virus infection, impossible to start :(

#16 tha dj (Member, Topic Starter, 38 posts)

1. Why can't you boot into the infected partition?

a. What is the error message?


I can't boot because I get an error message about the Windows logon which could be translated (the message is in Italian :)) as: stop c000021a [irreversible system error] windows logon process terminated with status 0x0000005 (0x00000000 0x00000000) the system has been closed.
If you take a look at the previous posts, I uploaded a screenshot of the blue screen that comes up.

2. Do you have a dual boot deal?

a. Do you have to go through the dual boot menu to boot on your current partition?


I'm not sure what you mean.. I can tell you that I did my partitions with the Acronis program and I have a bootable disk that loads before the OS so I can choose which partition to activate. No deal about it; I can jump to the partition I prefer.
The problem is only with the infected one, which can't boot even in safe mode.

3. When you are logged onto the current partition:

a. which drive is your current (bootable partition)?
b. which drive appears to be the infected partition?


When I'm on the safe one, C is my current drive and F the infected one.

We can't work on a parallel installation to the infected partition, as the tools we use only read the drive (partition) where the system is installed and running from.


I understand, and I was afraid of this.. Anyway Fredil, the guy who was helping me before, suggested that I repair my Windows XP from its installation disk; I did it and I had many error messages about the process rundll.exe that couldn't start, or something like that. The result was that the partition booted but I was without the desktop (the problem that belongs to those infected "explorer.exe" files), even if the task manager was working and so I was able to run whatever program I had on my drive.
After that first time, I ran into the same problem of the error at boot time, but let's say I try again to repair my XP: if the partition works even just one time I can install and run those programs or HijackThis to find and fix those infected files!!! I think it can work.
The last time I booted into the infected partition after repairing it with the XP installation disk I could, through the task manager, run the DSS program and copy and paste the logs onto my safe drive.
Actually, as I don't hide the infected drive, I can always access any file I have from the safe one.

So what do you say?
Should I try to repair the infected partition with the Windows disk and then run your programs there? Once I'm there, as it is a one-shot chance, wouldn't it be possible to erase those infected files right away, without reporting logs and stuff here, looking at them and then deciding later, etc.... coz you know, it takes 1 hour each time I use the Windows disk :)


I hope I've been clear. These things aren't very easy for me, and explaining them in English is even more difficult. I hope my English wasn't that bad :)

Thanks for your patience and your help :)

#17 JSntgRvr (Global Moderator, 11,579 posts)

Hi, tha dj :)

When you ran Deckard's Scanner, the registry hives of the infected partition were backed-up.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the following folder (Note that we are working on the F:\ drive, which according to your last reply, is the infected partition):

F:\WINDOWS\ERDNT\dss


In that folder you will find the following files:

default
sam
system
software


Please copy these files (Edit->Select All->Edit->copy) into the following folder:

F:\WINDOWS\system32\config

Replace the existing files therein.

Once done, close all windows and restart the computer.

Please attempt to log on to the infected partition. If successful, please run Combofix as requested above.

#18 tha dj (Member, Topic Starter, 38 posts)

Finally, my dear friend, I'm writing from my formerly infected partition!
Well, we don't know yet; let's just say that now I can control everything and I have my desktop back.

I'll tell you what happened:
I copied those files from the DSS folder into the Config folder of F, but when I tried to boot the infected partition everything was the same, not working.
So I ran the Windows CD and I restored/repaired Windows XP hoping it would work like it did the last time I used this trick, and actually it did what I expected: it started but I was without the desktop. The task manager was working, so I thought of using ComboFix as you told me, but I couldn't remember the instructions you gave me, and even though I had copied them to a .txt file I wasn't able to open it from the task manager.
I knew I couldn't go back to the safe partition, read your instructions and come back to the infected one, coz I'd have to do the repair from the Windows disk again (so another hour)..
I tried one last chance while I was on the infected partition: I opened the registry (which I couldn't access before) and I looked for the keys "[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\w32dbg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
Debugger=C:\WINDOWS\iexplore_32.exe"

I found them and I erased them (I read on the internet that these 2 keys were recalling explorer, infecting it and causing my problems.. but I already wrote that some posts ago).
Then I rebooted and everything seems to be fine.

I can't be sure of being safe, even if I took a look at the HijackThis log and it looks clean.
Would you take a look as well, please?

Some other programs to see if everything is ok?
I ran ComboFix and I have the log, but for some uncertain reason I can't access the .txt files (nor AVG :) ), so I'll try to attach the ComboFix log file, then you'll see.

Please tell me what to do, and I think we will have finished :)

Thanks again for your help and your patience :)

PS: one last thing, on the safe partition I still have a couple of problems that came together with the virus: I'm asked for a password at start-up, but I never chose that option.. however if I click OK everything runs as usual.
Another thing is that I can't use my taskbar/tray bar (I don't remember what it's called in English), I can't click on it! Any suggestion?


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.14.54, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\PeerGuardian2\pg2.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\OpenOffice.org 2.2\program\soffice.exe
C:\Programmi\OpenOffice.org 2.2\program\soffice.BIN
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio rapido HP Photosmart Premier.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay11...es/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEAD73A8-A740-46B0-A53E-AEC7698DBEA4}: NameServer = 213.205.32.70 213.205.36.70
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Gestione sessione di assistenza mediante desktop remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe

--
End of file - 7961 bytes

The only strange thing I can see is that "O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe", which means administrative service of drive management (or something like that), and it may be guilty of my restricted access to some files.. don't know.


Attached Files
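The two registry entries tha dj found above are Image File Execution Options (IFEO) "Debugger" values: Windows launches the named debugger instead of the listed program, which is why explorer.exe was replaced by w32dbg.exe. The following is an added example, not code from this thread or from any of the tools used in it: it parses a .reg export of the IFEO key (the sample text below is constructed and reuses the two entries quoted in the post) and reports every program whose launch is being redirected, so the entries can be reviewed before anything is deleted.

```python
import re
from typing import Dict, List, Optional

# Constructed sample .reg export (regedit "Export" format), not taken from the
# machine in the thread. It contains the two hijacked entries quoted in the post
# plus one IFEO subkey that carries no Debugger value and must not be reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\w32dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\WINDOWS\\iexplore_32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001
"""

# Lower-cased prefix of the IFEO key; registry paths are case-insensitive.
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
               r"\currentversion\image file execution options\\")[:-1]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="string" values. Returns {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg exports escape backslashes and quotes inside string values.
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = value
    return keys


def find_ifeo_debuggers(text: str) -> List[dict]:
    """Return one record per IFEO subkey that carries a Debugger value:
    the program being intercepted and the executable that is launched instead."""
    findings: List[dict] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX):
            continue
        intercepted = key[len(IFEO_PREFIX):]
        if "\\" in intercepted:  # deeper subkeys are not launch redirections
            continue
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger:
            findings.append({"hijacked": intercepted, "launches": debugger, "key": key})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{f['hijacked']} is redirected to {f['launches']}")
```

A Debugger value is occasionally legitimate (developer tooling registers one on purpose), so each hit should be checked against what the machine's owner expects before the value is removed; removing it, as the post describes, makes Windows launch the original program again.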

#19 JSntgRvr (Global Moderator, 11,579 posts)

Hi, tha dj :)

I am glad there has been some progress.

You can use the following steps to enable automatic logon:

1. Click Start, and then click Run.
2. In the Open box, type: control userpasswords2 , and then click OK.
3. In the dialog box that appears, clear the "Users must enter a user name and password to use this computer" check box, and then click OK.

While holding down the Shift key, right click on a text file (.txt) and select "Open With". Select Notepad from the list of programs and put a checkmark on "Always use this program.....". That should establish an association with Notepad.

Download the enclosed file and save it to the desktop. It is a .txt file (CFScript.txt).



Posted Image

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe, and post back the resulting report along with a fresh HijackThis log.

Edited by JSntgRvr, 10 November 2007 - 11:32 AM.


#20 JSntgRvr (Global Moderator, 11,579 posts)


PS: one last thing, on the safe partition I still have a couple of problems that came together with the virus: I'm asked for a password at start-up, but I never chose that option.. however if I click OK everything runs as usual.
Another thing is that I can't use my taskbar/tray bar (I don't remember what it's called in English), I can't click on it! Any suggestion?

As soon as we finish with one partition, we will take care of the other one.

#21 tha dj (Member, Topic Starter, 38 posts)

So, ComboFix did what it had to do, but I didn't look at it; I went to smoke a cigarette :) and when I came back the system had restarted..
I'll let you judge whether what you hoped for actually happened.
I have to attach the ComboFix log again as I still can't open .txt files.. I did as you told me, open with Notepad etc., but it didn't allow me to do it.. always saying I don't have the rights to access it or it's already in use.. I think you know what I'm talking about.
Instead I have a little new question: WinPatrol detected a file change after I ran ComboFix, about the HOSTS file (located: c:\windows\system32\drivers\etc\hosts). Should I accept the change, or wasn't it supposed to happen?

Anyway, here is what you asked for, the two logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.22.52, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\PeerGuardian2\pg2.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio rapido HP Photosmart Premier.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay11...es/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Gestione sessione di assistenza mediante desktop remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe

--
End of file - 7777 bytes

Thanks :)

Attached Files

#22 JSntgRvr (Global Moderator, 11,579 posts)

Hi, tha dj :)

That is the same log you submitted earlier. Please boot in Safe Mode and log on under your usual account. See if you can open .txt files. If not, boot in Safe Mode once again; this time log on as Administrator and test. The Combofix log should have a heading with a line similar to the one below:

Command switches used :: C:\Documents and Settings\UserName\Desktop\CFScript.txt

I also need to know if you are able to open .txt files on your usual account in Safe Mode.

#23 tha dj (Member, Topic Starter, 38 posts)

I tried everything you said and it seems I can't open the .txt files in either of my accounts, Administrator and user. Even if I do "open with..", I have to search manually for notepad.exe because it's not listed among the programs I should choose from. When I choose it the system just doesn't care; it's like I never chose it. But if I open notepad.exe and then go into "File --> Open" I can open whatever file.. I hope you understood my difficult explanation :)
New problem!! It's getting worse.. all applications like the Microsoft accessories (such as WordPad, Calculator, etc.) are impossible to open. Well, they open something else. If I try to open WordPad, a "telephonic connection" something comes out.. if I open the Calculator it's another application that starts, etc. avgcc.exe disappeared. :) Who's playing with me? Should I run some kind of program to see if my PC has been hacked or accessed by someone? Sygate sometimes detected port scans, but that's quite usual.. what do you think?
I ran ComboFix again, so here is the log: (if something is in Italian and you don't understand, just ask and I'll translate. Then find someone who can translate my English to yours :))

ComboFix 07-11-08.1 - Michel 2007-11-11 16.56.08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.194 [GMT 1:00]
Eseguito da: C:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michel\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

FILE
C:\WINDOWS\system32\wingsa32.dll
.

((((((((((((((((((((((((( Files Creati Da 2007-10-11 al 2007-11-11 )))))))))))))))))))))))))))))))))))
.

2007-11-11 14:45 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-11 14:40 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\OpenOffice.org2
2007-11-11 14:34 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\AVG7
2007-11-11 14:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2007-11-11 14:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2007-11-11 14:29 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2007-11-11 14:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2007-11-11 14:29 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2007-11-11 14:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2007-11-11 14:29 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2007-11-11 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Symantec
2007-11-11 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Apple Computer
2007-11-11 14:29 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2007-11-10 16:12 <DIR> d-------- C:\Programmi\Trend Micro
2007-11-10 15:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 14:26 1,539,258 --a------ C:\ComboFix.exe
2007-11-10 13:35 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-11-10 13:35 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-11-04 19:00 <DIR> d-------- C:\Deckard
2007-10-19 15:53 1,602,742 --a------ C:\foobar2000_0.9.3.1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 15:54 --------- d-----w C:\Programmi\PeerGuardian2
2007-11-11 13:00 --------- d-----w C:\Documents and Settings\Michel\Dati applicazioni\Azureus
2007-11-11 09:43 --------- d-----w C:\Programmi\Ulead GIF Animator 2.0
2007-11-11 09:43 --------- d-----w C:\Programmi\TG 6.0
2007-11-11 09:43 --------- d-----w C:\Programmi\SpywareBlaster
2007-11-11 09:43 --------- d-----w C:\Programmi\Soulseek
2007-11-11 09:43 --------- d-----w C:\Programmi\Microsoft Works
2007-11-11 09:43 --------- d-----w C:\Programmi\MessengerDiscovery
2007-11-11 09:43 --------- d-----w C:\Programmi\IrfanView
2007-11-11 09:42 --------- d-----w C:\Programmi\eMule
2007-11-11 09:42 --------- d-----w C:\Programmi\Easy Internet signup
2007-11-11 09:42 --------- d-----w C:\Programmi\CoffeeCup Software
2007-11-11 09:42 --------- d-----w C:\Documents and Settings\LocalService\Dati applicazioni\AVG7
2007-11-10 20:16 --------- d-----w C:\Documents and Settings\Michel\Dati applicazioni\foobar2000
2007-11-10 15:00 --------- d-----w C:\Documents and Settings\Michel\Dati applicazioni\OpenOffice.org2
2007-11-10 13:24 --------- d-----w C:\Documents and Settings\Michel\Dati applicazioni\AVG7
2007-10-29 18:29 --------- d-----w C:\Programmi\OpenOffice.org 2.2
2007-10-29 18:24 --------- d-----w C:\Programmi\KeyScrambler
2007-10-29 18:21 --------- d-----w C:\Programmi\foobar2000
2007-10-29 18:20 --------- d-----w C:\Programmi\Bazooka Scanner
2007-10-29 18:20 --------- d-----w C:\Programmi\Azureus
2007-10-14 23:36 --------- d-----w C:\Programmi\iTunes
2007-10-14 23:31 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-10-14 23:28 --------- d-----w C:\Documents and Settings\Michel\Dati applicazioni\Skype
2007-09-30 12:50 --------- d-----w C:\Programmi\Agfa
2007-09-13 00:01 --------- d-----w C:\Documents and Settings\Michel\Dati applicazioni\dvdcss
2007-04-18 01:50 4,160 ----a-w C:\Documents and Settings\Michel\Dati applicazioni\wklnhst.dat
2005-09-23 21:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
1999-04-16 09:28 158,208 ----a-r C:\WINDOWS\inf\Agfa\Message.exe
2007-04-15 12:21:46 22,502,176 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-15 12:21:46 236,832 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-10_15.50.45.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-19 13:00:00 57,399 ----a-w C:\WINDOWS\ime\imjp8_1\cplexe.exe
+ 2004-08-19 13:00:00 65,591 ----a-w C:\WINDOWS\ime\imjp8_1\cplexe.exe
- 2004-08-19 13:00:00 57,398 ----a-w C:\WINDOWS\ime\imjp8_1\imjpdadm.exe
+ 2004-08-19 13:00:00 65,590 ----a-w C:\WINDOWS\ime\imjp8_1\imjpdadm.exe
- 2004-08-19 13:00:00 44,032 ----a-w C:\WINDOWS\ime\imkr6_1\imekrmig.exe
+ 2004-08-19 13:00:00 50,688 ----a-w C:\WINDOWS\ime\imkr6_1\imekrmig.exe
- 2004-08-19 13:00:00 59,904 ----a-w C:\WINDOWS\ime\imkr6_1\imkrinst.exe
+ 2004-08-19 13:00:00 66,560 ----a-w C:\WINDOWS\ime\imkr6_1\imkrinst.exe
- 2004-08-19 13:00:00 311,359 ----a-w C:\WINDOWS\ime\shared\imepadsv.exe
+ 2004-08-19 13:00:00 319,551 ----a-w C:\WINDOWS\ime\shared\imepadsv.exe
- 2004-08-19 13:00:00 256,512 ----a-w C:\WINDOWS\msagent\agentsvr.exe
+ 2004-08-19 13:00:00 263,168 ----a-w C:\WINDOWS\msagent\agentsvr.exe
- 2004-08-19 13:00:00 768,512 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
+ 2004-08-19 13:00:00 775,168 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
- 2004-08-19 13:00:00 99,840 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helphost.exe
+ 2004-08-19 13:00:00 106,496 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helphost.exe
- 2004-08-19 13:00:00 743,936 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
+ 2004-08-19 13:00:00 750,592 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
- 2004-08-19 13:00:00 18,944 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\hscupd.exe
+ 2004-08-19 13:00:00 25,600 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\hscupd.exe
- 2004-08-19 13:00:00 160,256 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
+ 2004-08-19 13:00:00 166,912 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
- 2004-08-19 13:00:00 35,328 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\notiflag.exe
+ 2004-08-19 13:00:00 41,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\notiflag.exe
- 2004-08-19 13:00:00 151,040 ----a-w C:\WINDOWS\pchealth\UploadLB\Binaries\uploadm.exe
+ 2004-08-19 13:00:00 157,696 ----a-w C:\WINDOWS\pchealth\UploadLB\Binaries\uploadm.exe
+ 2007-11-11 15:03:51 3,678 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{80F32E6B-ECC7-47AD-9233-D2816DD22B8D}.bin
- 2004-08-19 13:00:00 9,728 ----a-w C:\WINDOWS\system32\Com\comrepl.exe
+ 2004-08-19 13:00:00 16,384 ----a-w C:\WINDOWS\system32\Com\comrepl.exe
- 2004-08-19 13:00:00 5,120 ----a-w C:\WINDOWS\system32\Com\comrereg.exe
+ 2004-08-19 13:00:00 11,776 ----a-w C:\WINDOWS\system32\Com\comrereg.exe
- 2007-11-10 13:40:26 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-11 13:43:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-10 13:40:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2007-11-11 13:43:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2007-11-10 13:40:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-11 13:43:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-19 13:00:00 61,440 ----a-w C:\WINDOWS\system32\logman.exe
+ 2004-08-19 13:00:00 68,096 ----a-w C:\WINDOWS\system32\logman.exe
- 2004-08-19 13:00:00 15,872 ----a-w C:\WINDOWS\system32\logoff.exe
+ 2004-08-19 13:00:00 22,528 ----a-w C:\WINDOWS\system32\logoff.exe
- 2004-08-19 13:00:00 220,672 ----a-w C:\WINDOWS\system32\logon.scr
+ 2004-08-19 13:00:00 227,328 ----a-w C:\WINDOWS\system32\logon.scr
- 2004-08-19 13:00:00 515,584 ----a-w C:\WINDOWS\system32\logonui.exe
+ 2004-08-19 13:00:00 522,240 ----a-w C:\WINDOWS\system32\logonui.exe
- 2004-08-19 13:00:00 6,144 ----a-w C:\WINDOWS\system32\lpq.exe
+ 2004-08-19 13:00:00 12,800 ----a-w C:\WINDOWS\system32\lpq.exe
- 2004-08-19 13:00:00 8,704 ----a-w C:\WINDOWS\system32\lpr.exe
+ 2004-08-19 13:00:00 15,360 ----a-w C:\WINDOWS\system32\lpr.exe
- 2004-08-19 13:00:00 73,216 ----a-w C:\WINDOWS\system32\magnify.exe
+ 2004-08-19 13:00:00 79,872 ----a-w C:\WINDOWS\system32\magnify.exe
- 2004-08-19 13:00:00 85,504 ----a-w C:\WINDOWS\system32\makecab.exe
+ 2004-08-19 13:00:00 92,160 ----a-w C:\WINDOWS\system32\makecab.exe
- 2004-08-19 13:00:00 52,224 ----a-w C:\WINDOWS\system32\migpwd.exe
+ 2004-08-19 13:00:00 58,880 ----a-w C:\WINDOWS\system32\migpwd.exe
- 2004-08-19 13:00:00 143,872 ----a-w C:\WINDOWS\system32\mobsync.exe
+ 2004-08-19 13:00:00 150,528 ----a-w C:\WINDOWS\system32\mobsync.exe
- 2004-08-19 13:00:00 8,192 ----a-w C:\WINDOWS\system32\mountvol.exe
+ 2004-08-19 13:00:00 14,848 ----a-w C:\WINDOWS\system32\mountvol.exe
- 2004-08-19 13:00:00 124,416 ----a-w C:\WINDOWS\system32\mplay32.exe
+ 2004-08-19 13:00:00 131,072 ----a-w C:\WINDOWS\system32\mplay32.exe
- 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\mpnotify.exe
+ 2004-08-19 13:00:00 28,672 ----a-w C:\WINDOWS\system32\mpnotify.exe
- 2004-08-19 13:00:00 14,336 ----a-w C:\WINDOWS\system32\mrinfo.exe
+ 2004-08-19 13:00:00 20,992 ----a-w C:\WINDOWS\system32\mrinfo.exe
- 2004-08-19 13:00:00 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2004-08-19 13:00:00 35,840 ----a-w C:\WINDOWS\system32\mshta.exe
- 2004-08-19 13:00:00 40,960 ----a-w C:\WINDOWS\system32\msiregmv.exe
+ 2004-08-19 13:00:00 47,616 ----a-w C:\WINDOWS\system32\msiregmv.exe
- 2004-08-19 13:00:00 346,112 ----a-w C:\WINDOWS\system32\mspaint.exe
+ 2004-08-19 13:00:00 352,768 ----a-w C:\WINDOWS\system32\mspaint.exe
- 2004-08-19 13:00:00 6,656 ----a-w C:\WINDOWS\system32\msswchx.exe
+ 2004-08-19 13:00:00 13,312 ----a-w C:\WINDOWS\system32\msswchx.exe
- 2004-08-19 13:00:00 12,288 ----a-w C:\WINDOWS\system32\mstinit.exe
+ 2004-08-19 13:00:00 18,944 ----a-w C:\WINDOWS\system32\mstinit.exe
- 2004-08-19 13:00:00 54,784 ----a-w C:\WINDOWS\system32\narrator.exe
+ 2004-08-19 13:00:00 61,440 ----a-w C:\WINDOWS\system32\narrator.exe
- 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\nbtstat.exe
+ 2004-08-19 13:00:00 28,672 ----a-w C:\WINDOWS\system32\nbtstat.exe
- 2004-08-19 13:00:00 4,096 ----a-w C:\WINDOWS\system32\nddeapir.exe
+ 2004-08-19 13:00:00 10,752 ----a-w C:\WINDOWS\system32\nddeapir.exe
- 2004-08-19 13:00:00 42,496 ----a-w C:\WINDOWS\system32\net.exe
+ 2004-08-19 13:00:00 49,152 ----a-w C:\WINDOWS\system32\net.exe
- 2004-08-19 13:00:00 331,776 ----a-w C:\WINDOWS\system32\netsetup.exe
+ 2004-08-19 13:00:00 338,432 ----a-w C:\WINDOWS\system32\netsetup.exe
- 2004-08-19 13:00:00 87,040 ----a-w C:\WINDOWS\system32\netsh.exe
+ 2004-08-19 13:00:00 93,696 ----a-w C:\WINDOWS\system32\netsh.exe
- 2004-08-19 13:00:00 15,360 ----a-w C:\WINDOWS\system32\npp\nppagent.exe
+ 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\npp\nppagent.exe
- 2004-08-19 13:00:00 79,360 ----a-w C:\WINDOWS\system32\nslookup.exe
+ 2004-08-19 13:00:00 86,016 ----a-w C:\WINDOWS\system32\nslookup.exe
- 2004-08-19 13:00:00 31,744 ----a-w C:\WINDOWS\system32\ntsd.exe
+ 2004-08-19 13:00:00 38,400 ----a-w C:\WINDOWS\system32\ntsd.exe
- 2004-08-19 13:00:00 420,352 ----a-w C:\WINDOWS\system32\ntvdm.exe
+ 2004-08-19 13:00:00 427,008 ----a-w C:\WINDOWS\system32\ntvdm.exe
- 2004-08-19 13:00:00 69,632 ----a-w C:\WINDOWS\system32\odbcconf.exe
+ 2004-08-19 13:00:00 77,824 ----a-w C:\WINDOWS\system32\odbcconf.exe
- 2004-08-19 13:00:00 28,160 ----a-w C:\WINDOWS\system32\oobe\msoobe.exe
+ 2004-08-19 13:00:00 34,816 ----a-w C:\WINDOWS\system32\oobe\msoobe.exe
- 2004-08-19 13:00:00 40,960 ----a-w C:\WINDOWS\system32\osuninst.exe
+ 2004-08-19 13:00:00 47,616 ----a-w C:\WINDOWS\system32\osuninst.exe
- 2004-08-19 13:00:00 58,880 ----a-w C:\WINDOWS\system32\packager.exe
+ 2004-08-19 13:00:00 65,536 ----a-w C:\WINDOWS\system32\packager.exe
- 2004-08-19 13:00:00 22,528 ----a-w C:\WINDOWS\system32\pathping.exe
+ 2004-08-19 13:00:00 29,184 ----a-w C:\WINDOWS\system32\pathping.exe
- 2004-08-19 13:00:00 15,360 ----a-w C:\WINDOWS\system32\pentnt.exe
+ 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\pentnt.exe
- 2007-11-10 13:46:21 63,518 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-10 18:51:29 63,518 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-10 13:46:21 75,586 ----a-w C:\WINDOWS\system32\perfc010.dat
+ 2007-11-10 18:51:29 75,586 ----a-w C:\WINDOWS\system32\perfc010.dat
- 2007-11-10 13:46:21 402,832 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-10 18:51:29 402,832 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-10 13:46:21 449,714 ----a-w C:\WINDOWS\system32\perfh010.dat
+ 2007-11-10 18:51:30 449,714 ----a-w C:\WINDOWS\system32\perfh010.dat
- 2004-08-19 13:00:00 33,792 ----a-w C:\WINDOWS\system32\ping6.exe
+ 2004-08-19 13:00:00 40,448 ----a-w C:\WINDOWS\system32\ping6.exe
- 2004-08-19 13:00:00 49,152 ----a-w C:\WINDOWS\system32\powercfg.exe
+ 2004-08-19 13:00:00 55,808 ----a-w C:\WINDOWS\system32\powercfg.exe
- 2004-08-19 13:00:00 9,216 ----a-w C:\WINDOWS\system32\print.exe
+ 2004-08-19 13:00:00 15,872 ----a-w C:\WINDOWS\system32\print.exe
- 2004-08-19 13:00:00 109,568 ----a-w C:\WINDOWS\system32\progman.exe
+ 2004-08-19 13:00:00 116,224 ----a-w C:\WINDOWS\system32\progman.exe
- 2004-08-19 13:00:00 50,688 ----a-w C:\WINDOWS\system32\proquota.exe
+ 2004-08-19 13:00:00 57,344 ----a-w C:\WINDOWS\system32\proquota.exe
- 2004-08-19 13:00:00 9,728 ----a-w C:\WINDOWS\system32\proxycfg.exe
+ 2004-08-19 13:00:00 16,384 ----a-w C:\WINDOWS\system32\proxycfg.exe
- 2004-08-19 13:00:00 20,480 ----a-w C:\WINDOWS\system32\qprocess.exe
+ 2004-08-19 13:00:00 27,136 ----a-w C:\WINDOWS\system32\qprocess.exe
- 2004-08-19 13:00:00 23,040 ----a-w C:\WINDOWS\system32\qwinsta.exe
+ 2004-08-19 13:00:00 29,696 ----a-w C:\WINDOWS\system32\qwinsta.exe
- 2004-08-19 13:00:00 11,776 ----a-w C:\WINDOWS\system32\rasautou.exe
+ 2004-08-19 13:00:00 18,432 ----a-w C:\WINDOWS\system32\rasautou.exe
- 2004-08-19 13:00:00 57,344 ----a-w C:\WINDOWS\system32\rasphone.exe
+ 2004-08-19 13:00:00 64,000 ----a-w C:\WINDOWS\system32\rasphone.exe
- 2004-08-19 13:00:00 62,464 ----a-w C:\WINDOWS\system32\rdpclip.exe
+ 2004-08-19 13:00:00 69,120 ----a-w C:\WINDOWS\system32\rdpclip.exe
- 2004-08-19 13:00:00 13,824 ----a-w C:\WINDOWS\system32\rdsaddin.exe
+ 2004-08-19 13:00:00 20,480 ----a-w C:\WINDOWS\system32\rdsaddin.exe
- 2004-08-19 13:00:00 67,072 ----a-w C:\WINDOWS\system32\rdshost.exe
+ 2004-08-19 13:00:00 73,728 ----a-w C:\WINDOWS\system32\rdshost.exe
- 2004-08-19 13:00:00 7,168 ----a-w C:\WINDOWS\system32\recover.exe
+ 2004-08-19 13:00:00 13,824 ----a-w C:\WINDOWS\system32\recover.exe
- 2004-08-19 13:00:00 53,248 ----a-w C:\WINDOWS\system32\reg.exe
+ 2004-08-19 13:00:00 59,904 ----a-w C:\WINDOWS\system32\reg.exe
- 2004-08-19 13:00:00 3,584 ----a-w C:\WINDOWS\system32\regedt32.exe
+ 2004-08-19 13:00:00 10,240 ----a-w C:\WINDOWS\system32\regedt32.exe
- 2004-08-19 13:00:00 33,792 ----a-w C:\WINDOWS\system32\regini.exe
+ 2004-08-19 13:00:00 40,448 ----a-w C:\WINDOWS\system32\regini.exe
- 2004-08-19 13:00:00 12,288 ----a-w C:\WINDOWS\system32\regsvr32.exe
+ 2004-08-19 13:00:00 18,944 ----a-w C:\WINDOWS\system32\regsvr32.exe
- 2004-08-19 13:00:00 4,608 ----a-w C:\WINDOWS\system32\regwiz.exe
+ 2004-08-19 13:00:00 11,264 ----a-w C:\WINDOWS\system32\regwiz.exe
- 2004-08-19 13:00:00 12,800 ----a-w C:\WINDOWS\system32\replace.exe
+ 2004-08-19 13:00:00 19,456 ----a-w C:\WINDOWS\system32\replace.exe
- 2004-08-19 13:00:00 9,728 ----a-w C:\WINDOWS\system32\reset.exe
+ 2004-08-19 13:00:00 16,384 ----a-w C:\WINDOWS\system32\reset.exe
- 2004-08-19 13:00:00 384,000 ----a-w C:\WINDOWS\system32\Restore\rstrui.exe
+ 2004-08-19 13:00:00 390,656 ----a-w C:\WINDOWS\system32\Restore\rstrui.exe
- 2004-08-19 13:00:00 47,104 ----a-w C:\WINDOWS\system32\Restore\srdiag.exe
+ 2004-08-19 13:00:00 53,760 ----a-w C:\WINDOWS\system32\Restore\srdiag.exe
- 2004-08-19 13:00:00 14,848 ----a-w C:\WINDOWS\system32\rexec.exe
+ 2004-08-19 13:00:00 21,504 ----a-w C:\WINDOWS\system32\rexec.exe
- 2004-08-19 13:00:00 20,992 ----a-w C:\WINDOWS\system32\route.exe
+ 2004-08-19 13:00:00 27,648 ----a-w C:\WINDOWS\system32\route.exe
- 2004-08-19 13:00:00 25,600 ----a-w C:\WINDOWS\system32\routemon.exe
+ 2004-08-19 13:00:00 32,256 ----a-w C:\WINDOWS\system32\routemon.exe
- 2004-08-19 13:00:00 15,872 ----a-w C:\WINDOWS\system32\rsh.exe
+ 2004-08-19 13:00:00 22,528 ----a-w C:\WINDOWS\system32\rsh.exe
- 2004-08-19 13:00:00 52,736 ----a-w C:\WINDOWS\system32\rsm.exe
+ 2004-08-19 13:00:00 59,392 ----a-w C:\WINDOWS\system32\rsm.exe
- 2004-08-19 13:00:00 24,576 ----a-w C:\WINDOWS\system32\rsmsink.exe
+ 2004-08-19 13:00:00 31,232 ----a-w C:\WINDOWS\system32\rsmsink.exe
- 2004-08-19 13:00:00 16,896 ----a-w C:\WINDOWS\system32\runas.exe
+ 2004-08-19 13:00:00 23,552 ----a-w C:\WINDOWS\system32\runas.exe
- 2004-08-19 13:00:00 14,336 ----a-w C:\WINDOWS\system32\runonce.exe
+ 2004-08-19 13:00:00 20,992 ----a-w C:\WINDOWS\system32\runonce.exe
- 2004-08-19 13:00:00 16,384 ----a-w C:\WINDOWS\system32\rwinsta.exe
+ 2004-08-19 13:00:00 23,040 ----a-w C:\WINDOWS\system32\rwinsta.exe
- 2004-08-19 13:00:00 13,824 ----a-w C:\WINDOWS\system32\savedump.exe
+ 2004-08-19 13:00:00 20,480 ----a-w C:\WINDOWS\system32\savedump.exe
- 2004-08-19 13:00:00 31,232 ----a-w C:\WINDOWS\system32\sc.exe
+ 2004-08-19 13:00:00 37,888 ----a-w C:\WINDOWS\system32\sc.exe
- 2004-08-19 13:00:00 78,336 ----a-w C:\WINDOWS\system32\sdbinst.exe
+ 2004-08-19 13:00:00 84,992 ----a-w C:\WINDOWS\system32\sdbinst.exe
- 2004-08-19 13:00:00 32,768 ----a-w C:\WINDOWS\system32\sethc.exe
+ 2004-08-19 13:00:00 39,424 ----a-w C:\WINDOWS\system32\sethc.exe
- 2004-08-19 13:00:00 23,040 ----a-w C:\WINDOWS\system32\setup.exe
+ 2004-08-19 13:00:00 29,696 ----a-w C:\WINDOWS\system32\setup.exe
- 2004-08-19 13:00:00 10,240 ----a-w C:\WINDOWS\system32\sfc.exe
+ 2004-08-19 13:00:00 16,896 ----a-w C:\WINDOWS\system32\sfc.exe
- 2004-08-19 13:00:00 15,360 ----a-w C:\WINDOWS\system32\shadow.exe
+ 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\shadow.exe
- 2004-08-19 13:00:00 42,496 ----a-w C:\WINDOWS\system32\shmgrate.exe
+ 2004-08-19 13:00:00 49,152 ----a-w C:\WINDOWS\system32\shmgrate.exe
- 2004-08-19 13:00:00 78,336 ----a-w C:\WINDOWS\system32\shrpubw.exe
+ 2004-08-19 13:00:00 84,992 ----a-w C:\WINDOWS\system32\shrpubw.exe
- 2004-08-19 13:00:00 19,968 ----a-w C:\WINDOWS\system32\shutdown.exe
+ 2004-08-19 13:00:00 26,624 ----a-w C:\WINDOWS\system32\shutdown.exe
- 2004-08-19 13:00:00 70,656 ----a-w C:\WINDOWS\system32\sigverif.exe
+ 2004-08-19 13:00:00 77,312 ----a-w C:\WINDOWS\system32\sigverif.exe
- 2004-08-19 13:00:00 26,112 ----a-w C:\WINDOWS\system32\skeys.exe
+ 2004-08-19 13:00:00 32,768 ----a-w C:\WINDOWS\system32\skeys.exe
- 2004-08-19 13:00:00 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
+ 2004-08-19 13:00:00 14,848 ----a-w C:\WINDOWS\system32\smbinst.exe
- 2004-08-19 13:00:00 132,608 ----a-w C:\WINDOWS\system32\sndrec32.exe
+ 2004-08-19 13:00:00 139,264 ----a-w C:\WINDOWS\system32\sndrec32.exe
- 2004-08-19 13:00:00 25,088 ----a-w C:\WINDOWS\system32\sort.exe
+ 2004-08-19 13:00:00 31,744 ----a-w C:\WINDOWS\system32\sort.exe
- 2004-08-19 13:00:00 539,136 ----a-w C:\WINDOWS\system32\spider.exe
+ 2004-08-19 13:00:00 545,792 ----a-w C:\WINDOWS\system32\spider.exe
- 2004-08-19 13:00:00 11,776 ----a-w C:\WINDOWS\system32\spnpinst.exe
+ 2004-08-19 13:00:00 18,432 ----a-w C:\WINDOWS\system32\spnpinst.exe
- 2004-08-19 13:00:00 19,968 ----a-w C:\WINDOWS\system32\ssbezier.scr
+ 2004-08-19 13:00:00 26,624 ----a-w C:\WINDOWS\system32\ssbezier.scr
- 2004-08-19 13:00:00 393,216 ----a-w C:\WINDOWS\system32\ssflwbox.scr
+ 2004-08-19 13:00:00 401,408 ----a-w C:\WINDOWS\system32\ssflwbox.scr
- 2004-08-19 13:00:00 20,992 ----a-w C:\WINDOWS\system32\ssmarque.scr
+ 2004-08-19 13:00:00 27,648 ----a-w C:\WINDOWS\system32\ssmarque.scr
- 2004-08-19 13:00:00 47,104 ----a-w C:\WINDOWS\system32\ssmypics.scr
+ 2004-08-19 13:00:00 53,760 ----a-w C:\WINDOWS\system32\ssmypics.scr
- 2004-08-19 13:00:00 18,944 ----a-w C:\WINDOWS\system32\ssmyst.scr
+ 2004-08-19 13:00:00 25,600 ----a-w C:\WINDOWS\system32\ssmyst.scr
- 2004-08-19 13:00:00 684,032 ----a-w C:\WINDOWS\system32\sstext3d.scr
+ 2004-08-19 13:00:00 692,224 ----a-w C:\WINDOWS\system32\sstext3d.scr
- 2004-08-19 13:00:00 14,848 ----a-w C:\WINDOWS\system32\stimon.exe
+ 2004-08-19 13:00:00 21,504 ----a-w C:\WINDOWS\system32\stimon.exe
- 2004-08-19 13:00:00 9,216 ----a-w C:\WINDOWS\system32\subst.exe
+ 2004-08-19 13:00:00 15,872 ----a-w C:\WINDOWS\system32\subst.exe
- 2006-11-29 16:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-11-29 16:21:29 377,344 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 04:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 04:20:32 219,136 ----a-w C:\WINDOWS\system32\swxcacls.exe
- 2004-08-19 13:00:00 51,200 ----a-w C:\WINDOWS\system32\syncapp.exe
+ 2004-08-19 13:00:00 57,856 ----a-w C:\WINDOWS\system32\syncapp.exe
- 2004-08-19 13:00:00 37,376 ----a-w C:\WINDOWS\system32\syskey.exe
+ 2004-08-19 13:00:00 44,032 ----a-w C:\WINDOWS\system32\syskey.exe
- 2004-08-19 13:00:00 3,072 ----a-w C:\WINDOWS\system32\systray.exe
+ 2004-08-19 13:00:00 9,728 ----a-w C:\WINDOWS\system32\systray.exe
- 2004-08-19 13:00:00 15,360 ----a-w C:\WINDOWS\system32\taskman.exe
+ 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\taskman.exe
- 2004-08-19 13:00:00 139,264 ----a-w C:\WINDOWS\system32\taskmgr.exe
+ 2004-08-19 13:00:00 145,920 ----a-w C:\WINDOWS\system32\taskmgr.exe
- 2004-08-19 13:00:00 12,800 ----a-w C:\WINDOWS\system32\tcmsetup.exe
+ 2004-08-19 13:00:00 19,456 ----a-w C:\WINDOWS\system32\tcmsetup.exe
- 2004-08-19 13:00:00 19,456 ----a-w C:\WINDOWS\system32\tcpsvcs.exe
+ 2004-08-19 13:00:00 26,112 ----a-w C:\WINDOWS\system32\tcpsvcs.exe
- 2004-08-19 13:00:00 17,408 ----a-w C:\WINDOWS\system32\tftp.exe
+ 2004-08-19 13:00:00 24,064 ----a-w C:\WINDOWS\system32\tftp.exe
- 2004-08-19 13:00:00 347,136 ----a-w C:\WINDOWS\system32\tourstart.exe
+ 2004-08-19 13:00:00 353,792 ----a-w C:\WINDOWS\system32\tourstart.exe
- 2004-08-19 13:00:00 32,256 ----a-w C:\WINDOWS\system32\tracert6.exe
+ 2004-08-19 13:00:00 38,912 ----a-w C:\WINDOWS\system32\tracert6.exe
- 2004-08-19 13:00:00 15,360 ----a-w C:\WINDOWS\system32\tscon.exe
+ 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\tscon.exe
- 2004-08-19 13:00:00 44,544 ----a-w C:\WINDOWS\system32\tscupgrd.exe
+ 2004-08-19 13:00:00 51,200 ----a-w C:\WINDOWS\system32\tscupgrd.exe
- 2004-08-19 13:00:00 15,360 ----a-w C:\WINDOWS\system32\tsdiscon.exe
+ 2004-08-19 13:00:00 22,016 ----a-w C:\WINDOWS\system32\tsdiscon.exe
- 2004-08-19 13:00:00 16,384 ----a-w C:\WINDOWS\system32\tskill.exe
+ 2004-08-19 13:00:00 23,040 ----a-w C:\WINDOWS\system32\tskill.exe
- 2004-08-19 13:00:00 4,096 ----a-w C:\WINDOWS\system32\unlodctr.exe
+ 2004-08-19 13:00:00 10,752 ----a-w C:\WINDOWS\system32\unlodctr.exe
- 2004-08-19 13:00:00 104,448 ----a-w C:\WINDOWS\system32\usmt\migload.exe
+ 2004-08-19 13:00:00 111,104 ----a-w C:\WINDOWS\system32\usmt\migload.exe
- 2004-08-19 13:00:00 242,688 ----a-w C:\WINDOWS\system32\usmt\migwiz.exe
+ 2004-08-19 13:00:00 249,344 ----a-w C:\WINDOWS\system32\usmt\migwiz.exe
- 2004-08-19 13:00:00 77,891 ----a-w C:\WINDOWS\system32\usrmlnka.exe
+ 2004-08-19 13:00:00 86,083 ----a-w C:\WINDOWS\system32\usrmlnka.exe
- 2004-08-19 13:00:00 61,508 ----a-w C:\WINDOWS\system32\usrprbda.exe
+ 2004-08-19 13:00:00 69,700 ----a-w C:\WINDOWS\system32\usrprbda.exe
- 2004-08-19 13:00:00 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
+ 2004-08-19 13:00:00 56,832 ----a-w C:\WINDOWS\system32\utilman.exe
- 2006-11-27 01:34:46 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2006-11-27 01:34:46 60,996 ----a-w C:\WINDOWS\system32\VFind.exe
- 2004-08-19 13:00:00 52,224 ----a-w C:\WINDOWS\system32\w32tm.exe
+ 2004-08-19 13:00:00 58,880 ----a-w C:\WINDOWS\system32\w32tm.exe
- 2004-08-19 13:00:00 16,896 ----a-w C:\WINDOWS\system32\wbem\mofcomp.exe
+ 2004-08-19 13:00:00 23,552 ----a-w C:\WINDOWS\system32\wbem\mofcomp.exe
- 2004-08-19 13:00:00 36,864 ----a-w C:\WINDOWS\system32\wbem\scrcons.exe
+ 2004-08-19 13:00:00 43,520 ----a-w C:\WINDOWS\system32\wbem\scrcons.exe
- 2004-08-19 13:00:00 16,896 ----a-w C:\WINDOWS\system32\wbem\unsecapp.exe
+ 2004-08-19 13:00:00 23,552 ----a-w C:\WINDOWS\system32\wbem\unsecapp.exe
- 2004-08-19 13:00:00 118,272 ----a-w C:\WINDOWS\system32\wbem\wbemtest.exe
+ 2004-08-19 13:00:00 124,928 ----a-w C:\WINDOWS\system32\wbem\wbemtest.exe
- 2004-08-19 13:00:00 13,824 ----a-w C:\WINDOWS\system32\wbem\winmgmt.exe
+ 2004-08-19 13:00:00 20,480 ----a-w C:\WINDOWS\system32\wbem\winmgmt.exe
- 2004-08-19 13:00:00 196,608 ----a-w C:\WINDOWS\system32\wbem\wmiadap.exe
+ 2004-08-19 13:00:00 203,264 ----a-w C:\WINDOWS\system32\wbem\wmiadap.exe
- 2004-08-19 13:00:00 435,712 ----a-w C:\WINDOWS\system32\wiaacmgr.exe
+ 2004-08-19 13:00:00 442,368 ----a-w C:\WINDOWS\system32\wiaacmgr.exe
- 2004-08-19 13:00:00 8,192 ----a-w C:\WINDOWS\system32\winhlp32.exe
+ 2004-08-19 13:00:00 14,848 ----a-w C:\WINDOWS\system32\winhlp32.exe
- 2004-08-19 13:00:00 108,032 ----a-w C:\WINDOWS\system32\winmine.exe
+ 2004-08-19 13:00:00 117,760 ----a-w C:\WINDOWS\system32\winmine.exe
- 2004-08-19 13:00:00 5,632 ----a-w C:\WINDOWS\system32\winver.exe
+ 2004-08-19 13:00:00 12,288 ----a-w C:\WINDOWS\system32\winver.exe
- 2004-08-19 13:00:00 32,256 ----a-w C:\WINDOWS\system32\wpabaln.exe
+ 2004-08-19 13:00:00 38,912 ----a-w C:\WINDOWS\system32\wpabaln.exe
- 2004-08-19 13:00:00 32,768 ----a-w C:\WINDOWS\system32\wpnpinst.exe
+ 2004-08-19 13:00:00 39,424 ----a-w C:\WINDOWS\system32\wpnpinst.exe
- 2004-08-19 13:00:00 5,632 ----a-w C:\WINDOWS\system32\write.exe
+ 2004-08-19 13:00:00 12,288 ----a-w C:\WINDOWS\system32\write.exe
- 2004-08-19 13:00:00 36,864 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-30 18:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
- 2005-05-26 01:16:30 18,200 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2007-07-30 18:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
- 2004-08-19 13:00:00 30,720 ----a-w C:\WINDOWS\system32\xcopy.exe
+ 2004-08-19 13:00:00 37,376 ----a-w C:\WINDOWS\system32\xcopy.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate/default entries are not shown.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-27 21:05]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 21:50]
"hpWirelessAssistant"="C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 10:59]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 13:54]
"Cpqset"="C:\Programmi\HPQ\Default Settings\cpqset.exe" [2005-08-01 14:26]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-11-15 12:50]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 11:48]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 17:40]
"CnxDslTaskBar"="C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe" [2004-08-02 12:17]
"OSSelectorReinstall"="C:\Programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 18:53]
"TrueImageMonitor.exe"="C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-16 17:45]
"AcronisTimounterMonitor"="C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-16 17:57]
"Acronis Scheduler2 Service"="C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2007-02-16 17:49]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2006-06-14 15:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Programmi\PeerGuardian2\pg2.exe" [2005-09-18 17:40]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Avvio rapido HP Photosmart Premier.lnk - C:\Programmi\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-23 23:39:30]
HP Digital Imaging Monitor.lnk - C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe [2005-09-23 22:28:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
"VoipStunt"="C:\Programmi\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
"Windows Registry Repair Pro"=C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" -atboottime
"AutoTBar"=C:\Documents and Settings\Default User\Menu Avvio\Programmi\Esecuzione automatica\AutoTBar.exe
"HP Software Update"=C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"H2O"=C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
R3 KeyScrambler;KeyScrambler;\??\C:\WINDOWS\system32\drivers\keyscrambler.sys
R3 pgfilter;pgfilter;\??\C:\Programmi\PeerGuardian2\pgfilter.sys
S3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys
S3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 16:00:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 17:00:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programmi\HPQ\Default Settings\cpqset.exe????????????T&?|(??|???|?? ???B?????????????hLC????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-11 17.01.47
C:\ComboFix2.txt ... 2007-11-10 20:16
C:\ComboFix3.txt ... 2007-11-10 15:51
.
--- E O F ---


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.16.38, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\PeerGuardian2\pg2.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\Programmi\BillP Studios\WinPatrol\WinPatrol.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio rapido HP Photosmart Premier.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hp\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Programmi\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay11...es/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEAD73A8-A740-46B0-A53E-AEC7698DBEA4}: NameServer = 213.205.32.70 213.205.36.70
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Gestione sessione di assistenza mediante desktop remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe

--
End of file - 7788 bytes

thanks JSntgRvr :)
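As an added example (not part of this thread), a small Python triage script for the HijackThis log format quoted above: it flags O23 services whose binary is reported missing, lists the O17 NameServer entries, and groups O4 autoruns by hive. The sample log is a constructed excerpt of the entries above, with paths copied as quoted.

```python
import re
from collections import defaultdict

# Constructed sample: a short excerpt of the HijackThis entries quoted in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEAD73A8-A740-46B0-A53E-AEC7698DBEA4}: NameServer = 213.205.32.70 213.205.36.70
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
"""

# O23 lines: "Service: <name> - <owner> - <path>" with an optional "(file missing)" tail.
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 registry autoruns: "<hive>\..\Run: [<value name>] <command line>".
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# O17 lines carry the DNS servers configured on an interface.
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def triage(log_text):
    """Summarise a HijackThis log: services whose binary is gone, the DNS
    servers in use, and autorun value names grouped by registry hive."""
    report = {"missing_services": [], "dns_servers": [], "autoruns": defaultdict(list)}
    for line in log_text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            if m.group("missing"):
                report["missing_services"].append(m.group("name"))
        elif m := RUN_RE.match(line):
            report["autoruns"][m.group("hive")].append(m.group("key"))
        elif m := DNS_RE.match(line):
            report["dns_servers"].extend(m.group("servers").split())
    report["autoruns"] = dict(report["autoruns"])
    return report


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```

A service whose binary is missing is a pointer for review rather than proof of anything: it also results from incomplete uninstalls, so compare the list with what the owner expects to be installed (here, the AVG components the poster later reports as erased).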

#24
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, tha dj :)

I don't like what I see. I will need to consult with my colleagues. I'll post once a complete analysis of this outcome is completed.

Thanks.

#25
tha dj
  • Topic Starter
  • Member
  • 38 posts
Thanks JSntgRvr,

sorry to bother you so much with this nasty infection :) hope we'll find a way out.
thanks again for your help :)

#26
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, tha dj :)

I'm still waiting for some feedback.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#27
tha dj
  • Topic Starter
  • Member
  • 38 posts
Hi JSntgRvr, I'm gonna do the Kaspersky scan, but before I wanted you to know that I did some scans with Spybot and AVG antivirus. Spybot detected and deleted
- 22ndStreetComputers.PS3_fraud
- Win32.Delf.uc

About AVG, I couldn't save a log so I took a snapshot: Posted Image

I couldn't use AVG Anti-Spyware because I think something on the computer is blocking it.. it erased engine.dll or other stuff from AVG, and also avgcc.exe, the control center, has been erased. uff...

Now I'm doing the scan with Kaspersky, hope it'll help.

thanks.

Edited by tha dj, 12 November 2007 - 05:43 PM.


#28
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, tha dj :)

I will wait for the Kaspersky scan report.

#29
tha dj
  • Topic Starter
  • Member
  • 38 posts
Hi JSntgRvr, as you know I can't open .txt files, so I give you a link to the Kaspersky log. It has found a lot of stuff.. are all of them really infected?
take a look and let's see what we can do..

http://rapidshare.com/users/QJQ7YE

#30
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, tha dj :)

That looks impossible to clean. Most of your system files are infected. Let's try Dr.Web CureIt:

Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
    Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, along with a new HijackThis log (if possible).
