Here you are, I followed your instructions step by step and I encountered no issues. Thanks for the nice and complete reply.
EDIT: when I re-enabled my antivirus, it popped up a pair of virus-found notifications, like these:
C:\System Volume Information\_restore{78F7728A-B778-4E4E-B6F1-DA889AE06910}\RP998\A0283479.exe
C:\System Volume Information\_restore{78F7728A-B778-4E4E-B6F1-DA889AE06910}\RP998\A0283469.sys
I don't know if the cewmd.dll and these are linked...
First the log from ComboFix, and then the HijackThis log.
ComboFix 08-11-03.04 - Enrico Fantini 2008-11-04 14:16:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1417 [GMT 1:00]
Eseguito da: c:\documents and settings\Enrico Fantini\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Enrico Fantini\Impostazioni locali\Temporary Internet Files\ijjistarter2FxB.exe
c:\programmi\msupdate
c:\programmi\msupdate\a.zip
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\system32\blphcghqj0er1l.scr
c:\windows\system32\bszip.dll
c:\windows\SYSTEM32\DRIVERS\31.exe
c:\windows\SYSTEM32\DRIVERS\437.exe
c:\windows\SYSTEM32\DRIVERS\453.exe
c:\windows\SYSTEM32\DRIVERS\718.exe
c:\windows\SYSTEM32\DRIVERS\828.exe
c:\windows\system32\drivers\Winaw10.sys
c:\windows\system32\drivers\Windi33.sys
c:\windows\System32\drivers\Winkp05.sys
c:\windows\system32\drivers\Winlj36.sys
c:\windows\system32\drivers\Winyh62.sys
c:\windows\system32\MSINET.oca
c:\windows\system32\P2P Networking v126.cpl
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\cewmd.dll . . . . Eliminazione Fallita
.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Legacy_WINAW10
-------\Legacy_WINDI33
-------\Legacy_WINKP05
-------\Legacy_WINLJ36
-------\Legacy_WINYH62
-------\Service_NPF
-------\Service_oreans32
-------\Service_Winaw10
-------\Service_Windi33
-------\Service_Winkp05
-------\Service_Winlj36
-------\Service_Winyh62
((((((((((((((((((((((((( Files Creati Da 2008-10-04 al 2008-11-04 )))))))))))))))))))))))))))))))))))
.
2008-11-02 00:50 . 2008-11-02 00:50 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-02 00:50 . 2008-11-02 00:50 1,409 --a------ c:\windows\QTFont.for
2008-11-01 11:59 . 2008-11-01 11:59 <DIR> d-------- C:\rsit
2008-11-01 11:27 . 2008-11-01 11:27 250 --a------ c:\windows\gmer.ini
2008-11-01 10:57 . 2008-11-01 11:08 <DIR> d-------- c:\programmi\Unlocker
2008-11-01 10:55 . 2008-11-01 10:57 <DIR> d-------- c:\programmi\FileASSASSIN
2008-10-29 13:35 . 2008-10-29 13:35 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage
2008-10-22 12:32 . 18,688 c:\windows\SYSTEM32\DRIVERS\jgjdfuls.dat
2008-10-22 12:32 . 5,120 c:\windows\SYSTEM32\DRIVERS\mcxtjued.dat
2008-10-18 18:43 . 2006-10-18 21:47 93,184 --a------ c:\windows\SYSTEM32\cewmd.dll
2008-10-15 21:39 . 2008-10-15 21:39 208 --a------ c:\windows\SYSTEM32\MRT.INI
2008-10-09 16:09 . 2008-10-09 19:38 <DIR> d-------- c:\programmi\World of Warcraft Public Test
2008-10-09 16:00 . 2008-10-09 16:00 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Blizzard
2008-10-09 01:47 . 2008-10-09 01:47 42,320 --a------ c:\windows\SYSTEM32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 09:30 --------- d-----w c:\programmi\eMule
2008-10-27 16:00 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\uTorrent
2008-10-23 09:19 --------- d-s---w c:\programmi\Xfire
2008-10-22 17:42 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\Xfire
2008-10-22 12:10 --------- d-----w c:\programmi\World of Warcraft
2008-10-17 12:05 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\Skype
2008-10-15 20:37 0 ----a-w c:\windows\system32\drivers\Winye65.sys
2008-10-15 20:37 0 ----a-w c:\windows\system32\drivers\Winro43.sys
2008-10-15 11:56 --------- d-----w c:\programmi\NCSoft
2008-10-13 12:51 138,376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-09 15:58 --------- d-----w c:\programmi\File comuni\Blizzard Entertainment
2008-10-09 15:03 --------- d-----w c:\programmi\ThriXXX
2008-10-07 19:35 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\teamspeak2
