :) Let's begin!

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Deckard's System Scanner
------------------------------------------------

Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan.

Note: This program will clear your temporary files.
  • On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan.
  • The entire scanning process will take about five minutes, often less.
  • During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so.
  • Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction.
  • Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply.
On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt.

In your next post
------------------------------------------------
  • DSS main.txt and extra.txt

  • 0

#5
tha dj

    Member

  • Topic Starter
  • 38 posts
Hi, you've been incredibly fast :)

By the way, I'm Michel, nice to meet you. tha dj is a horrible nickname I chose some years ago when I subscribed here :) so feel free to call me by my name if you want. Otherwise, if it is easier to remember, use my nickname, it doesn't matter at all.
Now here is some homework for you :)
I ran your program on the "almost working" partition; if you need, I can try to run it from the one which was infected first, but I'm not sure I can do it.. check these logs and see if you find what you need, otherwise we will try the other way.
Thanks again for your help and your time.


Logs:

Deckard's System Scanner v20071014.68
Run by Michel on 2007-10-31 20:48:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-10-31 19:48:23 UTC - RP29 - Deckard's System Scanner Restore Point
3: 2007-10-31 18:41:01 UTC - RP28 - Punto di arresto del sistema
2: 2007-10-30 18:11:08 UTC - RP27 - Installed SUPERAntiSpyware Free Edition
1: 2007-10-30 13:44:01 UTC - RP26 - Punto di arresto del sistema


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 0.19 GiB (less than 15%) free.


-- HijackThis (run as Michel.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.50.25, on 31/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Michel\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Michel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\Programmi\Evrsoft\1st Page 2000\Templates\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C85B22AC-0C64-433B-AD26-29EBE051861B}: NameServer = 213.205.32.70 213.205.36.70
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 2392 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\programmi\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\programmi\superantispyware\saskutil.sys
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 CnxEtP (Conexant AccessRunner USB ADSL WAN Adapter Filter Driver) - c:\windows\system32\drivers\cnxetp.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxEtU (Conexant AccessRunner USB ADSL Interface Device Driver) - c:\windows\system32\drivers\cnxetu.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxTgN (Conexant AccessRunner USB ADSL WAN Adapter Driver) - c:\windows\system32\drivers\cnxtgn.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
R3 SASENUM - c:\programmi\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Controller video (compatibile VGA)
Device ID: PCI\VEN_1002&DEV_5955&SUBSYS_30A4103C&REV_00\4&2C0D4F31&0&2808
Manufacturer:
Name: Controller video (compatibile VGA)
PNP Device ID: PCI\VEN_1002&DEV_5955&SUBSYS_30A4103C&REV_00\4&2C0D4F31&0&2808
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Controller del bus di gestione sistema
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_30A4103C&REV_11\3&13C0B0C5&0&A0
Manufacturer:
Name: Controller del bus di gestione sistema
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_30A4103C&REV_11\3&13C0B0C5&0&A0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Controller di rete
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1356103C&REV_02\4&13826118&0&10A4
Manufacturer:
Name: Controller di rete
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1356103C&REV_02\4&13826118&0&10A4
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Controller memoria di massa
Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_30A4103C&REV_00\4&13826118&0&23A4
Manufacturer:
Name: Controller memoria di massa
PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_30A4103C&REV_00\4&13826118&0&23A4
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Modem PCI
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30A4103C&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: Modem PCI
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30A4103C&REV_02\3&13C0B0C5&0&A6
Service:


-- Files created between 2007-09-30 and 2007-10-31 -----------------------------

2007-10-31 20:50:13 0 d-------- C:\Programmi\Trend Micro
2007-10-31 20:49:29 9728 --a------ C:\sysfels.exe
2007-10-30 19:24:00 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-10-30 19:11:10 0 d-------- C:\Programmi\SUPERAntiSpyware
2007-10-30 19:10:54 0 d-------- C:\Programmi\File comuni\Wise Installation Wizard
2007-10-30 14:06:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-30 13:57:38 0 d-------- C:\Programmi\3B Software
2007-10-29 18:47:16 108675 --a------ C:\WINDOWS\system32\drivers\CnxTgN.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
2007-10-29 18:47:16 646784 --a------ C:\WINDOWS\system32\drivers\CnxEtU.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
2007-10-29 18:47:16 60288 --a------ C:\WINDOWS\system32\drivers\CnxEtP.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
2007-10-29 18:47:16 118784 --a------ C:\WINDOWS\system32\CnxMfdCo.dll <Not Verified; Conexant Systems, Inc.; Conexant Multifunction Device CoInstaller>
2007-10-29 18:47:16 163840 --a------ C:\WINDOWS\system32\CnxHwIo.dll <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
2007-10-29 18:47:16 118784 --a------ C:\WINDOWS\system32\CnxClsCo.dll <Not Verified; Conexant Systems, Inc.; Conexant Device Class CoInstaller>
2007-10-29 18:47:16 0 d-------- C:\Programmi\Hamlet HDSL640S USB ADSL Modem


-- Find3M Report ---------------------------------------------------------------

2007-12-08 23:32:40 487936 --a------ C:\WINDOWS\system32\rmbe3260.dll <Not Verified; RealNetworks, Inc.; RealNetworks RealProducer Build Engine (32-bit)>
2007-12-08 23:32:40 87040 --a------ C:\WINDOWS\system32\ra32sipr.dll <Not Verified; RealNetworks, Inc.; RealMedia Shared Component (32-bit)>
2007-12-08 23:32:40 21504 --a------ C:\WINDOWS\system32\ra32dnet.dll <Not Verified; RealNetworks, Inc.; RealAudio™ Shared Component (32-bit)>
2007-12-08 23:32:40 72704 --a------ C:\WINDOWS\system32\ra3228_8.dll <Not Verified; RealNetworks, Inc.; 28.8 Audio Codec for RealAudio™ (32-bit) RealVideo Encoder SDK 5.0>
2007-12-08 23:32:40 81920 --a------ C:\WINDOWS\system32\ra3214_4.dll <Not Verified; RealNetworks, Inc.; 14.4 Audio Codec for RealAudio™ (32-bit) RealVideo Encoder SDK 5.0>
2007-12-08 23:32:40 352768 --a------ C:\WINDOWS\system32\pngu3263.dll <Not Verified; RealNetworks, Inc.; RealPlayer (32-bit)>
2007-12-08 23:32:40 131072 --a------ C:\WINDOWS\system32\pneng50.dll <Not Verified; RealNetworks, Inc.; RealNetworks RealVideo Encoder Engine (32-bit)>
2007-12-08 23:32:40 130560 --a------ C:\WINDOWS\system32\pnc3250.dll <Not Verified; RealNetworks, Inc.; Low-Level API for RealAudio™ Encoder (32-bit)>
2007-12-08 23:32:40 85504 --a------ C:\WINDOWS\system32\encdnet.dll <Not Verified; RealNetworks, Inc.; RealAudio™ Shared Component (32-bit)>
2007-12-08 23:32:40 61952 --a------ C:\WINDOWS\system32\decdnet.dll <Not Verified; RealNetworks, Inc.; RealAudio™ Shared Component (32-bit)>
2007-10-31 00:15:08 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\foobar2000
2007-10-30 20:42:30 345620 --a------ C:\WINDOWS\system32\perfh010.dat
2007-10-30 20:42:30 48012 --a------ C:\WINDOWS\system32\perfc010.dat
2007-10-30 19:11:10 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\SUPERAntiSpyware.com
2007-10-30 19:10:54 0 d-------- C:\Programmi\File comuni
2007-10-30 14:06:42 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\Mozilla
2007-10-29 19:04:27 0 d-------- C:\Programmi\Waves
2007-10-29 19:04:10 0 d-------- C:\Programmi\VstPlugins
2007-10-29 19:03:53 0 d-------- C:\Programmi\Synth1
2007-10-29 18:59:08 0 d-------- C:\Programmi\foobar2000
2007-10-20 20:20:56 467 --a------ C:\WINDOWS\system32\Datei9
2007-10-20 20:20:56 467 --a------ C:\WINDOWS\system32\Datei8
2007-10-20 20:20:56 469 --a------ C:\WINDOWS\system32\Datei7
2007-10-20 20:20:56 465 --a------ C:\WINDOWS\system32\Datei6
2007-10-20 20:20:56 469 --a------ C:\WINDOWS\system32\Datei5
2007-10-20 20:20:56 471 --a------ C:\WINDOWS\system32\Datei4
2007-10-20 20:20:56 470 --a------ C:\WINDOWS\system32\Datei3
2007-10-20 20:20:56 471 --a------ C:\WINDOWS\system32\Datei2
2007-10-20 20:20:56 467 --a------ C:\WINDOWS\system32\Datei10
2007-10-20 20:20:56 470 --a------ C:\WINDOWS\system32\Datei1
2007-10-20 20:20:56 468 --a------ C:\WINDOWS\system32\Datei0
2007-10-19 16:28:58 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\Sonic Foundry
2007-10-19 15:50:14 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\Ableton
2007-09-19 16:24:54 0 d-------- C:\Programmi\Native Instruments
2007-09-08 00:14:29 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\vlc
2007-09-08 00:11:46 0 d-------- C:\Programmi\VideoLAN
2007-08-12 15:18:45 62 --ahs---- C:\Documents and Settings\Michel\Dati applicazioni\desktop.ini
2007-08-12 13:38:46 0 -rahs---- C:\MSDOS.SYS
2007-08-12 13:38:46 0 -rahs---- C:\IO.SYS
2007-08-12 13:38:46 0 --a------ C:\CONFIG.SYS
2007-08-12 13:38:46 0 --a------ C:\AUTOEXEC.BAT
2007-08-12 13:34:42 21840 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Programmi\D-Tools\daemon.exe" [22/08/2004 16.05]
"H2O"="C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe" [11/12/2007 03.59]
"CnxDslTaskBar"="C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe" [02/08/2004 14.17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 14.00]
"Windows Registry Repair Pro"="C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [08/09/2005 22.07]
"SUPERAntiSpyware"="C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [27/02/2007 11.39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmi\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12.55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmi\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11.39 282624 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll




-- End of Deckard's System Scanner: finished at 2007-10-31 20:50:53 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Italian

CPU 0: Mobile AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 510.17 MiB / 289.82 MiB
Pagefile Memory (total/avail): 1247.2 MiB / 1074.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.06 MiB

C: is Fixed (NTFS) - 28.53 GiB total, 0.2 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 46 GiB total, 0.44 GiB free.

\\.\PHYSICALDRIVE0 - TOSHIBA MK8025GAS - 74.53 GiB - 2 partitions
\PARTITION0 - File system installabile - 46 GiB - F:
\PARTITION1 (bootable) - File system installabile - 28.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"="SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List:*:enabled:@shell32.dll,-1"
"C:\\Documents and Settings\\Michel\\Desktop\\CheckBO.exe"="C:\\Documents and Settings\\Michel\\Desktop\\CheckBO.exe:*:Enabled:Trojan Attack Interceptor"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Michel\Dati applicazioni
CLIENTNAME=Console
CommonProgramFiles=C:\Programmi\File comuni
COMPUTERNAME=MUSIC-94F99F9F
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Michel
LOGONSERVER=\\MUSIC-94F99F9F
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Programmi
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Michel\IMPOST~1\Temp
TMP=C:\DOCUME~1\Michel\IMPOST~1\Temp
USERDOMAIN=MUSIC-94F99F9F
USERNAME=Michel
USERPROFILE=C:\Documents and Settings\Michel
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Michel (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ASIO4ALL --> C:\Programmi\ASIO4ALL v2\uninstall.exe
AudioRealism BassLine VSTi v1.51 --> C:\PROGRA~1\VSTPLU~1\AUDIOR~1\Bassline\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\AUDIOR~1\Bassline\INSTALL.LOG
BassStation --> MsiExec.exe /I{18D03DE2-D142-4A6C-B346-2FA7C8D76A57}
Collab --> C:\Programmi\ASIO4ALL v2\uninstall.exe
Conexant AC-Link Audio --> C:\Programmi\CONEXANT\CNXT_AUDIO\UIU32a.exe -U -ICPL309BA.INF
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
FL Studio 7 --> C:\Programmi\Image-Line\FL Studio 7\uninstall.exe
foobar2000 v0.9.3.1 --> "C:\Programmi\foobar2000\uninstall.exe"
Hamlet HDSL640S USB ADSL WAN Adapter --> C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxUnist.exe -w7 AccessRunner ADSL
IL Download Manager --> C:\Programmi\Image-Line\Downloader\uninstall.exe
Image Line Deckadance VSTi v1.07 --> "C:\Programmi\VstPlugins\Deckadance\Uninstall\unins000.exe"
Live 6.0.1 --> C:\PROGRA~1\Ableton\LIVE60~1.1\Install\UNWISE.EXE C:\PROGRA~1\Ableton\LIVE60~1.1\Install\INSTALL.LOG
Mozilla Firefox (2.0.0.8) --> C:\Programmi\Mozilla Firefox\uninstall\helper.exe
Native Instruments Absynth 3 --> C:\PROGRA~1\NATIVE~1\ABSYNT~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\ABSYNT~1\INSTALL.LOG
Native Instruments Battery 3 --> C:\PROGRA~1\NATIVE~1\BATTER~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\BATTER~1\INSTALL.LOG
Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS --> C:\PROGRA~1\NATIVE~1\FM8\UNWISE.EXE C:\PROGRA~1\NATIVE~1\FM8\INSTALL.LOG
Native Instruments Traktor DJ Studio 3 --> C:\PROGRA~1\NATIVE~1\TRAKTO~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\TRAKTO~1\INSTALL.LOG
Novation V-Station v1.20-H2O --> C:\PROGRA~1\VSTPLU~1\V-STAT~1\V-STAT~1\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\V-STAT~1\V-STAT~1\INSTALL.LOG
Steinberg Hypersonic 2 --> "C:\Programmi\VstPlugins\Hypersonic\Hypersonic Content\unins000.exe"
Steinberg Nuendo v3.2.0.1128 --> C:\PROGRA~1\STEINB~1\NUENDO~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\NUENDO~1\INSTALL.LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Syncrosoft's License Control --> C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
SyncroSoft Emu (Remove only) --> C:\Programmi\SyncroSoft\Pos\H2O\Uninst.exe
Synth1 --> "C:\Programmi\Synth1\setup.exe" /u
Waves 4.0 --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{4C4D25EB-6513-4702-8355-F4194DE2E1D9}\setup.exe" -l0x9
Waves L3 v5.2 --> C:\PROGRA~1\Waves\UNINST~1\UNWISE.EXE C:\PROGRA~1\Waves\UNINST~1\INSTALL.LOG
Windows Registry Repair Pro --> "C:\Programmi\3B Software\Windows Registry Repair Pro\unins000.exe"
WinRAR archiver --> C:\Programmi\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type373 / Error
Event Submitted/Written: 10/30/2007 08:38:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Applicazione che ha provocato l'errore taskmgr.exe, versione 5.1.2600.2180, modulo che ha provocato l'errore unknown, versione 0.0.0.0, indirizzo errore 0x003a03df.
Elaborazione evento specifico al supporto per [taskmgr.exe!ws!] in corso

Event Record #/Type372 / Error
Event Submitted/Written: 10/30/2007 08:37:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Applicazione che ha provocato l'errore userinit.exe, versione 5.1.2600.2180, modulo che ha provocato l'errore unknown, versione 0.0.0.0, indirizzo errore 0x008a03df.
Elaborazione evento specifico al supporto per [userinit.exe!ws!] in corso

Event Record #/Type369 / Error
Event Submitted/Written: 10/30/2007 01:41:28 PM
Event ID/Source: 1004 / Application Error
Event Description:
Applicazione che ha provocato l'errore wuauclt.exe, versione 5.4.3790.2180, modulo che ha provocato l'errore unknown, versione 0.0.0.0, indirizzo errore 0x00fb03df.
Errore durante creazione risultato PEAP-TLV in risposta a PEAP-TLV ricevuto (wuauclt.exe!ld!)

Event Record #/Type368 / Error
Event Submitted/Written: 10/30/2007 01:39:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Applicazione che ha provocato l'errore taskmgr.exe, versione 5.1.2600.2180, modulo che ha provocato l'errore unknown, versione 0.0.0.0, indirizzo errore 0x003a03df.
Elaborazione evento specifico al supporto per [taskmgr.exe!ws!] in corso

Event Record #/Type367 / Error
Event Submitted/Written: 10/30/2007 01:38:55 PM
Event ID/Source: 1000 / Application Error
Event Description:
Applicazione che ha provocato l'errore rundll32.exe, versione 5.1.2600.2180, modulo che ha provocato l'errore unknown, versione 0.0.0.0, indirizzo errore 0x003903df.
Elaborazione evento specifico al supporto per [rundll32.exe!ws!] in corso



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2796 / Error
Event Submitted/Written: 10/30/2007 08:40:16 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
Il servizio Spooler di stampa è terminato in modo imprevisto. Questo problema si è verificato 2 volta/e. Le seguenti azioni di correzione saranno eseguite tra 60000 millisecondi: Riavvia il servizio.

Event Record #/Type2794 / Error
Event Submitted/Written: 10/30/2007 08:38:26 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
Interruzione imprevista del servizio Windows User Mode Driver Framework. Questo evento si è già verificato 1 volta(e).

Event Record #/Type2793 / Error
Event Submitted/Written: 10/30/2007 08:38:18 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
Il servizio Spooler di stampa è terminato in modo imprevisto. Questo problema si è verificato 1 volta/e. Le seguenti azioni di correzione saranno eseguite tra 60000 millisecondi: Riavvia il servizio.

Event Record #/Type2792 / Error
Event Submitted/Written: 10/30/2007 08:38:12 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
Interruzione imprevista del servizio Servizio Gateway di livello applicazione. Questo evento si è già verificato 1 volta(e).

Event Record #/Type2765 / Error
Event Submitted/Written: 10/30/2007 01:40:26 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
Interruzione imprevista del servizio Servizio Gateway di livello applicazione. Questo evento si è già verificato 1 volta(e).



-- End of Deckard's System Scanner: finished at 2007-10-31 20:50:53 ------------

Edited by tha dj, 31 October 2007 - 02:06 PM.

  • 0
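Reading a HijackThis or DSS log by hand comes down to a few repeatable checks: list the autostart entries, note where each executable lives, and pick out recently created executables that carry no publisher information so they can be looked at one by one. As an added example (not code from this thread, from HijackThis or from DSS), here is a small Python triage script that does exactly that on lines copied from the logs above. The function names, the expected program roots and the three-day window are my own choices; the script only builds a review queue and makes no claim about whether any listed file is malicious.

```python
import re
from datetime import datetime, timedelta

# Sample input: a handful of lines copied from the HijackThis and Deckard's
# System Scanner (DSS) logs posted in this thread, mixed the way they appear there.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
2007-10-31 20:50:13 0 d-------- C:\Programmi\Trend Micro
2007-10-31 20:49:29 9728 --a------ C:\sysfels.exe
2007-10-30 19:24:00 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-10-29 18:47:16 108675 --a------ C:\WINDOWS\system32\drivers\CnxTgN.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
"""

# Scan end time taken from the DSS footer in the thread ("finished at 2007-10-31 20:50:53").
SCAN_TIME = datetime(2007, 10, 31, 20, 50, 53)

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(O\d+) - (\S+): \[(.+?)\] (.+)$")
# DSS file line: "<timestamp> <size> <9 attribute flags> <path> [<publisher tag>]"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-\w]{9}) (.+?)(?: <(.+)>)?$")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
# Directories under which autostart executables are normally expected (Italian XP
# uses "Programmi" for Program Files); anything elsewhere deserves a second look.
EXPECTED_ROOTS = ("c:\\programmi\\", "c:\\program files\\", "c:\\windows\\")


def split_command(command):
    """Split an autostart command line into (executable path, arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    m = re.match(r"(?i)^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s+(.*))?$", command)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return command, ""


def parse_log(text):
    """Return (autostart entries, file entries) found in a block of HJT/DSS lines.

    Lines in any other format are ignored, so a whole pasted log can be fed in."""
    autostarts, files = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            path, args = split_command(m.group(4))
            autostarts.append({"section": m.group(1), "hive": m.group(2),
                               "name": m.group(3), "path": path, "args": args})
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                          "size": int(m.group(2)),
                          "is_dir": m.group(3).startswith("d"),
                          "path": m.group(4),
                          "publisher": m.group(5)})
    return autostarts, files


def autostarts_outside_roots(autostarts, roots=EXPECTED_ROOTS):
    """Autostart entries whose executable lives outside the expected program directories."""
    return [a for a in autostarts if not a["path"].lower().startswith(roots)]


def recent_unsigned_executables(files, scan_time, window_days=3):
    """Executables created within `window_days` of the scan that carry no publisher tag.

    This is a review queue for the analyst, not a verdict: a fresh legitimate
    install looks exactly the same until somebody checks the file itself."""
    cutoff = scan_time - timedelta(days=window_days)
    return [f["path"] for f in files
            if not f["is_dir"]
            and f["path"].lower().endswith(EXECUTABLE_EXT)
            and f["created"] >= cutoff
            and not f["publisher"]]


if __name__ == "__main__":
    autostarts, files = parse_log(SAMPLE_LOG)
    print("Autostart entries:")
    for a in autostarts:
        print(f"  {a['hive']:<14} {a['name']:<28} {a['path']} {a['args']}")
    print("Autostarts outside expected roots:", autostarts_outside_roots(autostarts) or "none")
    print("Recently created executables without a publisher tag (verify each):")
    for path in recent_unsigned_executables(files, SCAN_TIME):
        print("  ", path)
```

Feeding the script a complete pasted log works because unrecognised lines are skipped; the publisher tag DSS prints in angle brackets is what separates a vendor driver dropped by an installer from a bare executable that nobody has vouched for yet, which is why the queue keys on its absence.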

#6
tha dj

    Member

  • Topic Starter
  • 38 posts
Some news besides the logs I posted:
Now I really can't start the infected partition; there's an error message that I could only see by disabling the automatic reboot in case of system error. The error message sounds like: stop c000021a [irreversible system error] windows logon process terminated with status 0x0000005 (0x00000000 0x00000000) the system has been closed.
I translated it from the Italian so maybe it isn't exactly like that.

I'm not a technician, but as the problem concerns the Windows logon, would it be possible to modify my access by making it automatic from the registry?
I found this: http://support.microsoft.com/kb/315231
Would I be able to do it from the other partition? Well, would it be a good idea first of all :)?
I'm sure the problem runs much deeper, but this may be a first step to at least start the system, which is now inaccessible.
What do you think?

I'm just trying to help; I'm sure you know perfectly and better than me what we have to do, and I'm not going to do anything before you tell me what to do. Don't worry :)
  • 0

#7
Chopin

    Member 2k

  • 2,639 posts
Hi Michel :)

I have a few questions for you... Some might require you to actually do something.
  • Is C: or F: your main drive? You seem to be running the scans on C:\. Just curious, as for most people C:\ is the main drive :)
  • Can you describe more specifically what happens when you try to boot onto the infected drive? Take a photo and upload it somewhere, if it's not too much hassle.
  • On the "user login account" screen, is there an option to Cancel? If so, press that. If not, press Esc or Escape and see if anything happens.
  • How DID you avoid the crashes?
  • If you try to boot in Safe Mode, does explorer.exe load as it should?
  • Finally... what error do you get upon opening Task Manager? If you could, please roughly translate the text in the quotebox below this, since I take French in high school not Spanish :)

Applicazione che ha provocato l'errore taskmgr.exe, versione 5.1.2600.2180, modulo che ha provocato l'errore unknown, versione 0.0.0.0, indirizzo errore 0x003a03df.
Elaborazione evento specifico al supporto per [taskmgr.exe!ws!] in corso


If in any case you can get onto the infected partition and get your Internet, etc. to work, please post a HijackThis log. Sorry for all the questions, but I just can't get this info from your logs.

Also, I'm going to check with my teacher if your idea will work... it seems okay, but I can't be sure.

#8
tha dj
    Member
  • Topic Starter
  • Member
  • 38 posts
I'll try to do my best to answer your questions:

1) The drive is just one, but it's split in two partitions. The main one, which is also the most infected, is actually C. But when I set F, the smaller partition, as the active one, it becomes C and the other one becomes F. I don't know if I've been clear... It's like having two girlfriends who know about each other, but each one thinks she is the most important :). I mean that each time I reboot the computer from my bootable CD and change the partition, the one I'm using recognizes itself as C. It doesn't matter if at the beginning C was the biggest one; if I'm using the small one it will think of itself as C anyway. Got it?

2) When I boot the infected drive I see the first screen where I can press F8 to go into options etc., then the Windows logo loading, and when it's time for the desktop to come up a big blue screen with an error message appears: Posted Image
then I can just manually switch off the computer coz nothing works.

3) The user login account (which I can still see in the almost-not-infected small partition) has the Cancel button, but it's unavailable... you know, I can't click it. I can't even press Escape because it doesn't work and I hear the "beep" sound of the computer. I can only press OK, or put in a password, but I don't have one, so I just press OK. And it crashes! But before that it loads my personal settings, even if my desktop never appears.

4) How I avoided the crashes is a bit rude... I let the login account crash, then I press Ctrl+Alt+Canc and the Task Manager appears, but it crashes too. I don't care and I press it some more times until the Task Manager appears and stays. The first time I closed some processes that I thought were suspect, but in fact I found out through Google that they were normal processes.
As my desktop was empty, with just my Task Manager on it, I created a new process in the Task Manager via "File --> New process" and instead of "regedit" I wrote "C:\\", which is nonsense I know, but it works and my desktop appears with all my files and all my processes running. And of course an error message with something incomprehensible written on it, but I suppose it means "why tha [bleep] did you write C:\\???".
So, that's how I avoided the crashes. At least it's working on my small partition; I did more or less the same on the infected one for the first few times, but then what I described before with the picture happened and I can't do anything.

5) I tried this afternoon to boot in Safe Mode but it didn't work; the blue error screen came out as usual so the system didn't start.
The only thing I haven't tried yet is to choose the option "start from the last working settings" (or something like that).

6)

* Finally... what error do you get upon opening Task Manager? If you could, please roughly translate the text in the quotebox below this, since I take French in high school not Spanish :)

QUOTE
Applicazione che ha provocato l'errore taskmgr.exe, versione 5.1.2600.2180, modulo che ha provocato l'errore unknown, versione 0.0.0.0, indirizzo errore 0x003a03df.
Elaborazione evento specifico al supporto per [taskmgr.exe!ws!] in corso

It means more or less: "the process which caused the error is taskmgr.exe, version 5.1.2600.2180, the module which provoked the error is unknown, version 0.0.0.0, error address 0x003a03df." Then it says in a complicated way that it's reporting the error to Microsoft support.
So, the point of the message is that taskmgr.exe crashed :)



I'm sorry my infected partition is inaccessible, because I know everything would be much easier with a proper HijackThis log and operating directly on the problem, but the only thing I have is my other partition. A couple of months ago I wouldn't have had that one either :)

I hope you found something useful in my answers.. if I can do more just tell me!

I'll be waiting for news.

bye bye and thanks.


ps: I have a gift for you, the picture of the error message about the userinit.exe process crashing: Posted Image
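The symptoms in this post (explorer.exe never starting on its own, Task Manager crashing, the desktop only appearing after a detour) are what an Image File Execution Options (IFEO) "Debugger" hijack looks like from the user's side: when such a value exists for a program, Windows starts the path named in the value in place of the program itself. The DSS registry dump posted later in this thread shows exactly such values for explorer.exe and iexplore.exe, and an extra name in the LSA "Authentication Packages" list. As an added example that is not part of the original thread or of any tool it mentions, the Python script below parses a DSS/HijackThis-style registry dump and flags those two kinds of entry; the sample text is constructed from the dump on this page, plus one benign Winlogon key for contrast.

```python
from typing import Dict, List, Tuple

# Constructed sample: a DSS/HijackThis-style "Registry Dump" excerpt in the same
# layout as the log posted in this thread. The first key is benign and should
# not be flagged; the other three are the entries a cleaner would chase.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
C:\WINDOWS\system32\catsrvut.dll 19/08/2004 14.00 628224 C:\WINDOWS\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\w32dbg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
Debugger=C:\WINDOWS\iexplore_32.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
"""

# Substring (lower-cased) that identifies an IFEO per-image subkey.
IFEO_MARKER = "\\image file execution options\\"

# On a stock Windows XP install the LSA list holds only msv1_0; any other name
# is a DLL that LSASS loads at boot and must be verified.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)


def parse_registry_dump(text: str) -> Dict[str, List[str]]:
    """Group the value lines of a dump under the [key] header they follow."""
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def _split_value(line: str) -> Tuple[str, str, bool]:
    """Return (name, value, had_equals) for a 'name=value' dump line."""
    name, sep, value = line.partition("=")
    return name.strip().strip('"').lower(), value.strip().strip('"'), bool(sep)


def find_ifeo_debuggers(keys: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Every (image name, debugger path) pair found under an IFEO subkey."""
    hits = []
    for key, values in keys.items():
        if IFEO_MARKER not in key.lower():
            continue
        image = key.rsplit("\\", 1)[-1]
        for line in values:
            name, value, ok = _split_value(line)
            if ok and name == "debugger":
                hits.append((image, value))
    return hits


def find_extra_auth_packages(keys: Dict[str, List[str]],
                             expected=DEFAULT_AUTH_PACKAGES) -> List[str]:
    """Names in the LSA 'Authentication Packages' list beyond the defaults."""
    extra = []
    for key, values in keys.items():
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for line in values:
            name, value, ok = _split_value(line)
            if ok and name == "authentication packages":
                extra.extend(p for p in value.split() if p.lower() not in expected)
    return extra


def report(text: str) -> List[str]:
    """Human-readable findings for one dump; empty list means nothing flagged."""
    keys = parse_registry_dump(text)
    findings = []
    for image, debugger in find_ifeo_debuggers(keys):
        findings.append(f"IFEO hijack: {image} is redirected to {debugger}")
    for package in find_extra_auth_packages(keys):
        findings.append(f"Non-default LSA authentication package: {package}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_DUMP):
        print(finding)
```

IFEO Debugger values do have legitimate uses on developer machines, so each hit is something to verify rather than delete blindly; on a home PC, an entry that points at an unsigned file sitting in C:\WINDOWS is the pattern to look at first. The same goes for the LSA list: whatever is added there runs inside LSASS at every boot, which is why it is worth checking alongside the usual Run keys.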

#9
Chopin
    Member 2k
  • Member
  • 2,639 posts
Hmm, that's a decent bit of information... I'll have a fix for you soon, I promise :)

#10
Chopin
    Member 2k
  • Member
  • 2,639 posts
Hello Michel, I think I have an idea... you need your Windows XP CD. Go to this link and follow the instructions in the first post to perform a repair installation of Windows XP. When that is done, tell me if you can boot :) Hopefully the problems are fixable.

#11
tha dj
    Member
  • Topic Starter
  • Member
  • 38 posts
Hi, I tried to do as you told me and after repairing/reinstalling Windows I can reboot, but also during the installation process I had many errors from the rundll process. It seems like it can't start or load.
So my system starts, but I can't see anything on my desktop other than the wallpaper.
Fortunately the Task Manager works and I can start processes from there. I ran the DSS program you gave me some posts ago :)
Here are the logs (both main and extra) from the infected partition, finally. So enjoy it and let's see if we can get rid of this problem.
thanks again.


Deckard's System Scanner v20071014.68
Run by Michel on 2007-11-04 19:00:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 1 Restore Point(s) --
1: 2007-11-04 18:00:28 UTC - RP1 - Deckard's System Scanner Restore Point


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 0.93 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-04 19:01:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Unable to read version
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programmi\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Michel\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio rapido HP Photosmart Premier.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay11...es/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programmi\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programmi\MSN Messenger\msgrapp.8.1.0178.00.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Programmi\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\Programmi\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\Programmi\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\Smc.exe
O23 - Service: Avvisi e registri di prestazioni (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe


--
End of file - 8164 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok®>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
R3 CnxEtP (Conexant AccessRunner USB ADSL WAN Adapter Filter Driver) - c:\windows\system32\drivers\cnxetp.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxEtU (Conexant AccessRunner USB ADSL Interface Device Driver) - c:\windows\system32\drivers\cnxetu.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxTgN (Conexant AccessRunner USB ADSL WAN Adapter Driver) - c:\windows\system32\drivers\cnxtgn.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys (file missing)
S3 SYMIDSCO - c:\progra~1\fileco~1\symant~1\symcdata\idsdefs\20060807.097\symidsco.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 hpqwmi (HP WMI Interface) - c:\programmi\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11b/g WLAN
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1356103C&REV_02\4&13826118&0&10A4
Manufacturer: Broadcom
Name: Broadcom 802.11b/g WLAN
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1356103C&REV_02\4&13826118&0&10A4
Service: BCM43XX


-- Scheduled Tasks -------------------------------------------------------------

2007-11-04 19:00:00 350 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2007-10-04 and 2007-11-04 -----------------------------

2007-11-04 17:43:14 0 d-------- C:\WINDOWS\Prefetch
2007-11-04 17:35:42 0 --a------ C:\CONFIG.SYS
2007-11-04 17:35:42 0 --a------ C:\AUTOEXEC.BAT
2007-10-28 18:55:03 17166 --a------ C:\eyqr.exe
2007-10-28 18:54:55 18092 --a------ C:\uqfcnf.exe
2007-10-28 18:54:14 21504 --a------ C:\WINDOWS\system32\wingsa32.dll


-- Find3M Report ---------------------------------------------------------------

2007-11-04 17:49:13 449714 --a------ C:\WINDOWS\system32\perfh010.dat
2007-11-04 17:49:13 75586 --a------ C:\WINDOWS\system32\perfc010.dat
2007-11-04 17:42:09 0 d-------- C:\Programmi\Movie Maker
2007-11-04 17:30:41 23700 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-11-04 17:28:49 0 d-------- C:\Programmi\Windows NT
2007-10-29 19:29:16 0 d-------- C:\Programmi\OpenOffice.org 2.2
2007-10-29 19:28:14 0 d-------- C:\Programmi\Microsoft Works
2007-10-29 19:24:19 0 d-------- C:\Programmi\KeyScrambler
2007-10-29 19:21:50 0 d-------- C:\Programmi\foobar2000
2007-10-29 19:20:33 0 d-------- C:\Programmi\Easy Internet signup
2007-10-29 19:20:23 0 d-------- C:\Programmi\CoffeeCup Software
2007-10-29 19:20:09 0 d-------- C:\Programmi\Bazooka Scanner
2007-10-29 19:20:09 0 d-------- C:\Programmi\Azureus
2007-10-29 10:18:42 0 d-------- C:\Programmi\PeerGuardian2
2007-10-28 18:56:49 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\foobar2000
2007-10-28 12:56:34 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\Azureus
2007-10-16 00:07:06 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\OpenOffice.org2
2007-10-15 00:36:49 0 d-------- C:\Programmi\iTunes
2007-10-15 00:31:25 0 d--h----- C:\Programmi\InstallShield Installation Information
2007-10-15 00:28:21 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\Skype
2007-09-30 13:50:37 0 d-------- C:\Programmi\Agfa
2007-09-13 01:01:06 0 d-------- C:\Documents and Settings\Michel\Dati applicazioni\dvdcss
2007-09-04 23:37:45 0 d-------- C:\Programmi\iPod


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [27/09/2005 21.05]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [19/06/2005 21.50]
"hpWirelessAssistant"="C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [04/05/2005 10.59]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [14/10/2004 13.54]
"eabconfg.cpl"="C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe" [11/10/2005 16.17]
"Cpqset"="C:\Programmi\HPQ\Default Settings\cpqset.exe" [01/08/2005 14.26]
"Logitech Utility"="Logi_MwX.Exe" [07/11/2003 10.50 C:\WINDOWS\LOGI_MWX.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [17/09/2007 11.27]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [15/11/2005 12.50]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [10/06/2004 11.48]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15/10/2004 17.40]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0\bin\jusched.exe" [22/04/2007 15.50]
"CnxDslTaskBar"="C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe" [02/08/2004 12.17]
"OSSelectorReinstall"="C:\Programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe" [22/02/2007 18.53]
"TrueImageMonitor.exe"="C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [16/02/2007 17.45]
"AcronisTimounterMonitor"="C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [16/02/2007 17.57]
"Acronis Scheduler2 Service"="C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [16/02/2007 17.49]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [14/06/2006 15.24]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [19/08/2004 14.00]
"ATIModeChange"="Ati2mdxx.exe" [27/09/2005 23.42 C:\WINDOWS\system32\Ati2mdxx.exe]
"SRFirstRun"="srclient.dll" [19/08/2004 09.00 C:\WINDOWS\system32\srclient.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Programmi\PeerGuardian2\pg2.exe" [18/09/2005 17.40]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [31/05/2005 00.04]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [19/01/2007 11.54]
"spoolw"="C:\WINDOWS\system32\spoolw.exe" []
"igfxsvc"="C:\WINDOWS\system32\igfxsvc.exe" [19/08/2004 09.00]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22.05.26]
Avvio rapido HP Photosmart Premier.lnk - C:\Programmi\Hp\Digital Imaging\bin\hpqthb08.exe [23/09/2005 23.39.30]
HP Digital Imaging Monitor.lnk - C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe [23/09/2005 22.28.44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
C:\WINDOWS\system32\catsrvut.dll 19/08/2004 14.00 628224 C:\WINDOWS\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\w32dbg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
Debugger=C:\WINDOWS\iexplore_32.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
"VoipStunt"="C:\Programmi\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
"Windows Registry Repair Pro"=C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" -atboottime
"AutoTBar"=C:\Documents and Settings\Default User\Menu Avvio\Programmi\Esecuzione automatica\AutoTBar.exe
"HP Software Update"=C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"H2O"=C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe




-- End of Deckard's System Scanner: finished at 2007-11-04 19:03:01 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Italian

CPU 0: Mobile AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 510.17 MiB / 213.73 MiB
Pagefile Memory (total/avail): 1244.21 MiB / 990.89 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.73 MiB

C: is Fixed (NTFS) - 46 GiB total, 0.92 GiB free.
D: is CDROM (No Media)
F: is Fixed (NTFS) - 28.53 GiB total, 2.2 GiB free.

\\.\PHYSICALDRIVE0 - TOSHIBA MK8025GAS - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - File system installabile - 46 GiB - C:
\PARTITION1 - File system installabile - 28.53 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: AVG 7.5.488 v7.5.488 (GRISOFT) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\MSN Messenger\\msncall.exe"="C:\\Programmi\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\Messenger\\msmsgs.exe"="C:\\Programmi\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programmi\\MSN Messenger\\msncall.exe"="C:\\Programmi\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programmi\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"="C:\\Programmi\\VoipStunt.com\\VoipStunt\\VoipStunt.exe:*:Enabled:VoipStunt"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Assistenza remota - Windows Messenger e conversazione"
"C:\\Documents and Settings\\Michel\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Michel\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Programmi\\Grisoft\\AVG7\\avginet.exe"="C:\\Programmi\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Programmi\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Programmi\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Programmi\\Grisoft\\AVG7\\avgcc.exe"="C:\\Programmi\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Programmi\\Grisoft\\AVG7\\avgemc.exe"="C:\\Programmi\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Programmi\\uTorrent\\utorrent.exe"="C:\\Programmi\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programmi\\Azureus\\Azureus.exe"="C:\\Programmi\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programmi\\Joost\\xulrunner\\tvprunner.exe"="C:\\Programmi\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Programmi\\MessengerDiscovery\\MessengerDiscovery Live.exe"="C:\\Programmi\\MessengerDiscovery\\MessengerDiscovery Live.exe:*:Enabled:MessengerDiscovery Live the Windows Live Messenger addon"
"C:\\Programmi\\Skype\\Phone\\Skype.exe"="C:\\Programmi\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Programmi\\iTunes\\iTunes.exe"="C:\\Programmi\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\\DOCUME~1\\Michel\\IMPOST~1\\Temp\\winC6.tmp.exe"="C:\\DOCUME~1\\Michel\\IMPOST~1\\Temp\\winC6.tmp.exe:*:Enabled:winC6.tmp"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Michel\Dati applicazioni
CLIENTNAME=Console
CommonProgramFiles=C:\Programmi\File comuni
COMPUTERNAME=PC276201175021
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Michel
LANG=it
LOGONSERVER=\\PC276201175021
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Programmi\ATI Technologies\ATI Control Panel;C:\Programmi\File comuni\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Programmi
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Programmi\File comuni\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Michel\IMPOST~1\Temp
TMP=C:\DOCUME~1\Michel\IMPOST~1\Temp
USERDOMAIN=PC276201175021
USERNAME=Michel
USERPROFILE=C:\Documents and Settings\Michel
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Michel (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUn0410.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1st Page 2000 2.00 Free --> C:\WINDOWS\IsUninst.exe -f"C:\Programmi\Evrsoft\1st Page 2000\Uninst.isu"
Acronis Disk Director Suite --> MsiExec.exe /X{2300EE96-0A41-4FAB-BD03-989EC44577A0}
Acronis True Image Home --> MsiExec.exe /X{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Agfa ScanWise 1.02 --> C:\WINDOWS\IsUn0410.exe -f"C:\Programmi\Agfa\ScanWise 1_02\uninst.isu"
Aggiornamento della protezione per Step by Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Aggiornamento della protezione per Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Alleycode HTML Editor 2.16.2 --> C:\Programmi\Alleycode\unins000.exe
ASIO4ALL --> C:\Programmi\ASIO4ALL v2\uninstall.exe
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x10
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Programmi\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Azureus --> C:\Programmi\Azureus\Uninstall.exe
Bazooka Scanner --> "C:\Programmi\Bazooka Scanner\Uninstall.exe" "C:\Programmi\Bazooka Scanner\install.log"
Bit Che --> "C:\Programmi\Bit Che\unins000.exe"
CDex extraction audio --> "C:\Programmi\CDex_150\uninstall.exe"
Cleanse Uninstaller 2.57 --> C:\Programmi\Zards software\Cleanse Uninstaller\uninst.exe
CleanUp! --> C:\Programmi\CleanUp!\uninstall.exe
CoffeeCup Free HTML Editor --> C:\PROGRA~1\COFFEE~1\COFFEE~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\COFFEE~1\INSTALL.LOG
CoffeeCup HTML Editor 2007 --> C:\PROGRA~1\COFFEE~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\INSTALL.LOG
Conexant AC-Link Audio --> C:\Programmi\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -ICPL309BA.INF
Dexpot 1.4 --> "C:\Programmi\Dexpot\uninstall.exe"
DivX Web Player --> C:\Programmi\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMule --> "C:\Programmi\eMule\Uninstall.exe"
foobar2000 v0.9.3.1 --> "C:\Programmi\foobar2000\uninstall.exe"
GTK+ 2.8.18-1 runtime environment --> "C:\Programmi\File comuni\GTK\2.0\unins000.exe"
Hamlet HDSL640S USB ADSL WAN Adapter --> C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxUnist.exe -w7 AccessRunner ADSL
HP Fotocamere Photosmart 6.0 --> C:\Programmi\HP\Digital Imaging\{7C4730D3-855A-4e5e-8763-A93B52C7A94E}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Help and Support --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x10 -removeonly
HP Imaging Device Functions 6.0 --> C:\Programmi\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.0 --> C:\Programmi\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.0 --> C:\Programmi\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP User Guides 0008 --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{43A6AA2A-74B5-4E1C-91DB-ECB2F99D9ED7}\setup.exe" -l0x10 -removeonly
HP Wireless Assistant 1.01 C1 --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x10 hpquninst
IL Download Manager --> C:\Programmi\Image-Line\Downloader\uninstall.exe
InterVideo WinDVD --> "C:\Programmi\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iPod for Windows 2006-06-28 --> C:\Programmi\File comuni\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1040
IsoBuster 2.0 --> "C:\Programmi\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1040
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
JAP --> C:\Programmi\JAP\uninstall.exe
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Joost ™ 0.10.1 --> C:\Programmi\Joost\uninst.exe
KeyScrambler --> C:\Programmi\KeyScrambler\uninstall.exe
Logitech MouseWare 9.79 --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x10 -l0010 UNINSTALL
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Messenger Plus! Live --> "C:\Programmi\Messenger Plus! Live\Uninstall.exe"
MessengerDiscovery Live 1.3.0310 --> "C:\Programmi\MessengerDiscovery\unins000.exe"
Microsoft Works --> MsiExec.exe /I{D7319E81-08C5-4E16-9F75-752818893551}
Mozilla Firefox (2.0.0.8) --> C:\Programmi\Mozilla Firefox\uninstall\helper.exe
Nero 7 Ultra Edition --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
Norton PartitionMagic 8.0 --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
OpenOffice.org 2.2 --> MsiExec.exe /I{04939713-12F2-4B28-B8C2-EA638E6D0E12}
Pannello di controllo ATI --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
PeerGuardian 2.0 --> "C:\Programmi\PeerGuardian2\unins000.exe"
Quick Launch Buttons 5.20 D2 --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x10 -uninst
Real Alternative 1.51 --> "C:\Programmi\Real Alternative\unins000.exe"
Skype 2.5 --> "C:\Programmi\Skype\Phone\unins000.exe"
Soft Data Fax Modem with SmartCP --> C:\Programmi\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378\HXFSETUP.EXE -U -Icpl309bk.inf
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Charge µTonic VSTi v2.0.1 --> C:\PROGRA~1\VSTPLU~1\SONICC~1\MICROT~1\MICROT~1\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\SONICC~1\MICROT~1\MICROT~1\INSTALL.LOG
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic Foundry Sound Forge 6.0 --> MsiExec.exe /I{62FC357F-022B-4F90-9376-7A0DF9FBE7A1}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SoulSeek Client 156c --> "C:\Programmi\Soulseek\uninstall.exe"
Spybot - Search & Destroy 1.4 --> "C:\Programmi\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.4 --> "C:\Programmi\SpywareBlaster\unins000.exe"
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Programmi\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Syncrosoft's License Control --> C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
SyNTHEMA PeTra per Word --> C:\Petrawd\UNINSTALL.EXE C:\Petrawd\INSTALL.LOG
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FF6F491D-BC82-4DCC-A72F-1824957C6466} /l1040
The GIMP 2.2.13 --> "C:\Programmi\GIMP-2.0\unins000.exe"
Traduttore Garzanti --> "C:\Programmi\TG 6.0\RunExe.exe" "C:\Documents and Settings\Michel\Impostazioni locali\Temp\Rar$EX03.156\traduttore garzanti 6.0 pro inglese italiano\TGPro\Install.exe"
TVUPlayer 2.3.0.0 --> C:\Programmi\TVUPlayer\uninst.exe
Ulead GIF Animator 2.0 Full Version --> C:\WINDOWS\IsUninst.exe -f"C:\Programmi\Ulead GIF Animator 2.0\Ga20f.isu"
USB PC Camera (SN9C102) --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{57383270-6F61-4DC8-A9B8-C1745FC29F38}\Setup.exe" -l0x9
versione 0.4 Beta --> "C:\Programmi\Mediacenter\unins000.exe"
VideoLAN VLC media player 0.8.4a --> C:\Programmi\VideoLAN\VLC\uninstall.exe
VoipStunt --> "C:\Programmi\VoipStunt.com\VoipStunt\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{A511414C-4846-4630-8AC0-B156D8CB1FC0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Registry Repair Pro --> "C:\Programmi\3B Software\Windows Registry Repair Pro\unins000.exe"
WinPatrol --> C:\WINDOWS\uninst.exe -f"C:\Programmi\BillP Studios\WinPatrol\DeIsL1.isu" -c"C:\Programmi\BillP Studios\WinPatrol\_ISREG32.DLL"
WinRAR archiver --> C:\Programmi\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9704 / Error
Event Submitted/Written: 11/04/2007 07:02:23 PM
Event ID/Source: 100 / AVG7
Event Description:
2007-11-04 18:02:23,593 PC276201175021 [001460:001480] ERROR 000 AVG7.AM.events.IpReport handling of message reported by Resident Shield failed: Error 0x80004002

Event Record #/Type9703 / Error
Event Submitted/Written: 11/04/2007 07:02:16 PM
Event ID/Source: 100 / AVG7
Event Description:
2007-11-04 18:02:16,906 PC276201175021 [001460:001480] ERROR 000 AVG7.AM.events.IpReport handling of message reported by Resident Shield failed: Error 0x80004002

Event Record #/Type9702 / Error
Event Submitted/Written: 11/04/2007 07:02:09 PM
Event ID/Source: 100 / AVG7
Event Description:
2007-11-04 18:02:09,421 PC276201175021 [001460:001480] ERROR 000 AVG7.AM.events.IpReport handling of message reported by Resident Shield failed: Error 0x80004002

Event Record #/Type9701 / Error
Event Submitted/Written: 11/04/2007 07:02:05 PM
Event ID/Source: 100 / AVG7
Event Description:
2007-11-04 18:02:05,390 PC276201175021 [001460:001480] ERROR 000 AVG7.AM.events.IpReport handling of message reported by Resident Shield failed: Error 0x80004002

Event Record #/Type9700 / Error
Event Submitted/Written: 11/04/2007 07:02:03 PM
Event ID/Source: 100 / AVG7
Event Description:
2007-11-04 18:02:03,062 PC276201175021 [001460:001480] ERROR 000 AVG7.AM.events.IpReport handling of message reported by Resident Shield failed: Error 0x80004002



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type34344 / Error
Event Submitted/Written: 11/04/2007 05:44:11 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
All'avvio non è stato possibile caricare i seguenti driver:
sptd

Event Record #/Type34343 / Error
Event Submitted/Written: 11/04/2007 05:44:11 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio Guida in linea e supporto tecnico non è stato avviato per il seguente errore:
%%1083

Event Record #/Type34342 / Error
Event Submitted/Written: 11/04/2007 05:44:11 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio AVG E-mail Scanner non è stato avviato per il seguente errore:
%%5

Event Record #/Type34341 / Error
Event Submitted/Written: 11/04/2007 05:44:11 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio AVG7 Update Service non è stato avviato per il seguente errore:
%%5

Event Record #/Type34340 / Error
Event Submitted/Written: 11/04/2007 05:44:11 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio Nsynas32 non è stato avviato per il seguente errore:
%%2



-- End of Deckard's System Scanner: finished at 2007-11-04 19:03:01 ------------
  • 0

#12
tha dj

tha dj

    Member

  • Topic Starter
  • Member
  • 38 posts
well, checking around some of the suspicious names in the HijackThis log, I found that maybe I'm infected by trojan.downloader.win32.tiny.hi or Generic.Malware.Sdld!!.FC6069F or trojan.win32.small.LQ.
that's because the strange programs I found were EYQR.EXE and UQFCNF.EXE, which I already erased in a moment of fear.. I'm sorry for csi if they wanted to analyze them.
then I found SPOOLW.EXE and IGFXSVC.EXE in the log, which seem to be related to those programs and to be my f$%&//% virus.
by the way, there are also these two things

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\w32dbg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
Debugger=C:\WINDOWS\iexplore_32.exe

which could be part of my problem and, as I read on a website, could reactivate the other 2 files.

last but not least, my first partition still isn't able to boot as usual. after I did as you told me and repaired Windows from its disc, it worked only once and now I'm in the same situation I was in at the beginning.
BUT!!!! I know it doesn't start because it shows the error message about the Windows logon and [bleep] like that.. and in my HijackThis log the last object is C:\WINDOWS\system32\smlogsvc.exe, which is the Microsoft alert service. if I can disable it, maybe I can reboot the computer.
However, I think the only way to get rid of this malware is to erase those HKEYs I wrote before, but as I can't run HijackThis on the infected partition and, for the same reason, I can't access my registry from "Start-->run-->regedit" on that partition, I need you to tell me how I can access the registry from this partition or how I can manually erase those objects!!

please, answer as fast as you can. I know you're doing me a favour and everyone has his own life, but I've been fighting this virus for a week already. I'm trying to find solutions myself and suggest them to you coz I know this virus is nasty and no-one has too much time to dedicate. just check if what I said is possible and give me some hints.
Thanks a lot to everyone :)
  • 0
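The two Image File Execution Options entries quoted in the post above are the thing to check for on a machine in this state: a Debugger value under an image's IFEO key makes Windows start that program in place of the image. The following detection check is an added example, not part of the original thread or of any tool named in it; it assumes the simple `[key]` / `Debugger=path` dump layout shown in the post and uses a constructed allowlist of debugger names and a constructed sample (the taskmgr.exe entry is made up as a benign case).

```python
import re

# Constructed sample in the "[key]" / "Debugger=path" layout the post shows. The explorer.exe
# and iexplore.exe entries are the ones quoted in the thread; taskmgr.exe is a made-up benign
# case (Process Explorer registers itself this way to replace Task Manager).
SAMPLE_IFEO_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\w32dbg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
Debugger=C:\WINDOWS\iexplore_32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger="C:\Program Files\Process Explorer\procexp.exe"
"""

IFEO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\image file execution options\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
DEBUGGER_RE = re.compile(r'^"?Debugger"?\s*=\s*(.+?)\s*$', re.IGNORECASE)

# Debugger binaries an administrator might register on purpose (constructed allowlist).
KNOWN_DEBUGGERS = {"procexp.exe", "procexp64.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}


def parse_ifeo(text: str) -> dict[str, str]:
    """Map image name -> raw Debugger value for every IFEO key that carries one."""
    entries: dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = IFEO_KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
        elif line.startswith("["):
            current = None  # some unrelated key; skip until the next IFEO key
        else:
            value = DEBUGGER_RE.match(line)
            if value and current:
                entries[current] = value.group(1)
    return entries


def debugger_exe(value: str) -> str:
    """First token of a Debugger command: a quoted path, or text up to the first space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def flag_suspicious(entries: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (image, debugger_value, reason) where the Debugger is not a known debugger.

    Windows launches the Debugger program instead of the image and hands it the image's
    command line, so an unknown binary here means that image is being intercepted, which
    is consistent with explorer.exe never appearing, as the poster describes.
    """
    findings = []
    for image, value in entries.items():
        basename = debugger_exe(value).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in KNOWN_DEBUGGERS:
            findings.append((image, value, f"unknown debugger binary {basename!r}"))
    return findings
```

Run on the sample it reports explorer.exe and iexplore.exe and leaves the Process Explorer entry alone; on a real export, look at every reported image, since only the allowlist (not the image name) decides what is flagged.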

#13
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, tha dj :)

Fredil Yupigo is not available at this time. I will be assisting you.

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\eyqr.exe
    C:\uqfcnf.exe
    C:\WINDOWS\system32\wingsa32.dll
    C:\WINDOWS\system32\spoolw.exe
    C:\WINDOWS\w32dbg.exe
    C:\WINDOWS\iexplore_32.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#14
tha dj

tha dj

    Member

  • Topic Starter
  • Member
  • 38 posts
Hi JSntgrvr,
I'm gonna do everything you said, but first I have to ask you something: I have erased those files you mention in the paths I should copy/paste, but I still have them in my trash bin.. should I replace them before using OTMoveIt?

probably you know it, but I want to remind you that I'm working on a safe partition of my computer and the infected one is another. will these programs do their job anyway, or do they need to be installed on the infected partition? so, is it enough to use F:\eyqr instead of C:\eyqr as the path for those infected files we mentioned before, or must the programs run from the infected OS?

thanks for your help, it's really appreciated :)
  • 0

#15
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

Hi JSntgrvr,
I'm gonna do everything you said, but first I have to ask you something: I have erased those files you mention in the paths I should copy/paste, but I still have them in my trash bin.. should I replace them before using OTMoveIt?

probably you know it, but I want to remind you that I'm working on a safe partition of my computer and the infected one is another. will these programs do their job anyway, or do they need to be installed on the infected partition? so, is it enough to use F:\eyqr instead of C:\eyqr as the path for those infected files we mentioned before, or must the programs run from the infected OS?

thanks for your help, it's really appreciated :)

Please answer these questions one by one:

1. Why can't you boot into the infected partition?

a. What is the error message?

2. Do you have a dual boot deal?

a. Do you have to go through the dual boot menu to boot into your current partition?

3. When you are logged onto the current partition:

a. Which drive is your current (bootable) partition?
b. Which drive appears to be the infected partition?


We can't work on a parallel installation to the infected partition, as the tools we use only read the drive (partition) the system is installed on and running from.
  • 0





