Win XP SP2 won't boot
Started by iggyboy, Jan 08 2011 02:01 PM
#31
Posted 14 January 2011 - 09:08 AM
I think you drag the old CFscript to the combofix. Can you try it again, but use the CFscript from my last instruction.
#32
Posted 14 January 2011 - 09:09 AM
Hi iggyboy,
I think you drag the old CFscript to the combofix. Can you try it again, but use the CFscript from my latest instruction.
#33
Posted 14 January 2011 - 09:32 AM
I don't know what happened. Now I charged the following:
KillAll::
RenV::
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\Skype\Phone\Skype .exe
MBR::
File::
Folder::
Registry::
Driver::
Rootkit::
The answer is (translated) "orthographically incorrect"
#34
Posted 14 January 2011 - 09:38 AM
Can you try this one.
KillAll::
RenV::
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\Skype\Phone\Skype .exe
MBR::
File::
Folder::
Registry::
Driver::
#35
Posted 14 January 2011 - 10:30 AM
ComboFix 11-01-08.05 - Iggy 14/01/2011 17.14.03.13.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2039.1666 [GMT 1:00]
Eseguito da: c:\documents and settings\Iggy\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Iggy\Desktop\CFScript2.txt
.
/wow section - STAGE 50
Impossibile trovare il percorso specificato.
((((((((((((((((((((((((( Files Creati Da 2010-12-14 al 2011-01-14 )))))))))))))))))))))))))))))))))))
.
2011-01-14 11:47 . 2011-01-14 11:47 -------- d-----w- C:\RecoveryCD
2011-01-12 14:56 . 2011-01-12 14:56 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-12 12:14 . 2004-08-03 22:14 359040 -c--a-w- c:\windows\system32\dllcache\tcpip.sys
2011-01-12 12:14 . 2004-08-03 22:14 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-01-10 12:23 . 2011-01-10 12:33 -------- d-----w- c:\documents and settings\Iggy\Impostazioni locali\Dati applicazioni\Promosoft Corporation
2011-01-10 11:47 . 2011-01-10 11:47 -------- d-----w- c:\programmi\Trend Micro
2011-01-08 20:42 . 2011-01-08 20:42 -------- d-----w- c:\programmi\Pc Optimizer 360
2011-01-05 17:42 . 2004-08-19 08:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2011-01-05 17:42 . 2004-08-19 08:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-01-05 15:58 . 2011-01-08 21:06 -------- d-----w- c:\programmi\CCleaner
2011-01-04 22:07 . 2004-08-19 14:39 1034752 ----a-w- c:\windows\explorer.exe
2011-01-03 18:10 . 2011-01-03 18:10 -------- d-----w- C:\Venus11
2011-01-01 18:26 . 2011-01-01 18:26 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-27 15:29 . 2010-12-27 15:29 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Identities
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- C:\sh4ldr
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- c:\programmi\Enigma Software Group
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-25 17:41 . 2010-12-25 22:37 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-25 16:47 . 2010-12-25 19:44 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2010-12-25 16:47 . 2010-12-25 17:38 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2010-12-24 15:48 . 2010-12-24 15:48 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-23 09:27 . 2010-12-23 09:27 -------- d-----w- c:\programmi\Admiresoft
2010-12-22 18:50 . 2010-12-22 18:51 -------- d-----w- C:\Bilan11
2010-12-17 11:29 . 2010-12-17 11:30 -------- d-----w- c:\programmi\Hide IP NG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 15:20 . 2009-07-26 10:49 1391104 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2010-12-08 15:36 . 2010-12-08 15:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-08 15:36 . 2010-05-04 09:45 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 16:20 . 2010-10-17 16:20 40960 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{2DA701B1-5597-44BA-BA96-ED6A737CCA57}\NewShortcut1_9873BD74E565483399E18668472BEA7F.exe
1998-02-10 16:34 . 2009-07-29 14:11 128000 ----a-w- c:\programmi\UNWISE.EXE
.
------- Sigcheck -------
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2011-01-05_16.16.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-31 12:00 . 2011-01-05 16:06 91988 c:\windows\system32\perfc010.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 91988 c:\windows\system32\perfc010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 76978 c:\windows\system32\perfc009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 76978 c:\windows\system32\perfc009.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 508156 c:\windows\system32\perfh010.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 508156 c:\windows\system32\perfh010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 459256 c:\windows\system32\perfh009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 459256 c:\windows\system32\perfh009.dat
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\system32\dllcache\regedit.exe
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\regedit.exe
- 2004-08-19 13:39 . 2004-08-19 13:39 151552 c:\windows\regedit.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ .exe" [N/A]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-18 21633320]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programmi\real\realplayer\update\realsched.exe" [2010-11-18 274608]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-09 150040]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-09 150040]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-09 178712]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"ISUSPM"="c:\programmi\File comuni\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-5-12 581693]
LG SyncManager.lnk - c:\h7??\LGSyncManager.exe [N/A]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 07:04 49152 ----a-r- c:\windows\system32\DeviceNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 04:03 74752 ----a-r- c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
c:\progra~1\ALWILS~1\Avast5\avastUI.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\RpcAgentSrv.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\FlashGet\\FlashGet.exe"=
"c:\\Programmi\\Motorola\\RSD Lite\\SDL.exe"=
"c:\\Programmi\\Motorola\\Software Update\\msu.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Programmi\\Port Forwarding Wizard\\bin\\Port Forwarding Wizard.exe"=
"c:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Programmi\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 gupdate1ca0e044ffa000;Servizio di Google Update (gupdate1ca0e044ffa000);c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 133104]
R2 MotoConnect Service;MotoConnect Service;c:\programmi\Motorola\MotoConnectService\MotoConnectService.exe [2010-01-27 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
R2 SWIHPWMI;SWIHPWMI;c:\programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2007-06-08 30008]
R3 esgiguard;esgiguard; [x]
R3 FLCDLOCK;Controllo/blocco dispositivi HP ProtectTools;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
R3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [2006-10-18 33024]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\programmi\SiSoftware\SiSoftware Sandra Professional Business 2009.SP1\RpcAgentSrv.exe [2008-11-03 98488]
R3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\system32\DRIVERS\scrswi.sys [2008-01-10 44160]
R3 SWNC8U02;HP hs2300 MUX NDIS Driver (02);c:\windows\system32\DRIVERS\SWNC8U02.sys [2008-01-31 165248]
R3 SWUMX02;HP hs2300 USB MUX Driver (02);c:\windows\system32\DRIVERS\swumx02.sys [2008-01-31 142976]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 GhPciScan;GhostPciScanner;c:\programmi\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-05-28 5632]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-07-24 38816]
S1 RsvLock;RsvLock; [x]
S2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-09-06 221184]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-07-24 41216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contenuto della cartella 'Scheduled Tasks'
2011-01-14 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-26 16:12]
2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
2010-12-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: &Scarica con FlashGet - c:\programmi\FlashGet\jc_link.htm
IE: &Scarica tutto con FlashGet - c:\programmi\FlashGet\jc_all.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
DPF: {2C546582-48CE-4890-9C88-B2665B125E15} - hxxp://www.registrywinner.com/RWOnline.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 17:26
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(428)
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\DeviceNP.dll
c:\programmi\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\programmi\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\ItMsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ASChnl.dll
- - - - - - - > 'explorer.exe'(3208)
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\windows\System32\SCardSvr.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\Hewlett-Packard\IAM\bin\asghost.exe
c:\windows\system32\agrsmsvc.exe
c:\programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\windows\system32\IFXTCS.exe
c:\programmi\Ahead\InCD\InCDsrv.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\IfxPsdSv.exe
c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\programmi\Motorola\MotoConnectService\MotoConnect.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wscntfy.exe
c:\programmi\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTServs.exe
.
**************************************************************************
.
Ora fine scansione: 2011-01-14 17:27:14 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-01-14 16:27
ComboFix2.txt 2011-01-14 14:42
ComboFix3.txt 2011-01-13 11:56
ComboFix4.txt 2011-01-12 14:26
ComboFix5.txt 2011-01-14 15:22
Pre-Run: 182.398.976 byte disponibili
Post-Run: 147.025.920 byte disponibili
- - End Of File - - FD362C2C691445E1D7CAA558CB9A1BDD
#36
Posted 14 January 2011 - 07:05 PM
Run MBRCheck again and post the logs in your next reply.
#37
Posted 15 January 2011 - 02:13 AM
Hi Salagubang! Finally I could restore the normal booting. Remembering the SATA driver problems with XP, I disabled native drivers and with the Recovery Console the HDD was seen and I could fixmbr. Then I enabled the native drivers again and all OK!
But I spent a lot of time with the Error 1075 "The dependency service does not exist or has been marked for deletion" without results, so I cannot connect. The only way not experienced yet is Here. What can you suggest? I'm going away for the day, so I can't give you immediate feedback.
#38
Posted 15 January 2011 - 02:21 AM
That's wonderful news.
Now all I need to do is rid that computer of Vundo and we're set fixing that internet.
Could you re-run Combofix again with the last CFScript.txt (it was named CFscript2 so you might need to rename it to CFscript)
Edited by Salagubang, 15 January 2011 - 02:21 AM.
#39
Posted 15 January 2011 - 12:16 PM
Hi Salagubang!
Here is the log.
ComboFix 11-01-14.01 - Iggy 15/01/2011 18.57.52.17.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2039.1668 [GMT 1:00]
Eseguito da: c:\documents and settings\Iggy\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Iggy\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\config\systemprofile\Dati applicazioni\download2
.
((((((((((((((((((((((((( Files Creati Da 2010-12-15 al 2011-01-15 )))))))))))))))))))))))))))))))))))
.
2011-01-14 11:47 . 2011-01-14 11:47 -------- d-----w- C:\RecoveryCD
2011-01-12 14:56 . 2011-01-12 14:56 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-12 12:14 . 2004-08-03 22:14 359040 -c--a-w- c:\windows\system32\dllcache\tcpip.sys
2011-01-12 12:14 . 2004-08-03 22:14 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-01-10 12:23 . 2011-01-10 12:33 -------- d-----w- c:\documents and settings\Iggy\Impostazioni locali\Dati applicazioni\Promosoft Corporation
2011-01-10 11:47 . 2011-01-10 11:47 -------- d-----w- c:\programmi\Trend Micro
2011-01-08 20:42 . 2011-01-08 20:42 -------- d-----w- c:\programmi\Pc Optimizer 360
2011-01-05 17:42 . 2004-08-19 08:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2011-01-05 17:42 . 2004-08-19 08:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-01-05 15:58 . 2011-01-08 21:06 -------- d-----w- c:\programmi\CCleaner
2011-01-04 22:07 . 2004-08-19 14:39 1034752 ----a-w- c:\windows\explorer.exe
2011-01-03 18:10 . 2011-01-03 18:10 -------- d-----w- C:\Venus11
2011-01-01 18:26 . 2011-01-01 18:26 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-27 15:29 . 2010-12-27 15:29 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Identities
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- C:\sh4ldr
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- c:\programmi\Enigma Software Group
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-25 17:41 . 2010-12-25 22:37 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-25 16:47 . 2010-12-25 19:44 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2010-12-25 16:47 . 2010-12-25 17:38 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2010-12-24 15:48 . 2010-12-24 15:48 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-23 09:27 . 2010-12-23 09:27 -------- d-----w- c:\programmi\Admiresoft
2010-12-22 18:50 . 2010-12-22 18:51 -------- d-----w- C:\Bilan11
2010-12-17 11:29 . 2010-12-17 11:30 -------- d-----w- c:\programmi\Hide IP NG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 15:20 . 2009-07-26 10:49 1391104 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2010-12-08 15:36 . 2010-12-08 15:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-08 15:36 . 2010-05-04 09:45 423656 ----a-w- c:\windows\system32\deployJava1.dll
1998-02-10 16:34 . 2009-07-29 14:11 128000 ----a-w- c:\programmi\UNWISE.EXE
.
------- Sigcheck -------
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2011-01-05_16.16.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-31 12:00 . 2011-01-05 16:06 91988 c:\windows\system32\perfc010.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 91988 c:\windows\system32\perfc010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 76978 c:\windows\system32\perfc009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 76978 c:\windows\system32\perfc009.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 508156 c:\windows\system32\perfh010.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 508156 c:\windows\system32\perfh010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 459256 c:\windows\system32\perfh009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 459256 c:\windows\system32\perfh009.dat
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\system32\dllcache\regedit.exe
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\regedit.exe
- 2004-08-19 13:39 . 2004-08-19 13:39 151552 c:\windows\regedit.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ .exe" [N/A]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-18 21633320]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programmi\real\realplayer\update\realsched.exe" [2010-11-18 274608]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-09 150040]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-09 150040]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-09 178712]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"ISUSPM"="c:\programmi\File comuni\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-5-12 581693]
LG SyncManager.lnk - c:\h7??\LGSyncManager.exe [N/A]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 07:04 49152 ----a-r- c:\windows\system32\DeviceNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 04:03 74752 ----a-r- c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
c:\progra~1\ALWILS~1\Avast5\avastUI.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\RpcAgentSrv.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\FlashGet\\FlashGet.exe"=
"c:\\Programmi\\Motorola\\RSD Lite\\SDL.exe"=
"c:\\Programmi\\Motorola\\Software Update\\msu.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Programmi\\Port Forwarding Wizard\\bin\\Port Forwarding Wizard.exe"=
"c:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Programmi\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 MotoConnect Service;MotoConnect Service;c:\programmi\Motorola\MotoConnectService\MotoConnectService.exe [2010-01-27 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
R2 SWIHPWMI;SWIHPWMI;c:\programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2007-06-08 30008]
R3 esgiguard;esgiguard; [x]
R3 FLCDLOCK;Controllo/blocco dispositivi HP ProtectTools;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
R3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [2006-10-18 33024]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\programmi\SiSoftware\SiSoftware Sandra Professional Business 2009.SP1\RpcAgentSrv.exe [2008-11-03 98488]
R3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\system32\DRIVERS\scrswi.sys [2008-01-10 44160]
R3 SWNC8U02;HP hs2300 MUX NDIS Driver (02);c:\windows\system32\DRIVERS\SWNC8U02.sys [2008-01-31 165248]
R3 SWUMX02;HP hs2300 USB MUX Driver (02);c:\windows\system32\DRIVERS\swumx02.sys [2008-01-31 142976]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 GhPciScan;GhostPciScanner;c:\programmi\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-05-28 5632]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-07-24 38816]
S1 RsvLock;RsvLock; [x]
S2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 gupdate1ca0e044ffa000;Servizio di Google Update (gupdate1ca0e044ffa000);c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 133104]
S2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-09-06 221184]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-07-24 41216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contenuto della cartella 'Scheduled Tasks'
2011-01-15 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-26 16:12]
2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
2010-12-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: &Scarica con FlashGet - c:\programmi\FlashGet\jc_link.htm
IE: &Scarica tutto con FlashGet - c:\programmi\FlashGet\jc_all.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
DPF: {2C546582-48CE-4890-9C88-B2665B125E15} - hxxp://www.registrywinner.com/RWOnline.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 19:07
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(424)
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\DeviceNP.dll
c:\programmi\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\programmi\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\ItMsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ASChnl.dll
- - - - - - - > 'explorer.exe'(3560)
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\windows\System32\SCardSvr.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\Hewlett-Packard\IAM\bin\asghost.exe
c:\windows\system32\agrsmsvc.exe
c:\programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\windows\system32\IFXTCS.exe
c:\programmi\Ahead\InCD\InCDsrv.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\IfxPsdSv.exe
c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\programmi\Motorola\MotoConnectService\MotoConnect.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wscntfy.exe
c:\programmi\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2011-01-15 19:08:49 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-01-15 18:08
ComboFix2.txt 2011-01-14 18:50
ComboFix3.txt 2011-01-14 16:27
ComboFix4.txt 2011-01-14 14:42
ComboFix5.txt 2011-01-15 17:19
Pre-Run: 315.625.472 byte disponibili
Post-Run: 281.006.080 byte disponibili
- - End Of File - - FCDDFAE2894BFA8BB34323F7C8EADDE4
#40
Posted 15 January 2011 - 04:57 PM
Hi iggyboy,
Step One
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Step Two
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Step Three
Download AVPTool from Here to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named)
First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.
Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop
Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
#41
Posted 15 January 2011 - 05:55 PM
Hi!
Vundo gave 0 found
-----------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5363
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
16/01/2011 0.32.18
mbam-log-2011-01-16 (00-32-18).txt
Scan type: Quick scan
Objects scanned: 145730
Time elapsed: 2 minutes, 4 seconds
Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 0
Memory processes infected:
(No malicious items detected)
Memory modules infected:
(No malicious items detected)
Registry keys infected:
(No malicious items detected)
Registry values infected:
(No malicious items detected)
Registry data items infected:
(No malicious items detected)
Folders infected:
(No malicious items detected)
Files infected:
(No malicious items detected)
I'm going to bed, local time 00.55
Bye, Iggy
Attached Files
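The log above was produced by an Italian-localised Malwarebytes' Anti-Malware, and helpers in threads like this one read the summary counts by eye. The following is an added example, not code from Malwarebytes or from any post in this thread: a small parser that turns an MBAM 1.50 text log into a structured report and gives a verdict, mapping both the Italian labels seen in the posted log and the English ones onto the same keys (the mapping is an assumption based on those two locales; other locales would need their own entries). The two sample logs embedded at the bottom are constructed for offline use: the first is an abridged copy of the log posted above, the second is made up to show the non-clean path.

```python
"""Parse a Malwarebytes' Anti-Malware 1.50 text log and give a verdict.

Added example for this thread (not Malwarebytes code). Labels are
localised, so Italian (post #41) and English are both mapped to the
same canonical keys; the mapping is assumed from those two locales.
"""
import re

KEYS = ("processes", "modules", "reg_keys", "reg_values", "reg_data",
        "folders", "files")
IT = ("Processi infetti in memoria", "Moduli di memoria infetti",
      "Chiavi di registro infette", "Valori di registro infetti",
      "Voci infette nei dati di registro", "Cartelle infette",
      "File infetti")
EN = ("Memory Processes Infected", "Memory Modules Infected",
      "Registry Keys Infected", "Registry Values Infected",
      "Registry Data Items Infected", "Folders Infected",
      "Files Infected")
LABELS = {**dict(zip(IT, KEYS)), **dict(zip(EN, KEYS))}
# Placeholder MBAM prints under a section with no detections
NO_ITEMS = {"(Non sono stati rilevati elementi nocivi)",
            "(No malicious items detected)"}
DB_PREFIXES = ("Versione database:", "Database version:")

COUNT_RE = re.compile(r"^([^:]+):\s*(\d+)\s*$")    # "<label>: <n>"
SECTION_RE = re.compile(r"^([^:]+):\s*$")          # "<label>:" header


def parse_mbam_log(text):
    """Return {'database', 'counts': {key: int}, 'items': {key: [lines]}}."""
    report = {"database": None, "counts": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(DB_PREFIXES):
            report["database"] = line.split(":", 1)[1].strip()
            continue
        m = COUNT_RE.match(line)
        if m and m.group(1) in LABELS:
            report["counts"][LABELS[m.group(1)]] = int(m.group(2))
            section = None
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1) in LABELS:
            section = LABELS[m.group(1)]
            report["items"].setdefault(section, [])
            continue
        if section and line not in NO_ITEMS:
            # detection lines look like "<path> (<name>) -> <action>"
            report["items"][section].append(line)
    return report


def is_clean(report):
    """True only if every category was reported and all are empty.
    A missing category means a truncated log; a listed item with a zero
    count means an edited log. Both are treated as not clean."""
    counts = report["counts"]
    if len(counts) < len(KEYS):
        return False
    return sum(counts.values()) == 0 and not any(report["items"].values())


# Constructed sample 1: abridged copy of the log posted in this thread
THREAD_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Versione database: 5363
Tipo di scansione: Scansione veloce
Elementi esaminati: 145730
Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 0
Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)
File infetti:
(Non sono stati rilevati elementi nocivi)
"""
# Constructed sample 2: English locale, one (made-up) detection
CONSTRUCTED_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5363
Scan type: Quick scan
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Files Infected:
c:\windows\temp\sample.exe (Trojan.Example) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_LOG)):
        r = parse_mbam_log(log)
        print(name, "db", r["database"], "clean" if is_clean(r) else "NOT clean", r["items"])
```

The verdict deliberately refuses to call a truncated or internally inconsistent log clean; a helper who only glances at the zero counts would miss a log whose detection lists were cut off when pasted.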
#42
Posted 16 January 2011 - 06:05 AM
Hi iggyboy,
Step One
After we're finished cleaning up your computer, you'll need to reinstall the Adobe and Skype programs.
- Re-run AVPTool
- Select the Manual Disinfection tab
- Where it says Step 3, paste in the following disinfection script and press Execute
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteFileMask('c:\programmi\Skype', '*.*', true);
DeleteFileMask('c:\programmi\File comuni\Adobe', '*.*', true);
DeleteDirectory('c:\programmi\Skype');
DeleteDirectory('c:\programmi\File comuni\Adobe');
ExecuteSysClean;
BC_Activate;
end.
- Your system will reboot on completion; if it does not, please do so yourself
Step Two
Upgrading your windows to SP3 will replace any other missing files and correct borked settings.
- Download Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers.
- Copy the download to the ailing computer for installation.
- To start the installation immediately, click Open or Run this program from its current location.
Tell me if this solves the problem.
#43
Posted 18 January 2011 - 04:49 PM
Sorry my friend, it didn't solve the problem. I tried everything according to the Microsoft site, but it's no longer a virus problem. I think that the registry keys concerning DHCP, TCPIP and WINSOCK are corrupted and no recovery is possible. I'm sure I have to be grateful to some [bleep]ed anti-malware and registry cleaner. I repeat, I tried the impossible. I will try to post again in the OS forum section. It seems impossible that after more than 15 years the Windows OS is still so vulnerable. I thank you very much for your support.
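Before giving up on a machine whose DHCP, TCP/IP or Winsock registry state is suspected to be damaged, it is worth collecting the evidence in one place and then deciding between a stack reset and a reinstall. The batch file below is an added example for this thread, not something from any post in it; it uses only tools that ship with XP SP2 (sc, reg, netsh, ipconfig), writes everything to a text file on the desktop (the file name netcheck.txt and the service list are my own choices), and prints the reset commands rather than running them, since both require a reboot.

```batch
@echo off
rem Added example for this thread (not from the original posts).
rem Collects the state of the networking services, their registry keys,
rem the Winsock catalog and the IP configuration into one file, then
rem prints the reset commands to run if the evidence points at the stack.
rem Run from an Administrator cmd prompt on the affected XP SP2 machine.
set "LOG=%USERPROFILE%\Desktop\netcheck.txt"

echo === service state === > "%LOG%"
for %%S in (Dhcp Tcpip Dnscache AFD NetBT) do (
    echo --- %%S --- >> "%LOG%"
    sc query %%S >> "%LOG%" 2>&1
)

echo === service registry keys === >> "%LOG%"
for %%S in (Dhcp Tcpip Dnscache AFD NetBT) do (
    echo --- %%S --- >> "%LOG%"
    reg query HKLM\SYSTEM\CurrentControlSet\Services\%%S >> "%LOG%" 2>&1
)

echo === Winsock catalog === >> "%LOG%"
netsh winsock show catalog >> "%LOG%" 2>&1

echo === IP configuration === >> "%LOG%"
ipconfig /all >> "%LOG%" 2>&1

echo Evidence written to "%LOG%".
echo Look for: a service that is not RUNNING or whose key is missing,
echo and Winsock providers whose DLL is not mswsock.dll, rsvpsp.dll or
echo winrnr.dll (the only providers a stock XP catalog points to).
echo If the catalog or the IP stack looks damaged, reset both and reboot:
echo     netsh winsock reset
echo     netsh int ip reset "%USERPROFILE%\Desktop\ipreset.log"
```

A leftover third-party Winsock provider (the "LSP" malware and some security tools install) is the classic reason a machine scans clean yet cannot get a DHCP lease; `netsh winsock reset` rebuilds the catalog from the stock entries, and `netsh int ip reset` rewrites the Tcpip and Dhcp parameter keys, which covers exactly the keys the post above suspects without reinstalling Windows.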
#44
Posted 19 January 2011 - 01:59 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.