2008-10-03 20:53 --------- d-----w c:\programmi\Microsoft SQL Server
2008-10-02 20:50 --------- d-----w c:\programmi\Microsoft CAPICOM 2.1.0.2
2008-10-01 13:55 --------- d-----w c:\programmi\MessengerDiscovery
2008-10-01 13:48 --------- d-----w c:\programmi\Messenger Plus! Live
2008-10-01 13:48 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2008-10-01 13:44 --------- d-----w c:\programmi\MSN Messenger
2008-10-01 12:59 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-10-01 12:57 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-10-01 12:44 --------- d-----w c:\programmi\Windows Live
2008-10-01 12:13 --------- d-----w c:\programmi\StuffPlug3
2008-09-28 14:08 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-09-28 14:07 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\GetRightToGo
2008-09-21 09:41 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\SecondLife
2008-09-18 11:56 --------- d-----w c:\programmi\Microsoft LifeChat
2008-09-09 10:24 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\ATI
2008-09-09 10:21 --------- d-----w c:\programmi\ATI Technologies
2008-09-09 08:59 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\atitray
2008-09-07 22:29 --------- d-----w c:\programmi\SystemRequirementsLab
2007-09-11 22:19 22,328 ----a-w c:\documents and settings\Enrico Fantini\Dati applicazioni\PnkBstrK.sys
2006-05-29 15:39 36,816 -c--a-w c:\documents and settings\Enrico Fantini\Dati applicazioni\GDIPFONTCACHEV1.DAT
2005-06-19 09:04 32 -c--a-r c:\documents and settings\All Users\hash.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E00AB23-3C82-4C02-B18F-40F44636EE49}]
2006-10-18 21:47 93184 --a------ c:\windows\system32\cewmd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DMXLauncher"="c:\programmi\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools"="c:\programmi\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"snpstd"="c:\windows\vsnpstd.exe" [2004-05-10 286720]
"WinampAgent"="c:\programmi\Winamp\winampa.exe" [2007-05-14 35328]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LifeChat"="c:\programmi\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-07-29 155648]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 c:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
"Spyware Doctor"="c:\programmi\Spyware Doctor\swdoctor.exe" [2007-03-28 2115728]
c:\documents and settings\Enrico Fantini\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-12 113664]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Logitech SetPoint.lnk - c:\programmi\Logitech\SetPoint\KEM.exe [2005-10-22 581632]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winac71.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbv25.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincp30.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windg73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winev41.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfi22.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfw16.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingl60.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winin31.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka47.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka81.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkd12.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkm50.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winll36.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmc18.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmj70.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnd42.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winoj67.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpa76.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpf74.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsk41.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsl22.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc41.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuf68.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winus47.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye65.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Programmi\\GameSpy Arcade\\Aphex.exe"=
"c:\\Programmi\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"c:\\Programmi\\Xfire\\Xfire.exe"=
"c:\\Programmi\\SHOUTcast\\sc_serv.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\YVD\\n00b-IRC.exe"=
"c:\\Programmi\\YVD\\YGO Virtual Desktop V086.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\FantasyGrounds\\FantasyGrounds.exe"=
"c:\\Programmi\\VoipStunt\\VoipStunt\\VoipStunt.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Programmi\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\Desctozz\\RPGONLINE\\RPGONLINE\\RPGOnline.exe"=
"m:\\NeverwinterNights\\NWN\\nwmain.exe"=
"m:\\FEAR\\FEAR.exe"=
"c:\\Programmi\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\SYSTEM32\\RTCSHARE.EXE"=
"c:\\Programmi\\NetMeeting\\CONF.EXE"=
"c:\\Programmi\\Winamp\\winamp.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Programmi\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"c:\\Programmi\\Last.fm\\LastFM.exe"=
"m:\\WoWServer\\wamp\\Apache2\\bin\\httpd.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\ascent1722\\Ascent1722\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent Rev2355\\Ascent Rev2355\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Rev2902\\Rev2902\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\AC WEB REPACK 7.4\\Ascent\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\AC WEB REPACK 7.4\\Ascent\\ascent.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent3361\\Ascent 3361\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent3361\\Ascent 3361\\voicechat.exe"=
"c:\\Programmi\\World of Warcraft\\BackgroundDownloader.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Programmi\\TmNationsForever\\TmForever.exe"=
"c:\\Programmi\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"m:\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Programmi\\The All-Seeing Eye\\eye.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\World of Warcraft\\WoW-2.4.3.8568-to-3.0.2.8916-enGB-downloader.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2350:TCP"= 2350:TCP:TMNations1
"3450:TCP"= 3450:TCP:TMNations2
"2350:UDP"= 2350:UDP:TMNationsUDP1
"3450:UDP"= 3450:UDP:TMNationsUDP2
"6370:TCP"= 6370:TCP:*:Disabled:ppLive
"7251:UDP"= 7251:UDP:*:Disabled:ppLive
"3204:TCP"= 3204:TCP:*:Disabled:ppLive
"2588:UDP"= 2588:UDP:*:Disabled:ppLive
"7624:TCP"= 7624:TCP:*:Disabled:ppLive
"4565:UDP"= 4565:UDP:*:Disabled:ppLive
"5340:TCP"= 5340:TCP:WarRockTCP
"5350:UDP"= 5350:UDP:WarRockUDP
"8000:TCP"= 8000:TCP:Winamp
"8000:UDP"= 8000:UDP:Winamp
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 knpmuykl;knpmuykl;c:\windows\system32\drivers\jgjdfuls.dat [ ]
R3 RXG350XP;Roper 802.11g XG350 Driver;c:\windows\system32\DRIVERS\WlanCTG.sys [2005-05-26 481664]
S0 Windg73;Windg73;c:\windows\system32\Drivers\Windg73.sys [ ]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\Drivers\spyemrg.sys [ ]
S3 adxapie;adxapie;c:\docume~1\ENRICO~1\IMPOST~1\Temp\adxapie.sys [ ]
S3 wampapache;wampapache;m:\wowserver\wamp\apache2\bin\httpd.exe [2007-09-05 24635]
S3 wampmysqld;wampmysqld;m:\wowserver\wamp\mysql\bin\mysqld-nt.exe [2007-07-06 5730304]
S3 Winac71;Winac71;c:\windows\System32\drivers\Winac71.sys [ ]
S3 Winbv25;Winbv25;c:\windows\System32\drivers\Winbv25.sys [ ]
S3 Wincp30;Wincp30;c:\windows\System32\drivers\Wincp30.sys [ ]
S3 Winev41;Winev41;c:\windows\System32\drivers\Winev41.sys [ ]
S3 Winfi22;Winfi22;c:\windows\System32\drivers\Winfi22.sys [ ]
S3 Winfw16;Winfw16;c:\windows\System32\drivers\Winfw16.sys [ ]
S3 Wingl60;Wingl60;c:\windows\System32\drivers\Wingl60.sys [ ]
S3 Winin31;Winin31;c:\windows\System32\drivers\Winin31.sys [ ]
S3 Winka47;Winka47;c:\windows\System32\drivers\Winka47.sys [ ]
S3 Winka81;Winka81;c:\windows\System32\drivers\Winka81.sys [ ]
S3 Winkd12;Winkd12;c:\windows\System32\drivers\Winkd12.sys [ ]
S3 Winkm50;Winkm50;c:\windows\System32\drivers\Winkm50.sys [ ]
S3 Winll36;Winll36;c:\windows\System32\drivers\Winll36.sys [ ]
S3 Winmc18;Winmc18;c:\windows\System32\drivers\Winmc18.sys [ ]
S3 Winmj70;Winmj70;c:\windows\System32\drivers\Winmj70.sys [ ]
S3 Winnd42;Winnd42;c:\windows\System32\drivers\Winnd42.sys [ ]
S3 Winoj67;Winoj67;c:\windows\System32\drivers\Winoj67.sys [ ]
S3 Winpa76;Winpa76;c:\windows\System32\drivers\Winpa76.sys [ ]
S3 Winpf74;Winpf74;c:\windows\System32\drivers\Winpf74.sys [ ]
S3 Winsk41;Winsk41;c:\windows\System32\drivers\Winsk41.sys [ ]
S3 Winsl22;Winsl22;c:\windows\System32\drivers\Winsl22.sys [ ]
S3 Winuc41;Winuc41;c:\windows\System32\drivers\Winuc41.sys [ ]
S3 Winuf68;Winuf68;c:\windows\System32\drivers\Winuf68.sys [ ]
S3 Winus47;Winus47;c:\windows\System32\drivers\Winus47.sys [ ]
S3 Winye65;Winye65;c:\windows\System32\drivers\Winye65.sys [2008-10-15 0]
.
Contenuto della cartella 'Scheduled Tasks'
2008-09-18 c:\windows\Tasks\LifeChatTask.job
- c:\programmi\Microsoft LifeChat\LifeChat.exe [2008-08-21 10:16]
.
- - - - ORFÃOS REMOVIDOS - - - -
HKCU-Run-BitTorrent - c:\programmi\BitTorrent\bittorrent.exe
HKLM-Run-DVDLauncher - c:\programmi\CyberLink\PowerDVD\DVDLauncher.exe
HKLM-Run-LogonStudio - c:\programmi\WinCustomize\LogonStudio\logonstudio.exe
HKLM-Run-lphcghqj0er1l - c:\windows\system32\lphcghqj0er1l.exe
Notify-AutorunsDisabled - c:\windows\system32\NavLogon.dll c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll wingdm32.dll
SafeBoot-Winkp05.sys
SafeBoot-Winro43.sys
.
------- Supplementare di scansione -------
.
FireFox -: Profile - c:\documents and settings\Enrico Fantini\Dati applicazioni\Mozilla\Firefox\Profiles\66luhjkg.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT396646&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.it/
FF -: plugin - c:\programmi\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-04 14:27:18
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
c:\docume~1\ENRICO~1\IMPOST~1\Temp\tzk9.tmp 797 bytes
Scansione completata con successo
Files nascosti: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\knpmuykl]
"ImagePath"="system32\drivers\jgjdfuls.dat"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
PROCESSO: c:\windows\explorer.exe
-> c:\programmi\Unlocker\UnlockerHook.dll
-> c:\programmi\Logitech\SetPoint\lgscroll.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\programmi\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\programmi\Spyware Doctor\sdhelp.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\programmi\iPod\bin\iPodService.exe
c:\programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
c:\programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\SYSTEM32\WGATray.exe
c:\programmi\Logitech\SetPoint\KHALMNPR.exe
c:\programmi\File comuni\PCSuite\Services\ServiceLayer.exe
c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\programmi\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Ora fine scansione: 2008-11-04 14:53:27 - macchina è stato riavviato [Enrico Fantini]
ComboFix-quarantined-files.txt 2008-11-04 13:53:19
Pre-Run: 20,935,532,544 byte disponibili
Post-Run: 21,546,213,376 byte disponibili
369 --- E O F --- 2008-11-03 21:50:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.55.28, on 04/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Microsoft LifeChat\LifeChat.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Programmi\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E00AB23-3C82-4C02-B18F-40F44636EE49} - C:\WINDOWS\system32\cewmd.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programmi\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LifeChat] "C:\Programmi\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: wampapache - Apache Software Foundation - M:\WoWServer\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - M:\WoWServer\wamp\mysql\bin\mysqld-nt.exe
--
End of file - 10802 bytes