Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
11-01-2008, 04:07 AM   #1
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


File cannot be deleted: cewmd.dll

Hi guys, I'm new around here and I want to apologize first for the bad English (not my language :P). My antivirus keeps spamming a "threat found" message, which points to the system32/cewmd.dll file. This file cannot be deleted or moved in any way, though. Also, I'm having an issue with an icon in the lower right corner that sometimes pops up an ad (which opens an IE page, blocked by my antivirus) that says "Warning Spyware detected" and random bullshit.

I got the logs requested in the instructions, here they are.

I'm sorry if I've done something wrong. I also have a HijackThis log, but since it is not requested in the instructions thread I've not posted it. Just ask if you need it :)

log.exe

Logfile of random's system information tool 1.04 (written by random/random)
Run by Enrico Fantini at 2008-11-01 11:59:42
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 21 GB (14%) free of 150 GB
Total RAM: 2046 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.59.47, on 01/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\Microsoft LifeChat\LifeChat.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programmi\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Enrico Fantini\Desktop\gmer.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\vpc32.exe
C:\Documents and Settings\Enrico Fantini\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmi\HijackThis\Enrico Fantini.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E00AB23-3C82-4C02-B18F-40F44636EE49} - C:\WINDOWS\system32\cewmd.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programmi\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LogonStudio] "C:\Programmi\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LifeChat] "C:\Programmi\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [advap32] C:\WINDOWS\system32\~.exe/r
O4 - HKLM\..\Run: [lphcghqj0er1l] C:\WINDOWS\system32\lphcghqj0er1l.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: wampapache - Apache Software Foundation - M:\WoWServer\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - M:\WoWServer\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 11379 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\LifeChatTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E00AB23-3C82-4C02-B18F-40F44636EE49}]
C:\WINDOWS\system32\cewmd.dll [2006-10-18 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]
PCTools Site Guard - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2006-08-01 825528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06 118842]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
PCTools Browser Monitor - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2006-08-01 850104]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Programmi\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"SunJavaUpdateSched"=C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
""= []
"ATIPTA"=C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-25 339968]
"DVDLauncher"=C:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe []
"DMXLauncher"=C:\Programmi\Dell\Media Experience\DMXLauncher.exe [2005-01-27 86016]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-12-06 127035]
"ISUSPM Startup"=C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2004-11-13 114800]
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2004-06-08 29696]
"DAEMON Tools"=C:\Programmi\DAEMON Tools\daemon.exe [2005-11-08 128920]
"LogonStudio"=C:\Programmi\WinCustomize\LogonStudio\logonstudio.exe /RANDOM []
"BootSkin Startup Jobs"=C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe [2004-04-26 270336]
"iTunesHelper"=C:\Programmi\iTunes\iTunesHelper.exe [2005-12-20 278528]
"snpstd"=C:\WINDOWS\vsnpstd.exe [2004-05-10 286720]
"WinampAgent"=C:\Programmi\Winamp\winampa.exe [2007-05-14 35328]
"PCSuiteTrayApplication"=C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE [2006-06-15 229376]
"StartCCC"=C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]
"LifeChat"=C:\Programmi\Microsoft LifeChat\LifeChat.exe [2008-08-21 267296]
"QuickTime Task"=C:\Programmi\QuickTime\qttask.exe [2006-07-29 155648]
"advap32"=C:\WINDOWS\system32\~.exe/r []
"lphcghqj0er1l"=C:\WINDOWS\system32\lphcghqj0er1l.exe []
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"UnlockerAssistant"=C:\Programmi\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"=C:\Programmi\BitTorrent\bittorrent.exe --force_start_minimized []

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
Logitech SetPoint.lnk - C:\Programmi\Logitech\SetPoint\KEM.exe
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Enrico Fantini\Menu Avvio\Programmi\Esecuzione automatica
Adobe Gamma.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="wbsys.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-07-04 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AutorunsDisabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32]
C:\WINDOWS\system32\WinCtrl32.dll [2008-10-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-19 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winac71.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winaw10.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbv25.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincp30.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windg73.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winev41.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfi22.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfw16.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingl60.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winin31.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka47.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka81.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkd12.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkm50.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winll36.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmc18.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmj70.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnd42.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winoj67.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpa76.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpf74.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winro43.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsk41.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsl22.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc41.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuf68.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winus47.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye65.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winac71.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winaw10.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winbv25.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wincp30.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Windg73.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winev41.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winfi22.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winfw16.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wingl60.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winin31.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winka47.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winka81.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winkd12.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winkm50.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winll36.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winmc18.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winmj70.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winnd42.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winoj67.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winpa76.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winpf74.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winro43.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winsk41.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winsl22.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winuc41.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winuf68.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winus47.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winye65.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Messenger\msmsgs.exe"="C:\Programmi\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Programmi\Skype\Skype.exe"="C:\Programmi\Skype\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\SYSTEM32\LEXPPS.EXE"="C:\WINDOWS\SYSTEM32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\Programmi\Call of Duty\CoDMP.exe"="C:\Programmi\Call of Duty\CoDMP.exe:*:Enabled:CoDMP"
"C:\NeverwinterNights\NWN\nwmain.exe"="C:\NeverwinterNights\NWN\nwmain.exe:*:Enabled:Neverwinter Nights"
"C:\Programmi\GameSpy Arcade\Aphex.exe"="C:\Programmi\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Esplora risorse"
"C:\Programmi\Save\Save.exe"="C:\Programmi\Save\Save.exe:*:Disabled:Save!"
"C:\Programmi\Internet Explorer\IEXPLORE.EXE"="C:\Programmi\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\Programmi\Google\Google Earth Pro\GoogleEarth.exe"="C:\Programmi\Google\Google Earth Pro\GoogleEarth.exe:*:Enabled:Google Earth Pro"
"C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Rar$EX02.922\nwserver.exe"="C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Rar$EX02.922\nwserver.exe:*:Enabled:Neverwinter Nights Server"
"C:\Programmi\EA GAMES\Need for Speed Underground 2\speed2.exe"="C:\Programmi\EA GAMES\Need for Speed Underground 2\speed2.exe:*:Enabled:speed2"
"C:\NeverwinterNights\NWN\nwserver.exe"="C:\NeverwinterNights\NWN\nwserver.exe:*:Enabled:Neverwinter Nights Server"
"C:\Programmi\EA Sports\Superbike 2001\SBK2001.exe"="C:\Programmi\EA Sports\Superbike 2001\SBK2001.exe:*:Enabled:SBK2001"
"C:\Programmi\Teamspeak2_RC2\server_windows.exe"="C:\Programmi\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server"
"C:\Programmi\Teamspeak2\server_windows.exe"="C:\Programmi\Teamspeak2\server_windows.exe:*:Enabled:Server"
"C:\Programmi\BitTorrent\btdownloadgui.exe"="C:\Programmi\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Programmi\EA GAMES\Need for Speed Most Wanted\speed.exe"="C:\Programmi\EA GAMES\Need for Speed Most Wanted\speed.exe:*:Enabled:speed"
"C:\Programmi\Activision\Call of Duty 2\CoD2MP_s.exe"="C:\Programmi\Activision\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\Programmi\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd"="C:\Programmi\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd:*:Enabled:Age of Empires II Expansion"
"C:\Programmi\DAP\DAP.exe"="C:\Programmi\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\Programmi\BitComet\BitComet.exe"="C:\Programmi\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Programmi\Xfire\Xfire.exe"="C:\Programmi\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Programmi\TrackMania Nations ESWC\TmNationsESWC.exe"="C:\Programmi\TrackMania Nations ESWC\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"C:\Documents and Settings\Enrico Fantini\Desktop\RPGONLINE\RPGONLINE\RPGOnline.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\RPGONLINE\RPGONLINE\RPGOnline.exe:*:Enabled:RPGOnline PbC"
"C:\Programmi\Vietcong\vietcong.exe"="C:\Programmi\Vietcong\vietcong.exe:*:Enabled:vietcong"
"C:\Programmi\SHOUTcast\sc_serv.exe"="C:\Programmi\SHOUTcast\sc_serv.exe:*:Enabled:sc_serv"
"C:\Programmi\File comuni\Synacast\SynaLive\PE.exe"="C:\Programmi\File comuni\Synacast\SynaLive\PE.exe:*:Enabled:SynacastPE"
"C:\Programmi\Mediacenter\Mediacenter0.4-by Coolstreaming.exe"="C:\Programmi\Mediacenter\Mediacenter0.4-by Coolstreaming.exe:*:Enabled:Mediacenter"
"C:\Programmi\StreamerOne\streamerone.exe"="C:\Programmi\StreamerOne\streamerone.exe:*:Enabled:streamerone"
"C:\Programmi\Mozilla Firefox\firefox.exe"="C:\Programmi\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Programmi\YVD\n00b-IRC.exe"="C:\Programmi\YVD\n00b-IRC.exe:*:Enabled:n00b-IRC"
"C:\Programmi\YVD\YGO Virtual Desktop V086.exe"="C:\Programmi\YVD\YGO Virtual Desktop V086.exe:*:Enabled:YGO Virtual Desktop Executable"
"C:\Programmi\iTunes\iTunes.exe"="C:\Programmi\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Programmi\BitTorrent\bittorrent.exe"="C:\Programmi\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Programmi\LimeWire\LimeWire.exe"="C:\Programmi\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Programmi\FantasyGrounds\FantasyGrounds.exe"="C:\Programmi\FantasyGrounds\FantasyGrounds.exe:*:Enabled:FantasyGrounds"
"C:\Programmi\VoipStunt\VoipStunt\VoipStunt.exe"="C:\Programmi\VoipStunt\VoipStunt\VoipStunt.exe:*:Enabled:VoipStunt"
"C:\Program Files\Apprentice\Appr.exe"="C:\Program Files\Apprentice\Appr.exe:*:Enabled:Appr"
"C:\Programmi\WarRock\WRLauncher.exe"="C:\Programmi\WarRock\WRLauncher.exe:*:Enabled:WarRock"
"C:\Programmi\uTorrent\utorrent.exe"="C:\Programmi\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Programmi\THQ\Dawn of War\W40k.exe"="C:\Programmi\THQ\Dawn of War\W40k.exe:*:Enabled:W40K"
"C:\Documents and Settings\Enrico Fantini\Desktop\Desctozz\RPGONLINE\RPGONLINE\RPGOnline.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\Desctozz\RPGONLINE\RPGONLINE\RPGOnline.exe:*:Enabled:RPGOnline PbC"
"C:\UT2003\System\UT2003.exe"="C:\UT2003\System\UT2003.exe:*:Disabled:UT2003"
"C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Rar$EX00.422\ut2k3gwbrowser.exe"="C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Rar$EX00.422\ut2k3gwbrowser.exe:*:Disabled:ut2k3gwbrowser"
"C:\Programmi\WinMX\WinMX.exe"="C:\Programmi\WinMX\WinMX.exe:*:Disabled:WinMX Application"
"C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Rar$EX00.877\WinMX.exe"="C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Rar$EX00.877\WinMX.exe:*:Disabled:WinMX Application"
"C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Directory temporanea 2 per winmx354beta4.zip\WinMX.exe"="C:\Documents and Settings\Enrico Fantini\Impostazioni locali\Temp\Directory temporanea 2 per winmx354beta4.zip\WinMX.exe:*:Disabled:WinMX Application"
"C:\Programmi\Atari\Neverwinter Nights 2\nwn2main.exe"="C:\Programmi\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\Programmi\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"="C:\Programmi\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\Programmi\Atari\Neverwinter Nights 2\nwupdate.exe"="C:\Programmi\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\Programmi\Atari\Neverwinter Nights 2\nwn2server.exe"="C:\Programmi\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"M:\CoD2\CoD2MP_s.exe"="M:\CoD2\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"M:\NeverWinterNights\nwmain.exe"="M:\NeverWinterNights\nwmain.exe:*:Enabled:Neverwinter Nights"
"M:\NeverwinterNights\NWN\nwmain.exe"="M:\NeverwinterNights\NWN\nwmain.exe:*:Enabled:Neverwinter Nights"
"M:\FEAR\FEAR.exe"="M:\FEAR\FEAR.exe:*:Enabled:FEAR"
"C:\Programmi\mIRC\mirc.exe"="C:\Programmi\mIRC\mirc.exe:*:Enabled:mIRC"
"M:\Neverwinter Nights 2\nwn2main.exe"="M:\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"M:\Neverwinter Nights 2\nwn2main_amdxp.exe"="M:\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"M:\Neverwinter Nights 2\nwupdate.exe"="M:\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"M:\Neverwinter Nights 2\nwn2server.exe"="M:\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"M:\RF Online\RF.exe"="M:\RF Online\RF.exe:*:Enabled:RFLauncher"
"C:\WINDOWS\SYSTEM32\RTCSHARE.EXE"="C:\WINDOWS\SYSTEM32\RTCSHARE.EXE:*:Enabled:Condivis. App. RTC"
"C:\Programmi\NetMeeting\CONF.EXE"="C:\Programmi\NetMeeting\CONF.EXE:*:Enabled:Windows® NetMeeting®"
"C:\Programmi\Pando Networks\Pando\pando.exe"="C:\Programmi\Pando Networks\Pando\pando.exe:*:Disabled:pando"
"C:\Programmi\Winamp\winamp.exe"="C:\Programmi\Winamp\winamp.exe:*:Enabled:Winamp"
"M:\ijji\ENGLISH\U_KwonHoOnline\KwonHoClient.exe"="M:\ijji\ENGLISH\U_KwonHoOnline\KwonHoClient.exe:*:Enabled:KwonHo"
"C:\WINDOWS\SYSTEM32\PnkBstrA.exe"="C:\WINDOWS\SYSTEM32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\SYSTEM32\PnkBstrB.exe"="C:\WINDOWS\SYSTEM32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.exe"="C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\Programmi\Morpheus\Morpheus.exe"="C:\Programmi\Morpheus\Morpheus.exe:*:Enabled:Morpheus"
"C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HelpCtr.exe"="C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HelpCtr.exe:*:Enabled:Assistenza remota - Windows Messenger e conversazione"
"C:\Programmi\MessengerDiscovery\MessengerDiscovery Live.exe"="C:\Programmi\MessengerDiscovery\MessengerDiscovery Live.exe:*:Enabled:MessengerDiscovery Live the Windows Live Messenger addon"
"C:\Programmi\Last.fm\LastFM.exe"="C:\Programmi\Last.fm\LastFM.exe:*:Enabled:Last.fm"
"M:\WoWprivato\Apache2\bin\httpd.exe"="M:\WoWprivato\Apache2\bin\httpd.exe:*:Enabled:Apache HTTP Server"
"M:\WoWServer\wamp\Apache2\bin\httpd.exe"="M:\WoWServer\wamp\Apache2\bin\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\ascent1722\Ascent1722\logonserver.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\ascent1722\Ascent1722\logonserver.exe:*:Enabled:logonserver"
"C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Ascent Rev2355\Ascent Rev2355\logonserver.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Ascent Rev2355\Ascent Rev2355\logonserver.exe:*:Enabled:logonserver"
"C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Rev2902\Rev2902\logonserver.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Rev2902\Rev2902\logonserver.exe:*:Enabled:logonserver"
"C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\AC WEB REPACK 7.4\Ascent\logonserver.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\AC WEB REPACK 7.4\Ascent\logonserver.exe:*:Enabled:logonserver"
"C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\AC WEB REPACK 7.4\Ascent\ascent.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\AC WEB REPACK 7.4\Ascent\ascent.exe:*:Enabled:ascent"
"C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Ascent3361\Ascent 3361\logonserver.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Ascent3361\Ascent 3361\logonserver.exe:*:Enabled:logonserver"
"C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Ascent3361\Ascent 3361\voicechat.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\WoWprivato\Ascent3361\Ascent 3361\voicechat.exe:*:Enabled:voicechat"
"C:\Documents and Settings\Enrico Fantini\Desktop\Wowbis\Ascent v2.3.0 Repack [COMPLETE]\logonserver.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\Wowbis\Ascent v2.3.0 Repack [COMPLETE]\logonserver.exe:*:Enabled:logonserver"
"C:\Documents and Settings\Enrico Fantini\Desktop\Wowbis\Ascent v2.3.0 Repack [COMPLETE]\ascent.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\Wowbis\Ascent v2.3.0 Repack [COMPLETE]\ascent.exe:*:Enabled:ascent"
"C:\Programmi\Shareaza\Shareaza.exe"="C:\Programmi\Shareaza\Shareaza.exe:*:Enabled:Shareaza"
"C:\Programmi\World of Warcraft\BackgroundDownloader.exe"="C:\Programmi\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"M:\Assassin's Creed\AssassinsCreed_Dx9.exe"="M:\Assassin's Creed\AssassinsCreed_Dx9.exe:*:Enabled:Assassin's Creed Dx9"
"M:\Assassin's Creed\AssassinsCreed_Dx10.exe"="M:\Assassin's Creed\AssassinsCreed_Dx10.exe:*:Enabled:Assassin's Creed Dx10"
"M:\Assassin's Creed\AssassinsCreed_Launcher.exe"="M:\Assassin's Creed\AssassinsCreed_Launcher.exe:*:Enabled:Assassin's Creed Update"
"C:\Programmi\TmNationsForever\TmForever.exe"="C:\Programmi\TmNationsForever\TmForever.exe:*:Enabled:TmForever"
"C:\Programmi\Shareaza Applications\Shareaza\Shareaza.exe"="C:\Programmi\Shareaza Applications\Shareaza\Shareaza.exe:*:Enabled:Shareaza"
"M:\Call of Duty 2\CoD2MP_s.exe"="M:\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\Programmi\The All-Seeing Eye\eye.exe"="C:\Programmi\The All-Seeing Eye\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:FTP - fájlátviteli program"
"C:\Documents and Settings\Enrico Fantini\Desktop\eMulev0.49a.-MorphXTv11.0-bin\emule\eMule.exe"="C:\Documents and Settings\Enrico Fantini\Desktop\eMulev0.49a.-MorphXTv11.0-bin\emule\eMule.exe:*:Enabled:eMule"
"C:\Programmi\eMule\emule.exe"="C:\Programmi\eMule\emule.exe:*:Enabled:eMule Plus"
"C:\Programmi\SecondLife\SLVoice.exe"="C:\Programmi\SecondLife\SLVoice.exe:*:Enabled:SLVoice"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\NCsoft\Exteel (US)\System\Exteel.exe"="C:\Programmi\NCsoft\Exteel (US)\System\Exteel.exe:*:Enabled:Exteel"
"C:\Programmi\Windows Live\Messenger\msnmsgr.exe"="C:\Programmi\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Programmi\Windows Live\Messenger\livecall.exe"="C:\Programmi\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2008-11-01 11:59:42 ----D---- C:\rsit
2008-11-01 11:27:00 ----A---- C:\WINDOWS\gmer.ini
2008-11-01 11:26:59 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-01 11:26:59 ----A---- C:\WINDOWS\gmer.exe
2008-11-01 11:26:59 ----A---- C:\WINDOWS\gmer.dll
2008-11-01 10:57:25 ----D---- C:\Programmi\Unlocker
2008-11-01 10:55:11 ----D---- C:\Programmi\FileASSASSIN
2008-10-29 13:35:39 ----D---- C:\Documents and Settings\All Users\Dati applicazioni\Office Genuine Advantage
2008-10-24 22:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-18 18:43:16 ----A---- C:\WINDOWS\system32\cewmd.dll
2008-10-18 17:21:18 ----D---- C:\Programmi\HijackThis
2008-10-15 21:40:14 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 21:40:06 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 21:39:57 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 21:39:47 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 21:39:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-15 21:39:10 ----A---- C:\WINDOWS\system32\MRT.INI
2008-10-15 21:36:30 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2008-10-14 13:43:23 ----A---- C:\WINDOWS\system32\WinCtrl32.dll
2008-10-09 16:09:39 ----D---- C:\Programmi\World of Warcraft Public Test
2008-10-09 16:00:55 ----D---- C:\Documents and Settings\All Users\Dati applicazioni\Blizzard
2008-10-09 01:47:12 ----A---- C:\WINDOWS\system32\xfcodec.dll
2008-10-03 21:52:49 ----D---- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-10-03 21:49:40 ----D---- C:\WINDOWS\SQL9_KB948109_ENU
2008-10-02 21:50:47 ----D---- C:\Programmi\Microsoft CAPICOM 2.1.0.2
2008-10-02 13:11:55 ----A---- C:\WINDOWS\system32\muweb.dll
2008-10-02 13:11:55 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-10-02 13:11:55 ----A---- C:\WINDOWS\system32\mucltui.dll

======List of files/folders modified in the last 1 months======

2008-11-01 11:27:11 ----D---- C:\WINDOWS\system32\DRIVERS
2008-11-01 11:27:00 ----D---- C:\WINDOWS
2008-11-01 11:19:07 ----D---- C:\WINDOWS\Prefetch
2008-11-01 11:11:21 ----SHD---- C:\WINDOWS\SYSTEM32
2008-11-01 11:11:21 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-01 11:09:58 ----D---- C:\Programmi\Mozilla Firefox
2008-11-01 11:08:21 ----RD---- C:\WINDOWS\Temp
2008-11-01 11:05:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-01 10:57:25 ----D---- C:\Programmi
2008-11-01 10:41:36 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2008-11-01 10:41:26 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-01 10:30:01 ----D---- C:\Programmi\eMule
2008-10-28 22:56:22 ----SHD---- C:\WINDOWS\Installer
2008-10-28 22:56:22 ----SHD---- C:\Config.Msi
2008-10-27 17:00:08 ----D---- C:\Documents and Settings\Enrico Fantini\Dati applicazioni\uTorrent
2008-10-26 21:02:06 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-24 22:05:19 ----HD---- C:\WINDOWS\INF
2008-10-24 22:04:22 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-23 10:19:56 ----SD---- C:\Programmi\Xfire
2008-10-22 18:42:58 ----D---- C:\Documents and Settings\Enrico Fantini\Dati applicazioni\Xfire
2008-10-22 13:10:31 ----D---- C:\Programmi\World of Warcraft
2008-10-22 12:36:53 ----SHD---- C:\System Volume Information
2008-10-22 12:36:53 ----D---- C:\WINDOWS\system32\Restore
2008-10-20 20:30:24 ----D---- C:\WINDOWS\system32\CONFIG
2008-10-18 17:00:46 ----D---- C:\Program Files
2008-10-17 13:05:30 ----D---- C:\Documents and Settings\Enrico Fantini\Dati applicazioni\Skype
2008-10-15 21:40:19 ----A---- C:\WINDOWS\imsins.BAK
2008-10-15 21:36:41 ----D---- C:\Programmi\Internet Explorer
2008-10-15 17:57:30 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-15 12:56:22 ----D---- C:\Programmi\NCSoft
2008-10-13 1537 ----RSD---- C:\WINDOWS\Fonts
2008-10-13 13:51:30 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2008-10-13 13:48:18 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2008-10-09 16:58:11 ----D---- C:\Programmi\File comuni\Blizzard Entertainment
2008-10-09 16:03:36 ----D---- C:\Programmi\ThriXXX
2008-10-07 20:35:04 ----D---- C:\Documents and Settings\Enrico Fantini\Dati applicazioni\teamspeak2
2008-10-07 20:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-05 17:56:55 ----A---- C:\WINDOWS\WIN.INI
2008-10-03 21:53:06 ----D---- C:\Programmi\Microsoft SQL Server
2008-10-03 21:52:58 ----D---- C:\WINDOWS\Registration
2008-10-03 12:45:31 ----D---- C:\WINDOWS\Microsoft.NET
2008-10-03 12:45:30 ----RSD---- C:\WINDOWS\ASSEMBLY
2008-10-02 13:28:26 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-10-02 13:28:26 ----D---- C:\WINDOWS\system32\CatRoot

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ikhfile;File Security Kernel Anti-Spyware Driver; C:\WINDOWS\system32\drivers\ikhfile.sys [2006-07-10 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver; C:\WINDOWS\system32\drivers\ikhlayer.sys [2006-08-24 51072]
R1 intelppm;Driver processore Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-19 40192]
R1 kbdhid;Driver di tastiera HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-19 14848]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-11-23 40480]
R2 NAVAPEL;NAVAPEL; \??\C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-12-06 25883]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-12-06 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-12-06 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-12-06 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-12-06 86586]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-12-06 15227]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-12-06 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-12-06 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-12-06 100603]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-07-04 3230720]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-09-26 44032]
R3 dtscsi;dtscsi; C:\WINDOWS\System32\Drivers\dtscsi.sys [2005-12-03 223128]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2005-02-02 14408]
R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2004-06-08 24637]
R3 LHidUsbK;Logitech SetPoint USB Receiver Device Driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2004-06-08 38081]
R3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2004-06-08 71533]
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter; C:\WINDOWS\System32\Drivers\LUsbKbd.Sys [2004-06-08 14975]
R3 mouhid;Driver di mouse HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-30 12160]
R3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20081031.007\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20081031.007\NAVEX15.sys []
R3 RXG350XP;Roper 802.11g XG350 Driver; C:\WINDOWS\system32\DRIVERS\WlanCTG.sys [2005-05-26 481664]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 SymEvent;SymEvent; \??\C:\Programmi\Symantec\SYMEVENT.SYS []
R3 usbccgp;Driver principale generico USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Driver Miniport controller enhanced host USB 2.0 Microsoft; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-19 26624]
R3 usbhub;Driver hub USB standard Microsoft; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;Driver archiviazione di massa USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Driver Miniport Controller Universal Host USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 Winaw10;Winaw10; \??\C:\WINDOWS\System32\drivers\Winaw10.sys []
S1 oreans32;oreans32; []
S1 SpyEmrg;Spy Emergency Driver; C:\WINDOWS\System32\Drivers\spyemrg.sys []
S2 zntport;NTPort Library Driver; \??\C:\WINDOWS\system32\zntport.sys []
S3 adxapie;adxapie; \??\C:\DOCUME~1\ENRICO~1\IMPOST~1\Temp\adxapie.sys []
S3 CCDECODE;Decoder sottotitoli codificati; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 E100B;Driver scheda Intel(R) PRO; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-30 117760]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-01 85969]
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2005-10-30 10345]
S3 HidUsb;Driver di classe HID Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 MSTEE;Convertitore a T/Sito a sito per flusso Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Connesione TV/Video Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nm;Driver di Network Monitor; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-19 40320]
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-05-29 8704]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-05-29 13312]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-05-29 127488]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-05-29 13312]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 42000]
S3 npkcrypt;npkcrypt; \??\M:\Lineage II\system\npkcrypt.sys []
S3 npkcusb;npkcusb; \??\M:\Lineage II\system\npkcusb.sys []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 snpstd;Trust 150 Spacecam Portable; C:\WINDOWS\system32\DRIVERS\snpstd.sys [2004-05-17 302720]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbaudio;Driver audio USB (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbprint;Classe stampanti USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 Winac71;Winac71; \??\C:\WINDOWS\System32\drivers\Winac71.sys []
S3 Winbv25;Winbv25; \??\C:\WINDOWS\System32\drivers\Winbv25.sys []
S3 Wincp30;Wincp30; \??\C:\WINDOWS\System32\drivers\Wincp30.sys []
S3 Winev41;Winev41; \??\C:\WINDOWS\System32\drivers\Winev41.sys []
S3 Winfi22;Winfi22; \??\C:\WINDOWS\System32\drivers\Winfi22.sys []
S3 Winfw16;Winfw16; \??\C:\WINDOWS\System32\drivers\Winfw16.sys []
S3 Wingl60;Wingl60; \??\C:\WINDOWS\System32\drivers\Wingl60.sys []
S3 Winin31;Winin31; \??\C:\WINDOWS\System32\drivers\Winin31.sys []
S3 Winka47;Winka47; \??\C:\WINDOWS\System32\drivers\Winka47.sys []
S3 Winka81;Winka81; \??\C:\WINDOWS\System32\drivers\Winka81.sys []
S3 Winkd12;Winkd12; \??\C:\WINDOWS\System32\drivers\Winkd12.sys []
S3 Winkm50;Winkm50; \??\C:\WINDOWS\System32\drivers\Winkm50.sys []
S3 Winll36;Winll36; \??\C:\WINDOWS\System32\drivers\Winll36.sys []
S3 Winmc18;Winmc18; \??\C:\WINDOWS\System32\drivers\Winmc18.sys []
S3 Winmj70;Winmj70; \??\C:\WINDOWS\System32\drivers\Winmj70.sys []
S3 Winnd42;Winnd42; \??\C:\WINDOWS\System32\drivers\Winnd42.sys []
S3 Winoj67;Winoj67; \??\C:\WINDOWS\System32\drivers\Winoj67.sys []
S3 Winpa76;Winpa76; \??\C:\WINDOWS\System32\drivers\Winpa76.sys []
S3 Winpf74;Winpf74; \??\C:\WINDOWS\System32\drivers\Winpf74.sys []
S3 Winsk41;Winsk41; \??\C:\WINDOWS\System32\drivers\Winsk41.sys []
S3 Winsl22;Winsl22; \??\C:\WINDOWS\System32\drivers\Winsl22.sys []
S3 Winuc41;Winuc41; \??\C:\WINDOWS\System32\drivers\Winuc41.sys []
S3 Winuf68;Winuf68; \??\C:\WINDOWS\System32\drivers\Winuf68.sys []
S3 Winus47;Winus47; \??\C:\WINDOWS\System32\drivers\Winus47.sys []
S3 Winye65;Winye65; \??\C:\WINDOWS\System32\drivers\Winye65.sys []
S3 WSTCODEC;Codec World Standard Teletext; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 mchInjDrv;mchInjDrv; \??\C:\WINDOWS\TEMP\mc2B.tmp []
S4 WS2IFSL;Ambiente di supporto del provider del Servizio Non-IFS di Windows Socket 2.0; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-19 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe [2008-07-09 611664]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-07-04 561152]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032]
R2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [2004-11-13 32884]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-03-04 311296]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); C:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [2004-11-13 688250]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-10-13 66872]
R2 SDhelper;PC Tools Spyware Doctor; C:\Programmi\Spyware Doctor\sdhelp.exe [2006-11-02 895088]
R2 SQLBrowser;SQL Server Browser; C:\Programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
R2 SQLWriter;SQL Server VSS Writer; C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R3 iPodService;iPodService; C:\Programmi\iPod\bin\iPodService.exe [2005-12-20 323584]
R3 ServiceLayer;ServiceLayer; C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe [2006-06-05 174080]
S2 ATI Smart;ATI Smart; C:\WINDOWS\SYSTEM32\ati2sgag.exe [2008-07-03 593920]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-19 268288]
S3 Adobe LM Service;Adobe LM Service; C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-11-19 72704]
S3 aspnet_state;Servizio stato di ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Programmi\WinPcap\rpcapd.exe [2007-01-25 93048]
S3 usnjsvc;Servizio Messenger Sharing Folders USN Journal Reader; C:\Programmi\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-19 14336]
S3 wampapache;wampapache; M:\WoWServer\wamp\apache2\bin\httpd.exe [2007-09-05 24635]
S3 wampmysqld;wampmysqld; M:\WoWServer\wamp\mysql\bin\mysqld-nt.exe [2007-07-06 5730304]
S3 WLSetupSvc;Windows Live Setup Service; C:\Programmi\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Servizio di condivisione in rete Windows Media Player; C:\Programmi\Windows Media Player\WMPNetwk.exe [2006-11-02 918528]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-19 14336]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Programmi\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]

-----------------EOF-----------------
Attached Files
File Type: txt info.txt (39.9 KB, 1 views)
File Type: txt Gmer.txt (121.7 KB, 4 views)
Old 11-03-2008, 08:33 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

  8. Open HijackThis (C:\Programmi\HijackThis\HijackThis.exe) and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 11-04-2008, 05:57 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


Re: File cannot be deleted: cewmd.dll

Here you are, I followed your instructions step by step and I encountered no issues. Thanks for the nice and complete reply.

EDIT: when I re-enabled my antivirus, it popped a pair of notifications of virus found, like these:

C:\System Volume Information\_restore{78F7728A-B778-4E4E-B6F1-DA889AE06910}\RP998\A0283479.exe
C:\System Volume Information\_restore{78F7728A-B778-4E4E-B6F1-DA889AE06910}\RP998\A0283469.sys

I don't know if the cewmd.dll and these are linked...

First the log from ComboFix and then the HijackThis log.

ComboFix 08-11-03.04 - Enrico Fantini 2008-11-04 14:16:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1417 [GMT 1:00]
Eseguito da: c:\documents and settings\Enrico Fantini\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Enrico Fantini\Impostazioni locali\Temporary Internet Files\ijjistarter2FxB.exe
c:\programmi\msupdate
c:\programmi\msupdate\a.zip
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\system32\blphcghqj0er1l.scr
c:\windows\system32\bszip.dll
c:\windows\SYSTEM32\DRIVERS\31.exe
c:\windows\SYSTEM32\DRIVERS\437.exe
c:\windows\SYSTEM32\DRIVERS\453.exe
c:\windows\SYSTEM32\DRIVERS\718.exe
c:\windows\SYSTEM32\DRIVERS\828.exe
c:\windows\system32\drivers\Winaw10.sys
c:\windows\system32\drivers\Windi33.sys
c:\windows\System32\drivers\Winkp05.sys
c:\windows\system32\drivers\Winlj36.sys
c:\windows\system32\drivers\Winyh62.sys
c:\windows\system32\MSINET.oca
c:\windows\system32\P2P Networking v126.cpl
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\cewmd.dll . . . . Eliminazione Fallita

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Legacy_WINAW10
-------\Legacy_WINDI33
-------\Legacy_WINKP05
-------\Legacy_WINLJ36
-------\Legacy_WINYH62
-------\Service_NPF
-------\Service_oreans32
-------\Service_Winaw10
-------\Service_Windi33
-------\Service_Winkp05
-------\Service_Winlj36
-------\Service_Winyh62


((((((((((((((((((((((((( Files Creati Da 2008-10-04 al 2008-11-04 )))))))))))))))))))))))))))))))))))
.

2008-11-02 00:50 . 2008-11-02 00:50 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-02 00:50 . 2008-11-02 00:50 1,409 --a------ c:\windows\QTFont.for
2008-11-01 11:59 . 2008-11-01 11:59 <DIR> d-------- C:\rsit
2008-11-01 11:27 . 2008-11-01 11:27 250 --a------ c:\windows\gmer.ini
2008-11-01 10:57 . 2008-11-01 11:08 <DIR> d-------- c:\programmi\Unlocker
2008-11-01 10:55 . 2008-11-01 10:57 <DIR> d-------- c:\programmi\FileASSASSIN
2008-10-29 13:35 . 2008-10-29 13:35 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage
2008-10-22 12:32 . 18,688 c:\windows\SYSTEM32\DRIVERS\jgjdfuls.dat
2008-10-22 12:32 . 5,120 c:\windows\SYSTEM32\DRIVERS\mcxtjued.dat
2008-10-18 18:43 . 2006-10-18 21:47 93,184 --a------ c:\windows\SYSTEM32\cewmd.dll
2008-10-15 21:39 . 2008-10-15 21:39 208 --a------ c:\windows\SYSTEM32\MRT.INI
2008-10-09 16:09 . 2008-10-09 19:38 <DIR> d-------- c:\programmi\World of Warcraft Public Test
2008-10-09 16:00 . 2008-10-09 16:00 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Blizzard
2008-10-09 01:47 . 2008-10-09 01:47 42,320 --a------ c:\windows\SYSTEM32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 09:30 --------- d-----w c:\programmi\eMule
2008-10-27 16:00 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\uTorrent
2008-10-23 09:19 --------- d-s---w c:\programmi\Xfire
2008-10-22 17:42 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\Xfire
2008-10-22 12:10 --------- d-----w c:\programmi\World of Warcraft
2008-10-17 12:05 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\Skype
2008-10-15 20:37 0 ----a-w c:\windows\system32\drivers\Winye65.sys
2008-10-15 20:37 0 ----a-w c:\windows\system32\drivers\Winro43.sys
2008-10-15 11:56 --------- d-----w c:\programmi\NCSoft
2008-10-13 12:51 138,376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-09 15:58 --------- d-----w c:\programmi\File comuni\Blizzard Entertainment
2008-10-09 15:03 --------- d-----w c:\programmi\ThriXXX
2008-10-07 19:35 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\teamspeak2
2008-10-03 20:53 --------- d-----w c:\programmi\Microsoft SQL Server
2008-10-02 20:50 --------- d-----w c:\programmi\Microsoft CAPICOM 2.1.0.2
2008-10-01 13:55 --------- d-----w c:\programmi\MessengerDiscovery
2008-10-01 13:48 --------- d-----w c:\programmi\Messenger Plus! Live
2008-10-01 13:48 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2008-10-01 13:44 --------- d-----w c:\programmi\MSN Messenger
2008-10-01 12:59 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-10-01 12:57 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-10-01 12:44 --------- d-----w c:\programmi\Windows Live
2008-10-01 12:13 --------- d-----w c:\programmi\StuffPlug3
2008-09-28 14:08 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-09-28 14:07 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\GetRightToGo
2008-09-21 09:41 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\SecondLife
2008-09-18 11:56 --------- d-----w c:\programmi\Microsoft LifeChat
2008-09-09 10:24 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\ATI
2008-09-09 10:21 --------- d-----w c:\programmi\ATI Technologies
2008-09-09 08:59 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\atitray
2008-09-07 22:29 --------- d-----w c:\programmi\SystemRequirementsLab
2007-09-11 22:19 22,328 ----a-w c:\documents and settings\Enrico Fantini\Dati applicazioni\PnkBstrK.sys
2006-05-29 15:39 36,816 -c--a-w c:\documents and settings\Enrico Fantini\Dati applicazioni\GDIPFONTCACHEV1.DAT
2005-06-19 09:04 32 -c--a-r c:\documents and settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E00AB23-3C82-4C02-B18F-40F44636EE49}]
2006-10-18 21:47 93184 --a------ c:\windows\system32\cewmd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DMXLauncher"="c:\programmi\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools"="c:\programmi\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"snpstd"="c:\windows\vsnpstd.exe" [2004-05-10 286720]
"WinampAgent"="c:\programmi\Winamp\winampa.exe" [2007-05-14 35328]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LifeChat"="c:\programmi\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-07-29 155648]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
"Spyware Doctor"="c:\programmi\Spyware Doctor\swdoctor.exe" [2007-03-28 2115728]

c:\documents and settings\Enrico Fantini\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-12 113664]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Logitech SetPoint.lnk - c:\programmi\Logitech\SetPoint\KEM.exe [2005-10-22 581632]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winac71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbv25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincp30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windg73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winev41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfi22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfw16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingl60.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winin31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka81.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkd12.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkm50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winll36.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmc18.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmj70.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnd42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winoj67.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpa76.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpf74.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsk41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsl22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuf68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winus47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye65.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Programmi\\GameSpy Arcade\\Aphex.exe"=
"c:\\Programmi\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"c:\\Programmi\\Xfire\\Xfire.exe"=
"c:\\Programmi\\SHOUTcast\\sc_serv.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\YVD\\n00b-IRC.exe"=
"c:\\Programmi\\YVD\\YGO Virtual Desktop V086.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\FantasyGrounds\\FantasyGrounds.exe"=
"c:\\Programmi\\VoipStunt\\VoipStunt\\VoipStunt.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Programmi\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\Desctozz\\RPGONLINE\\RPGONLINE\\RPGOnline.exe"=
"m:\\NeverwinterNights\\NWN\\nwmain.exe"=
"m:\\FEAR\\FEAR.exe"=
"c:\\Programmi\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\SYSTEM32\\RTCSHARE.EXE"=
"c:\\Programmi\\NetMeeting\\CONF.EXE"=
"c:\\Programmi\\Winamp\\winamp.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Programmi\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"c:\\Programmi\\Last.fm\\LastFM.exe"=
"m:\\WoWServer\\wamp\\Apache2\\bin\\httpd.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\ascent1722\\Ascent1722\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent Rev2355\\Ascent Rev2355\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Rev2902\\Rev2902\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\AC WEB REPACK 7.4\\Ascent\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\AC WEB REPACK 7.4\\Ascent\\ascent.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent3361\\Ascent 3361\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent3361\\Ascent 3361\\voicechat.exe"=
"c:\\Programmi\\World of Warcraft\\BackgroundDownloader.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Programmi\\TmNationsForever\\TmForever.exe"=
"c:\\Programmi\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"m:\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Programmi\\The All-Seeing Eye\\eye.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\World of Warcraft\\WoW-2.4.3.8568-to-3.0.2.8916-enGB-downloader.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2350:TCP"= 2350:TCP:TMNations1
"3450:TCP"= 3450:TCP:TMNations2
"2350:UDP"= 2350:UDP:TMNationsUDP1
"3450:UDP"= 3450:UDP:TMNationsUDP2
"6370:TCP"= 6370:TCP:*:Disabled:ppLive
"7251:UDP"= 7251:UDP:*:Disabled:ppLive
"3204:TCP"= 3204:TCP:*:Disabled:ppLive
"2588:UDP"= 2588:UDP:*:Disabled:ppLive
"7624:TCP"= 7624:TCP:*:Disabled:ppLive
"4565:UDP"= 4565:UDP:*:Disabled:ppLive
"5340:TCP"= 5340:TCP:WarRockTCP
"5350:UDP"= 5350:UDP:WarRockUDP
"8000:TCP"= 8000:TCP:Winamp
"8000:UDP"= 8000:UDP:Winamp
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 knpmuykl;knpmuykl;c:\windows\system32\drivers\jgjdfuls.dat [ ]
R3 RXG350XP;Roper 802.11g XG350 Driver;c:\windows\system32\DRIVERS\WlanCTG.sys [2005-05-26 481664]
S0 Windg73;Windg73;c:\windows\system32\Drivers\Windg73.sys [ ]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\Drivers\spyemrg.sys [ ]
S3 adxapie;adxapie;c:\docume~1\ENRICO~1\IMPOST~1\Temp\adxapie.sys [ ]
S3 wampapache;wampapache;m:\wowserver\wamp\apache2\bin\httpd.exe [2007-09-05 24635]
S3 wampmysqld;wampmysqld;m:\wowserver\wamp\mysql\bin\mysqld-nt.exe [2007-07-06 5730304]
S3 Winac71;Winac71;c:\windows\System32\drivers\Winac71.sys [ ]
S3 Winbv25;Winbv25;c:\windows\System32\drivers\Winbv25.sys [ ]
S3 Wincp30;Wincp30;c:\windows\System32\drivers\Wincp30.sys [ ]
S3 Winev41;Winev41;c:\windows\System32\drivers\Winev41.sys [ ]
S3 Winfi22;Winfi22;c:\windows\System32\drivers\Winfi22.sys [ ]
S3 Winfw16;Winfw16;c:\windows\System32\drivers\Winfw16.sys [ ]
S3 Wingl60;Wingl60;c:\windows\System32\drivers\Wingl60.sys [ ]
S3 Winin31;Winin31;c:\windows\System32\drivers\Winin31.sys [ ]
S3 Winka47;Winka47;c:\windows\System32\drivers\Winka47.sys [ ]
S3 Winka81;Winka81;c:\windows\System32\drivers\Winka81.sys [ ]
S3 Winkd12;Winkd12;c:\windows\System32\drivers\Winkd12.sys [ ]
S3 Winkm50;Winkm50;c:\windows\System32\drivers\Winkm50.sys [ ]
S3 Winll36;Winll36;c:\windows\System32\drivers\Winll36.sys [ ]
S3 Winmc18;Winmc18;c:\windows\System32\drivers\Winmc18.sys [ ]
S3 Winmj70;Winmj70;c:\windows\System32\drivers\Winmj70.sys [ ]
S3 Winnd42;Winnd42;c:\windows\System32\drivers\Winnd42.sys [ ]
S3 Winoj67;Winoj67;c:\windows\System32\drivers\Winoj67.sys [ ]
S3 Winpa76;Winpa76;c:\windows\System32\drivers\Winpa76.sys [ ]
S3 Winpf74;Winpf74;c:\windows\System32\drivers\Winpf74.sys [ ]
S3 Winsk41;Winsk41;c:\windows\System32\drivers\Winsk41.sys [ ]
S3 Winsl22;Winsl22;c:\windows\System32\drivers\Winsl22.sys [ ]
S3 Winuc41;Winuc41;c:\windows\System32\drivers\Winuc41.sys [ ]
S3 Winuf68;Winuf68;c:\windows\System32\drivers\Winuf68.sys [ ]
S3 Winus47;Winus47;c:\windows\System32\drivers\Winus47.sys [ ]
S3 Winye65;Winye65;c:\windows\System32\drivers\Winye65.sys [2008-10-15 0]
.
Contents of the 'Scheduled Tasks' folder

2008-09-18 c:\windows\Tasks\LifeChatTask.job
- c:\programmi\Microsoft LifeChat\LifeChat.exe [2008-08-21 10:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent - c:\programmi\BitTorrent\bittorrent.exe
HKLM-Run-DVDLauncher - c:\programmi\CyberLink\PowerDVD\DVDLauncher.exe
HKLM-Run-LogonStudio - c:\programmi\WinCustomize\LogonStudio\logonstudio.exe
HKLM-Run-lphcghqj0er1l - c:\windows\system32\lphcghqj0er1l.exe
Notify-AutorunsDisabled - c:\windows\system32\NavLogon.dll c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll wingdm32.dll
SafeBoot-Winkp05.sys
SafeBoot-Winro43.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Enrico Fantini\Dati applicazioni\Mozilla\Firefox\Profiles\66luhjkg.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT396646&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.it/
FF -: plugin - c:\programmi\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 14:27:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\ENRICO~1\IMPOST~1\Temp\tzk9.tmp 797 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\knpmuykl]
"ImagePath"="system32\drivers\jgjdfuls.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\programmi\Unlocker\UnlockerHook.dll
-> c:\programmi\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\programmi\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\programmi\Spyware Doctor\sdhelp.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\programmi\iPod\bin\iPodService.exe
c:\programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
c:\programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\SYSTEM32\WGATray.exe
c:\programmi\Logitech\SetPoint\KHALMNPR.exe
c:\programmi\File comuni\PCSuite\Services\ServiceLayer.exe
c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\programmi\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Scan finished: 2008-11-04 14:53:27 - machine was rebooted [Enrico Fantini]
ComboFix-quarantined-files.txt 2008-11-04 13:53:19

Pre-Run: 20,935,532,544 bytes free
Post-Run: 21,546,213,376 bytes free

369 --- E O F --- 2008-11-03 21:50:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.55.28, on 04/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Microsoft LifeChat\LifeChat.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Programmi\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E00AB23-3C82-4C02-B18F-40F44636EE49} - C:\WINDOWS\system32\cewmd.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programmi\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LifeChat] "C:\Programmi\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: wampapache - Apache Software Foundation - M:\WoWServer\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - M:\WoWServer\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 10802 bytes

Last edited by Fantuccio; 11-04-2008 at 06:23 AM.
Old 11-04-2008, 07:38 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while, after our work is complete.

Next steps.....

Is this intentionally set as your IE Start Page?

http://www.finderg.com

Also, are the about:blank settings in IE placed there by you?

=============================

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/308373-file-cannot-deleted-cewmd-dll.html#post1786823

    Driver::
    knpmuykl
    Windg73
    adxapie
    Winac71
    Winbv25
    Wincp30
    Winev41
    Winfi22
    Winfw16
    Wingl60
    Winin31
    Winka47
    Winka81
    Winkd12
    Winkm50
    Winll36
    Winmc18
    Winmj70
    Winnd42
    Winoj67
    Winpa76
    Winpf74
    Winsk41
    Winsl22
    Winuc41
    Winuf68
    Winus47
    Winye65


    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winac71.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbv25.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincp30.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windg73.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winev41.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfi22.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfw16.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingl60.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winin31.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka47.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winka81.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkd12.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkm50.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winll36.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmc18.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmj70.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnd42.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winoj67.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpa76.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpf74.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsk41.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsl22.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc41.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuf68.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winus47.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye65.sys]

    Collect::
    c:\windows\SYSTEM32\DRIVERS\jgjdfuls.dat
    c:\windows\SYSTEM32\DRIVERS\mcxtjued.dat
    c:\windows\SYSTEM32\cewmd.dll
    c:\windows\system32\drivers\Winye65.sys
    c:\windows\system32\drivers\Winro43.sys


    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.

Last edited by tetonbob; 11-04-2008 at 07:41 AM.
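The triage tetonbob does by eye in the post above (randomly named Win??nn drivers whose image file ComboFix could not stat, the matching SafeBoot\Minimal keys that keep those drivers loading even in Safe Mode, and the Security Center values flipped to 1 to silence the "no antivirus" warning) can be scripted. The Python below is an added example written for this page; it is not code from the thread, from ComboFix or from HijackThis. Its sample input is a handful of lines copied from the ComboFix log posted earlier in this thread, and the heuristics it applies (the Win + two letters + two digits name pattern, a `[ ]` attribute field together with a display name identical to the service name, an image under a Temp directory or with a non-driver extension, a zero-length file) are this example's own assumptions about what separates the malicious entries from legitimate ones such as the Roper WLAN driver or the Spy Emergency leftover, not rules documented by ComboFix. It emits the same Driver::/Registry::/Collect:: sections that the CFScript in the post uses.

```python
import re

# Constructed sample input: lines copied from the ComboFix log posted earlier in
# this thread, trimmed so the script runs offline (a real run reads ComboFix.txt).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winac71.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye65.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R0 knpmuykl;knpmuykl;c:\windows\system32\drivers\jgjdfuls.dat [ ]
R3 RXG350XP;Roper 802.11g XG350 Driver;c:\windows\system32\DRIVERS\WlanCTG.sys [2005-05-26 481664]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\Drivers\spyemrg.sys [ ]
S3 adxapie;adxapie;c:\docume~1\ENRICO~1\IMPOST~1\Temp\adxapie.sys [ ]
S3 wampapache;wampapache;m:\wowserver\wamp\apache2\bin\httpd.exe [2007-09-05 24635]
S3 Winac71;Winac71;c:\windows\System32\drivers\Winac71.sys [ ]
S3 Winye65;Winye65;c:\windows\System32\drivers\Winye65.sys [2008-10-15 0]
"""

# ComboFix service line: "<start> <name>;<display>;<image path> [<date> <size>]";
# the bracket field is "[ ]" when ComboFix could not stat the image (missing or hidden).
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
SAFEBOOT_RE = re.compile(r"^\[" + re.escape(SAFEBOOT_KEY) + r"\\(.+?)\]$", re.IGNORECASE)
# Assumption of this example: the dropper in this thread names drivers Win + 2 letters + 2 digits.
RANDOM_NAME_RE = re.compile(r"^Win[a-z]{2}\d{2}$")
# Security Center values that, when set to 1, silence the "no antivirus / no firewall" warnings.
SC_TAMPER = {"AntiVirusDisableNotify", "FirewallDisableNotify",
             "UpdatesDisableNotify", "DisableMonitoring"}


def parse_services(log):
    """Return one dict per R*/S* driver or service line, in log order."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, info = m.groups()
            parts = info.split()  # [] for "[ ]", ["date", "size"] otherwise
            out.append({"start": start, "name": name, "display": display, "path": path,
                        "date": parts[0] if parts else "",
                        "size": int(parts[1]) if len(parts) > 1 else None})
    return out


def suspicious_drivers(services):
    """Flag entries that look like the rootkit's drivers; each hit carries its reasons."""
    hits = []
    for s in services:
        reasons = []
        ext = s["path"].rsplit(".", 1)[-1].lower()
        if RANDOM_NAME_RE.match(s["name"]):
            reasons.append("randomly generated Win??nn service name")
        if ext not in ("sys", "exe"):
            reasons.append(f"driver image has a .{ext} extension")
        if "\\temp\\" in s["path"].lower():
            reasons.append("image loaded from a Temp directory")
        if s["size"] == 0:
            reasons.append("zero-length image file")
        if s["date"] == "" and s["display"] == s["name"]:
            reasons.append("image could not be stat'ed and service has no descriptive display name")
        if reasons:
            hits.append((s["name"], reasons))
    return hits


def safeboot_entries(log):
    """Names under SafeBoot\\Minimal: a driver listed there is still loaded in Safe Mode."""
    return [m.group(1) for m in map(SAFEBOOT_RE.match, map(str.strip, log.splitlines())) if m]


def security_center_tampering(log):
    """(key, value name) pairs under ...\\security center that are set to a non-zero dword."""
    key, hits = "", []
    for line in map(str.strip, log.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and "security center" in key.lower() and m.group(1) in SC_TAMPER and int(m.group(2), 16):
            hits.append((key, m.group(1)))
    return hits


def build_cfscript(driver_names, safeboot, collect_paths):
    """Emit Driver::/Registry::/Collect:: sections in the CFScript format used in the thread."""
    keys = [k for k in safeboot if k.rsplit(".", 1)[0] in driver_names]
    lines = ["Driver::", *driver_names, "", "Registry::"]
    lines += [f"[-{SAFEBOOT_KEY}\\{k}]" for k in keys]  # "[-key]" deletes the key
    lines += ["", "Collect::", *collect_paths]
    return "\n".join(lines) + "\n"


def triage(log):
    services, safeboot = parse_services(log), safeboot_entries(log)
    flagged = suspicious_drivers(services)
    names = [n for n, _ in flagged]
    collect = [s["path"] for s in services if s["name"] in names]
    return {"flagged": flagged, "safeboot": safeboot,
            "security_center": security_center_tampering(log),
            "cfscript": build_cfscript(names, safeboot, collect)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, reasons in result["flagged"]:
        print(f"{name}: {'; '.join(reasons)}")
    for key, value in result["security_center"]:
        print(f"Security Center tampering: {value}=1 under {key}")
    print(result["cfscript"])
```

On the sample above the script flags knpmuykl, adxapie, Winac71 and Winye65 and leaves RXG350XP, SpyEmrg and wampapache alone, which is the same split tetonbob made by hand. The Collect:: list is every flagged image path; before using such a script an analyst would prune paths already known to be gone and review the output rather than drag it onto ComboFix unread, since the heuristics are tuned to this one dropper.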
Old 11-04-2008, 11:51 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


Re: File cannot be deleted: cewmd.dll

I've got Firefox at the moment and I stopped using IE a long time ago, but I'm sure that the finderg and about:blank pages weren't placed there by me.

Here are the logs:

ComboFix 08-11-03.04 - Enrico Fantini 2008-11-04 20.14.11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1430 [GMT 1:00]
Run from: c:\documents and settings\Enrico Fantini\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Enrico Fantini\Desktop\CFScript.txt
* Created a new restore point
.
The following files were disabled during the run:
c:\programmi\Spyware Doctor\tools\swpg.dat


((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\cewmd.dll
c:\windows\SYSTEM32\DRIVERS\jgjdfuls.dat
c:\windows\SYSTEM32\DRIVERS\mcxtjued.dat
c:\windows\system32\drivers\Winro43.sys
c:\windows\system32\drivers\Winye65.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADXAPIE
-------\Legacy_KNPMUYKL
-------\Legacy_WINAC71
-------\Legacy_WINBV25
-------\Legacy_WINCP30
-------\Legacy_WINEV41
-------\Legacy_WINFI22
-------\Legacy_WINFW16
-------\Legacy_WINGL60
-------\Legacy_WININ31
-------\Legacy_WINKA47
-------\Legacy_WINKA81
-------\Legacy_WINKD12
-------\Legacy_WINKM50
-------\Legacy_WINMC18
-------\Legacy_WINMJ70
-------\Legacy_WINPA76
-------\Legacy_WINPF74
-------\Legacy_WINSK41
-------\Legacy_WINSL22
-------\Legacy_WINUC41
-------\Legacy_WINUF68
-------\Legacy_WINUS47
-------\Legacy_WINYE65
-------\Service_adxapie
-------\Service_knpmuykl
-------\Service_Winac71
-------\Service_Winbv25
-------\Service_Wincp30
-------\Service_Windg73
-------\Service_Winev41
-------\Service_Winfi22
-------\Service_Winfw16
-------\Service_Wingl60
-------\Service_Winin31
-------\Service_Winka47
-------\Service_Winka81
-------\Service_Winkd12
-------\Service_Winkm50
-------\Service_Winll36
-------\Service_Winmc18
-------\Service_Winmj70
-------\Service_Winnd42
-------\Service_Winoj67
-------\Service_Winpa76
-------\Service_Winpf74
-------\Service_Winsk41
-------\Service_Winsl22
-------\Service_Winuc41
-------\Service_Winuf68
-------\Service_Winus47
-------\Service_Winye65


((((((((((((((((((((((((( Files Creati Da 2008-10-04 al 2008-11-04 )))))))))))))))))))))))))))))))))))
.

2008-11-02 00:50 . 2008-11-02 00:50 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-02 00:50 . 2008-11-02 00:50 1,409 --a------ c:\windows\QTFont.for
2008-11-01 11:59 . 2008-11-01 11:59 <DIR> d-------- C:\rsit
2008-11-01 11:27 . 2008-11-01 11:27 250 --a------ c:\windows\gmer.ini
2008-11-01 10:57 . 2008-11-01 11:08 <DIR> d-------- c:\programmi\Unlocker
2008-11-01 10:55 . 2008-11-01 10:57 <DIR> d-------- c:\programmi\FileASSASSIN
2008-10-29 13:35 . 2008-10-29 13:35 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage
2008-10-15 21:39 . 2008-10-15 21:39 208 --a------ c:\windows\SYSTEM32\MRT.INI
2008-10-09 16:09 . 2008-10-09 19:38 <DIR> d-------- c:\programmi\World of Warcraft Public Test
2008-10-09 16:00 . 2008-10-09 16:00 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Blizzard
2008-10-09 01:47 . 2008-10-09 01:47 42,320 --a------ c:\windows\SYSTEM32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 09:30 --------- d-----w c:\programmi\eMule
2008-10-27 16:00 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\uTorrent
2008-10-23 09:19 --------- d-s---w c:\programmi\Xfire
2008-10-22 17:42 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\Xfire
2008-10-22 12:10 --------- d-----w c:\programmi\World of Warcraft
2008-10-17 12:05 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\Skype
2008-10-15 11:56 --------- d-----w c:\programmi\NCSoft
2008-10-13 12:51 182,928 ----a-w c:\windows\SYSTEM32\PnkBstrB.exe
2008-10-13 12:51 138,376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-13 12:48 66,872 ----a-w c:\windows\SYSTEM32\PnkBstrA.exe
2008-10-09 15:58 --------- d-----w c:\programmi\File comuni\Blizzard Entertainment
2008-10-09 15:03 --------- d-----w c:\programmi\ThriXXX
2008-10-07 19:35 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\teamspeak2
2008-10-03 20:53 --------- d-----w c:\programmi\Microsoft SQL Server
2008-10-02 20:50 --------- d-----w c:\programmi\Microsoft CAPICOM 2.1.0.2
2008-10-01 13:55 --------- d-----w c:\programmi\MessengerDiscovery
2008-10-01 13:48 --------- d-----w c:\programmi\Messenger Plus! Live
2008-10-01 13:48 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2008-10-01 13:44 --------- d-----w c:\programmi\MSN Messenger
2008-10-01 12:59 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-10-01 12:57 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-10-01 12:44 --------- d-----w c:\programmi\Windows Live
2008-10-01 12:13 --------- d-----w c:\programmi\StuffPlug3
2008-09-28 14:08 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-09-28 14:07 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\GetRightToGo
2008-09-21 09:41 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\SecondLife
2008-09-18 11:56 --------- d-----w c:\programmi\Microsoft LifeChat
2008-09-15 15:38 1,846,016 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-09 10:24 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\ATI
2008-09-09 10:21 --------- d-----w c:\programmi\ATI Technologies
2008-09-09 08:59 --------- d-----w c:\documents and settings\Enrico Fantini\Dati applicazioni\atitray
2008-09-07 22:29 --------- d-----w c:\programmi\SystemRequirementsLab
2008-08-20 05:35 662,016 ----a-w c:\windows\SYSTEM32\wininet.dll
2008-08-14 13:42 2,139,648 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2008-08-14 13:42 2,019,328 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2007-09-11 22:19 22,328 ----a-w c:\documents and settings\Enrico Fantini\Dati applicazioni\PnkBstrK.sys
2006-05-29 15:39 36,816 -c--a-w c:\documents and settings\Enrico Fantini\Dati applicazioni\GDIPFONTCACHEV1.DAT
2005-06-19 09:04 32 -c--a-r c:\documents and settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_14.52.33.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-04 13:04:40 81,842 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
+ 2008-11-04 17:39:36 81,842 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
- 2008-11-04 13:04:40 98,522 ----a-w c:\windows\SYSTEM32\PERFC010.DAT
+ 2008-11-04 17:39:36 98,522 ----a-w c:\windows\SYSTEM32\PERFC010.DAT
- 2008-11-04 13:04:40 454,378 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
+ 2008-11-04 17:39:36 454,378 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
- 2008-11-04 13:04:40 509,148 ----a-w c:\windows\SYSTEM32\PERFH010.DAT
+ 2008-11-04 17:39:36 509,148 ----a-w c:\windows\SYSTEM32\PERFH010.DAT
.
-- Snapshot per reimpostare la data corrente --
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DMXLauncher"="c:\programmi\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools"="c:\programmi\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"snpstd"="c:\windows\vsnpstd.exe" [2004-05-10 286720]
"WinampAgent"="c:\programmi\Winamp\winampa.exe" [2007-05-14 35328]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LifeChat"="c:\programmi\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-07-29 155648]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
"Spyware Doctor"="c:\programmi\Spyware Doctor\swdoctor.exe" [2007-03-28 2115728]

c:\documents and settings\Enrico Fantini\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-12 113664]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Logitech SetPoint.lnk - c:\programmi\Logitech\SetPoint\KEM.exe [2005-10-22 581632]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Programmi\\GameSpy Arcade\\Aphex.exe"=
"c:\\Programmi\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"c:\\Programmi\\Xfire\\Xfire.exe"=
"c:\\Programmi\\SHOUTcast\\sc_serv.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\YVD\\n00b-IRC.exe"=
"c:\\Programmi\\YVD\\YGO Virtual Desktop V086.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\FantasyGrounds\\FantasyGrounds.exe"=
"c:\\Programmi\\VoipStunt\\VoipStunt\\VoipStunt.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Programmi\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\Desctozz\\RPGONLINE\\RPGONLINE\\RPGOnline.exe"=
"m:\\NeverwinterNights\\NWN\\nwmain.exe"=
"m:\\FEAR\\FEAR.exe"=
"c:\\Programmi\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\SYSTEM32\\RTCSHARE.EXE"=
"c:\\Programmi\\NetMeeting\\CONF.EXE"=
"c:\\Programmi\\Winamp\\winamp.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Programmi\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"c:\\Programmi\\Last.fm\\LastFM.exe"=
"m:\\WoWServer\\wamp\\Apache2\\bin\\httpd.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\ascent1722\\Ascent1722\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent Rev2355\\Ascent Rev2355\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Rev2902\\Rev2902\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\AC WEB REPACK 7.4\\Ascent\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\AC WEB REPACK 7.4\\Ascent\\ascent.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent3361\\Ascent 3361\\logonserver.exe"=
"c:\\Documents and Settings\\Enrico Fantini\\Desktop\\WoWprivato\\Ascent3361\\Ascent 3361\\voicechat.exe"=
"c:\\Programmi\\World of Warcraft\\BackgroundDownloader.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"m:\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Programmi\\TmNationsForever\\TmForever.exe"=
"c:\\Programmi\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"m:\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Programmi\\The All-Seeing Eye\\eye.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\World of Warcraft\\WoW-2.4.3.8568-to-3.0.2.8916-enGB-downloader.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2350:TCP"= 2350:TCP:TMNations1
"3450:TCP"= 3450:TCP:TMNations2
"2350:UDP"= 2350:UDP:TMNationsUDP1
"3450:UDP"= 3450:UDP:TMNationsUDP2
"6370:TCP"= 6370:TCP:*:Disabled:ppLive
"7251:UDP"= 7251:UDP:*:Disabled:ppLive
"3204:TCP"= 3204:TCP:*:Disabled:ppLive
"2588:UDP"= 2588:UDP:*:Disabled:ppLive
"7624:TCP"= 7624:TCP:*:Disabled:ppLive
"4565:UDP"= 4565:UDP:*:Disabled:ppLive
"5340:TCP"= 5340:TCP:WarRockTCP
"5350:UDP"= 5350:UDP:WarRockUDP
"8000:TCP"= 8000:TCP:Winamp
"8000:UDP"= 8000:UDP:Winamp
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 RXG350XP;Roper 802.11g XG350 Driver;c:\windows\system32\DRIVERS\WlanCTG.sys [2005-05-26 481664]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\Drivers\spyemrg.sys [ ]
S3 wampapache;wampapache;m:\wowserver\wamp\apache2\bin\httpd.exe [2007-09-05 24635]
S3 wampmysqld;wampmysqld;m:\wowserver\wamp\mysql\bin\mysqld-nt.exe [2007-07-06 5730304]
.
Contenuto della cartella 'Scheduled Tasks'

2008-09-18 c:\windows\Tasks\LifeChatTask.job
- c:\programmi\Microsoft LifeChat\LifeChat.exe [2008-08-21 10:16]
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{0E00AB23-3C82-4C02-B18F-40F44636EE49} - c:\windows\system32\cewmd.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 20:23:28
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\programmi\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\programmi\Spyware Doctor\sdhelp.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\SYSTEM32\WGATray.exe
c:\programmi\iPod\bin\iPodService.exe
c:\programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
c:\programmi\Logitech\SetPoint\KHALMNPR.exe
c:\progra~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
c:\programmi\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Ora fine scansione: 2008-11-04 20:47:28 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-11-04 19:47:22
ComboFix2.txt 2008-11-04 13:53:29

Pre-Run: 21.496.389.632 byte disponibili
Post-Run: 21,477,548,032 byte disponibili

300 --- E O F --- 2008-11-03 21:50:04




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.51.19, on 04/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Microsoft LifeChat\LifeChat.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programmi\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LifeChat] "C:\Programmi\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://labirreriadifantom.spaces.liv...d/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: wampapache - Apache Software Foundation - M:\WoWServer\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - M:\WoWServer\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 10452 bytes
Fantuccio is offline  
Old 11-04-2008, 11:54 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

Ok, thanks for that information. We'll address that in my next fix. Before we do that, I need a bit more information, please.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
tetonbob is offline  
Old 11-04-2008, 12:07 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


Re: File cannot be deleted: cewmd.dll

2004-04-03 12:47:08 AC------ 29,184 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msinet.oca.vir
2004-08-19 12:00:00 A------- 0 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Winro43.sys.vir
2004-08-19 12:00:00 A------- 0 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Winye65.sys.vir
2004-08-19 12:00:00 A------- 30,080 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Winaw10.sys.vir
2004-08-19 12:00:00 A------- 30,080 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Windi33.sys.vir
2004-08-19 12:00:00 A------- 30,080 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Winkp05.sys.vir
2004-08-19 12:00:00 A------- 30,080 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Winlj36.sys.vir
2004-08-19 12:00:00 A------- 30,080 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Winyh62.sys.vir
2005-06-06 21:00:00 AC------ 22 C:\Qoobox\Quarantine\C\Programmi\MsUpdate\a.zip.vir
2005-09-24 12:54:39 AC------ 62,464 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bszip.dll.vir
2007-09-01 21:14:10 A------- 921,600 C:\Qoobox\Quarantine\C\Documents and Settings\Enrico Fantini\Impostazioni locali\Temporary Internet Files\ijjistarter2FxB.exe.vir
2007-09-25 16:12:59 A------- 77,312 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\P2P Networking v126.cpl.vir
2007-09-25 16:13:11 A------- 905 C:\Qoobox\Quarantine\C\WINDOWS\Fonts\acrsecI.fon.vir
2007-09-25 16:13:11 A------- 1,761 C:\Qoobox\Quarantine\C\WINDOWS\Fonts\acrsecB.fon.vir
2007-09-25 16:13:12 A------- 854 C:\Qoobox\Quarantine\C\WINDOWS\Fonts\acrsec.fon.vir
2008-10-14 13:43:23 A------- 15,360 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinCtrl32.dll.vir
2008-10-17 12:38:55 A------- 118,784 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\blphcghqj0er1l.scr.vir
2008-10-18 18:43:14 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\31.exe.vir
2008-10-18 18:43:16 A------- 93,184 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cewmd.dll.vir
2008-10-22 12:32:05 A------- 5,120 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\mcxtjued.dat.vir
2008-10-22 12:32:07 A------- 18,688 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\jgjdfuls.dat.vir
2008-10-24 16:27:32 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\718.exe.vir
2008-10-24 16:34:40 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\437.exe.vir
2008-10-27 17:17:01 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\828.exe.vir
2008-10-27 17:34:18 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\453.exe.vir
2008-11-04 14:00:28 A------- 15,360 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinCtrl32.dl_.vir
2008-11-04 14:11:10 A------- 1,208 C:\Qoobox\Quarantine\catchme.log
2008-11-04 14:19:42 A------- 10,587 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-04 14:20:50 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINAW10.reg.dat
2008-11-04 14:20:50 A------- 1,326 C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2008-11-04 14:20:50 A------- 1,334 C:\Qoobox\Quarantine\Registry_backups\Legacy_OREANS32.reg.dat
2008-11-04 14:20:51 A------- 1,034 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINDI33.reg.dat
2008-11-04 14:20:51 A------- 1,034 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINYH62.reg.dat
2008-11-04 14:20:51 A------- 1,092 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINKP05.reg.dat
2008-11-04 14:20:51 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINLJ36.reg.dat
2008-11-04 14:20:51 A------- 2,100 C:\Qoobox\Quarantine\Registry_backups\Service_oreans32.reg.dat
2008-11-04 14:20:51 A------- 2,418 C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2008-11-04 14:20:51 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winaw10.reg.dat
2008-11-04 14:20:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Windi33.reg.dat
2008-11-04 14:20:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winkp05.reg.dat
2008-11-04 14:20:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winlj36.reg.dat
2008-11-04 14:20:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winyh62.reg.dat
2008-11-04 14:52:33 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-04 14:52:33 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-04 14:52:33 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-04 14:52:38 A------- 165 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BitTorrent.reg.dat
2008-11-04 14:52:40 A------- 140 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-lphcghqj0er1l.reg.dat
2008-11-04 14:52:40 A------- 153 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-DVDLauncher.reg.dat
2008-11-04 14:52:40 A------- 167 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-LogonStudio.reg.dat
2008-11-04 14:52:50 A------- 1,746 C:\Qoobox\Quarantine\Registry_backups\Notify-AutorunsDisabled.reg.dat
2008-11-04 14:52:53 A------- 554 C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Winkp05.sys.reg.dat
2008-11-04 14:52:53 A------- 554 C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Winro43.sys.reg.dat
2008-11-04 20:13:56 A------- 90,237 C:\Qoobox\Quarantine\[4]-Submit_2008-11-04@20.13.zip
2008-11-04 20:14:51 A------- 179,792 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_cewmd_.dll.zip
2008-11-04 20:14:55 A------- 8,987 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_jgjdfuls_.dat.zip
2008-11-04 20:14:58 A------- 2,454 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_mcxtjued_.dat.zip
2008-11-04 20:19:48 A------- 284 C:\Qoobox\Quarantine\Registry_backups\Legacy_ADXAPIE.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINAC71.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINBV25.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINCP30.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINEV41.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINFI22.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINFW16.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINGL60.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WININ31.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINKA47.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINKA81.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINKD12.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINKM50.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINMC18.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINMJ70.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINPA76.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINPF74.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINSK41.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINSL22.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINUC41.reg.dat
2008-11-04 20:19:48 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINUF68.reg.dat
2008-11-04 20:19:48 A------- 1,276 C:\Qoobox\Quarantine\Registry_backups\Legacy_KNPMUYKL.reg.dat
2008-11-04 20:19:49 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINUS47.reg.dat
2008-11-04 20:19:49 A------- 1,208 C:\Qoobox\Quarantine\Registry_backups\Legacy_WINYE65.reg.dat
2008-11-04 20:19:49 A------- 2,354 C:\Qoobox\Quarantine\Registry_backups\Service_adxapie.reg.dat
2008-11-04 20:19:49 A------- 6,264 C:\Qoobox\Quarantine\Registry_backups\Service_knpmuykl.reg.dat
2008-11-04 20:19:50 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winac71.reg.dat
2008-11-04 20:19:50 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winbv25.reg.dat
2008-11-04 20:19:50 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Wincp30.reg.dat
2008-11-04 20:19:51 A------- 1,748 C:\Qoobox\Quarantine\Registry_backups\Service_Windg73.reg.dat
2008-11-04 20:19:51 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winev41.reg.dat
2008-11-04 20:19:51 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winfi22.reg.dat
2008-11-04 20:19:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winfw16.reg.dat
2008-11-04 20:19:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Wingl60.reg.dat
2008-11-04 20:19:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winin31.reg.dat
2008-11-04 20:19:52 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winka47.reg.dat
2008-11-04 20:19:53 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winka81.reg.dat
2008-11-04 20:19:53 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winkd12.reg.dat
2008-11-04 20:19:53 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winkm50.reg.dat
2008-11-04 20:19:54 A------- 2,210 C:\Qoobox\Quarantine\Registry_backups\Service_Winll36.reg.dat
2008-11-04 20:19:54 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winmc18.reg.dat
2008-11-04 20:19:54 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winmj70.reg.dat
2008-11-04 20:19:55 A------- 2,210 C:\Qoobox\Quarantine\Registry_backups\Service_Winnd42.reg.dat
2008-11-04 20:19:55 A------- 2,210 C:\Qoobox\Quarantine\Registry_backups\Service_Winoj67.reg.dat
2008-11-04 20:19:55 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winpa76.reg.dat
2008-11-04 20:19:56 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winpf74.reg.dat
2008-11-04 20:19:56 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winsk41.reg.dat
2008-11-04 20:19:56 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winsl22.reg.dat
2008-11-04 20:19:57 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winuc41.reg.dat
2008-11-04 20:19:57 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winuf68.reg.dat
2008-11-04 20:19:57 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winus47.reg.dat
2008-11-04 20:19:57 A------- 2,530 C:\Qoobox\Quarantine\Registry_backups\Service_Winye65.reg.dat
2008-11-04 20:46:48 A------- 376 C:\Qoobox\Quarantine\Registry_backups\BHO-{0E00AB23-3C82-4C02-B18F-40F44636EE49}.reg.dat
Old 11-04-2008, 12:11 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

Great, let's continue...
  • Please visit this site:
    http://www.bleepingcomputer.com/subm....php?channel=4
  • In the Link to topic where this file was requested: area, copy and paste this
    http://www.techsupportforum.com/security-center/hijackthis-log-help/308373-file-cannot-deleted-cewmd-dll.html#post1787247
  • In the Browse to the file you want to submit: area, copy and paste this
    C:\Qoobox\Quarantine\[4]-Submit_2008-11-04@20.13.zip
  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and continue with the steps below.

Some of my research indicates eMule may be responsible for setting the homepage. Just another reason to be wary of P2P applications.


P2P - I see you have P2P software (LimeWire PRO, eMule) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

http://www.techsupportforum.com/secu...e-sharing.html

I would strongly recommend that you uninstall this. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank


Close HijackThis now.

---------------------------------------------------------------------------------------------


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 10. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
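The R0/R1 lines in the fix list above are how HijackThis shows Internet Explorer's Main registry values when they differ from the stock ones: a Start Page pointing at a domain the user never chose (here www.finderg.com) is the hijack itself, and values reset to about:blank are the leftovers of it being blanked out. As an added example (not code from the thread, from HijackThis or from the forum), the Python below parses such lines, pulls out the hostname of any redirect so it can be looked up on a domain blocklist, and tallies the rest. The allowlist of Microsoft hosts behind IE's stock URLs and the two extra sample lines (a stock Search Page and a stock Local Page) are assumptions made for this example; the other six sample lines are the ones from the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# One HijackThis R0-R3 line: "R0 - HKCU\Software\...\Main,Start Page = <data>"
R_LINE = re.compile(
    r"^(?P<kind>R[0-3]) - (?P<hive>HKCU|HKLM|HKU\\[^\\]+)\\(?P<key>[^,]+),"
    r"(?P<value>[^=]+?) = (?P<data>.*)$"
)

# Hosts behind Internet Explorer's stock start/search URLs on XP. This allowlist
# is an assumption for this example; anything else is user-chosen or a hijack.
DEFAULT_HOSTS = {"www.microsoft.com", "go.microsoft.com", "www.msn.com", "search.msn.com"}

# The six lines from the fix list above, plus two constructed lines (a stock
# Search Page and a stock Local Page) so every verdict below is exercised.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
"""


def parse_r_lines(text):
    """Return one dict (kind, hive, key, value, data) per R0-R3 line found."""
    return [m.groupdict() for m in (R_LINE.match(l.strip()) for l in text.splitlines()) if m]


def classify(entry):
    """Verdict for one entry and, for redirects, the host to look up on a blocklist."""
    data = entry["data"].strip()
    if data.lower() == "about:blank":
        return "blanked", None          # value was emptied, not pointed elsewhere
    host = (urlsplit(data).hostname or "").lower()
    if not host:
        return "local-file", None       # e.g. %SystemRoot%\system32\blank.htm
    if host in DEFAULT_HOSTS:
        return "default", host
    return "redirect", host             # the hijack: a host the user never chose


def triage(text):
    out = []
    for e in parse_r_lines(text):
        verdict, host = classify(e)
        out.append({**e, "verdict": verdict, "host": host})
    return out


def redirect_hosts(text):
    """Distinct hosts that IE was pointed at; feed these to a domain blocklist."""
    return sorted({r["host"] for r in triage(text) if r["verdict"] == "redirect"})


def summary(text):
    """How many entries fall under each verdict."""
    return dict(Counter(r["verdict"] for r in triage(text)))


if __name__ == "__main__":
    for r in triage(SAMPLE_HJT_LINES):
        print(f'{r["kind"]} {r["hive"]} {r["value"]:<20} {r["verdict"]:<10} {r["host"] or ""}')
    print(summary(SAMPLE_HJT_LINES))
```

Run against the sample, the only redirect host is www.finderg.com; the five about:blank entries are reported as blanked rather than as redirects, which matters when you are deciding what to feed to a blocklist lookup. HijackThis's Fix Checked resets these values; the script only reads a log and never touches the registry.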
Old 11-05-2008, 05:37 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


Re: File cannot be deleted: cewmd.dll

I'm having trouble with the Kaspersky scanner. I was scanning my computer but unfortunately Firefox crashed and I had to reload the page. The download and the update process were much faster, but at the end I got this error message:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Scan has failed to start. [0x80004005]]

What should I do? Note that I already closed and opened it again 2 or 3 times, same error.

By the way, the machine has been behaving well from the start; I only noticed the infection because my antivirus was attempting (and failing) to remove it. Also, there were some pop-ups in the tray bar as stated in my first post, but they disappeared after the first ComboFix run.

Last edited by Fantuccio; 11-05-2008 at 05:38 AM.
Old 11-05-2008, 07:51 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

I'm sorry you're having troubles with the Kaspersky scanner.

Let's use this scanner in its place.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
Old 11-11-2008, 05:03 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


Re: File cannot be deleted: cewmd.dll

I tried again with the Kaspersky scanner and this time it worked.
Things are fine now, but my antivir keeps finding threats in the C:\System Volume Information\ folder...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, November 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 10, 2008 19:53:12
Records in database: 1378617
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Files scanned: 214342
Threat name: 8
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 04:58:44


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06D00000.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F1C0000.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F1C0001.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F300000.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F480000.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\121C0000.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\121C0002.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\121C0004.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\121C0006.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\121C0008.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\121C000A.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\Configurazione_Caratteri_V2.0 WinXP.rar Infected: IM-Worm.Win32.VB.ax 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\guarda ke serio....rar Infected: IM-Worm.Win32.VB.ax 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\magia.rar Infected: IM-Worm.Win32.VB.ax 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\èèèèè.rar Infected: IM-Worm.Win32.VB.ax 1
C:\Programmi\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\31.exe.vir Infected: Trojan-Downloader.Win32.Delf.pmg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\437.exe.vir Infected: Trojan-Downloader.Win32.Delf.pmg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\453.exe.vir Infected: Trojan-Downloader.Win32.Delf.pmg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\718.exe.vir Infected: Trojan-Downloader.Win32.Delf.pmg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\828.exe.vir Infected: Trojan-Downloader.Win32.Delf.pmg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_jgjdfuls_.dat.zip Infected: Trojan.Win32.Agent.cid 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_mcxtjued_.dat.zip Infected: Trojan.Win32.Agent.cid 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.bsz 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinCtrl32.dl_.vir Infected: Trojan-Downloader.Win32.Mutant.bsz 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_cewmd_.dll.zip Infected: Trojan.Win32.BHO.hoi 1
M:\eMule\Incoming\MIRC 6.21 + KeyGen Controller Programmi ITA.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
M:\eMule\Incoming\SpyRemover 2.63.zip Infected: Trojan-Downloader.Win32.Bagle.cm 1

The selected area was scanned.
Old 11-11-2008, 07:48 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while by uninstalling ComboFix.

Several finds are in Norton Quarantine

C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine

They are safe there, as Norton has rendered them inert, but you may want to remove them from the machine. See if these instructions help you finally remove them from the machine.

Please use Symantec's guide to remove the Norton Quarantine files.

==========================================

These files are infected, and where they came from is part of the problem.

Delete them all.

"C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\Configurazione_Caratteri_V2.0 WinXP.rar"
"C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\guarda ke serio....rar"
"C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\magia.rar"
"C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\èèèèè.rar" <<<<<<<<<< Not sure if this translated properly
M:\eMule\Incoming\MIRC 6.21 + KeyGen Controller Programmi ITA.rar<<<<<<<<<<<<<<<<<<KEYGEN
"M:\eMule\Incoming\SpyRemover 2.63.zip"


As I mentioned in my previous post, P2P applications in and of themselves are not always bad, but the downloads many people seek and obtain with them are.

Cracked (Illegal) Software

This is quite likely the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore. Don't think: "I have a good Antivirus and Firewall installed, they will protect me" - because that's not true... and even before you know it, your Antivirus and Firewall may become disabled by the malware which has now found its way on your system.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, TSF does not support illegal activity. Before posting for help, we ask that you uninstall any such applications, as indicated in this sticky topic.

As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine. Any future requests for help may be ignored.

Uninstall this illegal software now.

Other than that..............

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
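tetonbob's triage above sorts the Kaspersky hits by where they sit rather than by threat name: anything under ComboFix's Qoobox quarantine or Norton's quarantine is already inert, System Volume Information is System Restore's cache and gets cleared when restore points are reset, and only the archives in the download folders are live files that have to go. As an added example (not code from the thread or from Kaspersky), here is a Python parser for the Online Scanner 7 report format that applies those same rules and produces a delete list. The quarantine-path and keygen name checks, the action wording, and the one System Volume Information line (restore point number and file name made up) are assumptions for this example; the other twelve sample lines are a subset of the 28 in the report above.

```python
import re
from collections import Counter

# One Kaspersky Online Scanner 7 detection line:  <path> Infected: <threat> <count>
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Twelve lines copied from the report above (the full report has 28) plus one
# constructed System Restore hit, since the poster says AntiVir keeps alerting
# on C:\System Volume Information\ (the RP number and file name are made up).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06D00000.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F1C0000.VBN Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\Configurazione_Caratteri_V2.0 WinXP.rar Infected: IM-Worm.Win32.VB.ax 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\guarda ke serio....rar Infected: IM-Worm.Win32.VB.ax 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\magia.rar Infected: IM-Worm.Win32.VB.ax 1
C:\Documents and Settings\Enrico Fantini\Documenti\File ricevuti\èèèèè.rar Infected: IM-Worm.Win32.VB.ax 1
C:\Programmi\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\31.exe.vir Infected: Trojan-Downloader.Win32.Delf.pmg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.bsz 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_cewmd_.dll.zip Infected: Trojan.Win32.BHO.hoi 1
M:\eMule\Incoming\MIRC 6.21 + KeyGen Controller Programmi ITA.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
M:\eMule\Incoming\SpyRemover 2.63.zip Infected: Trojan-Downloader.Win32.Bagle.cm 1
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll Infected: Trojan.Win32.BHO.hoi 1
"""

# What to do with each category; the wording is this example's, the reasoning is the post's.
ACTIONS = {
    "combofix-quarantine": "inert; removed when ComboFix is uninstalled (combofix /u)",
    "av-quarantine": "inert; purge through the antivirus's own quarantine manager",
    "system-restore": "inert unless restored; cleared when restore points are reset",
    "cracked-software": "delete; keygens and cracks are a prime carrier and against forum rules",
    "riskware": "review; a legitimate tool Kaspersky labels not-a-virus, keep only if you installed it",
    "live": "delete now; an infected file outside any quarantine",
}


def parse_detections(text):
    """One dict (path, threat, count) per detection line; header lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            hits.append(d)
    return hits


def classify(hit):
    """Location first (quarantine folders, System Restore), then file name, then label."""
    p = hit["path"].lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"
    if "\\quarantine\\" in p:
        return "av-quarantine"
    if "\\system volume information\\" in p:
        return "system-restore"
    if any(w in name for w in ("keygen", "crack", "serial")):
        return "cracked-software"
    if hit["threat"].lower().startswith("not-a-virus:"):
        return "riskware"
    return "live"


def triage(text):
    out = []
    for h in parse_detections(text):
        cat = classify(h)
        out.append({**h, "category": cat, "action": ACTIONS[cat]})
    return out


def triage_summary(text):
    """Count of detections per category."""
    return dict(Counter(h["category"] for h in triage(text)))


def to_delete(text):
    """Paths the user must remove by hand, quoted because most contain spaces."""
    return [f'"{h["path"]}"' for h in triage(text) if h["category"] in ("live", "cracked-software")]


if __name__ == "__main__":
    for h in triage(SAMPLE_REPORT):
        print(f'{h["category"]:<20} {h["threat"]:<40} {h["path"]}')
    print(triage_summary(SAMPLE_REPORT))
    print("\n".join(to_delete(SAMPLE_REPORT)))
```

On the sample this yields six paths to delete (the four .rar files in File ricevuti, the keygen bundle and the SpyRemover archive), which is exactly tetonbob's list above, and leaves the quarantine and System Restore hits to combofix /u and Norton's quarantine manager. The not-a-virus prefix is Kaspersky's label for legitimate software that can be abused; mirc.exe gets it because mIRC itself is flagged that way, so it is a review item rather than a deletion unless the user did not install it.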
Old 11-11-2008, 08:51 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


Re: File cannot be deleted: cewmd.dll

I'm really sorry for breaking the rules, but I'm not the only computer user and I did not know about those illegal files. Anyway, I permanently deleted them.
One more thing, it seems that your link to the sticky topic is broken:

Quote:
Originally Posted by tetonbob View Post
Before posting for help, we ask that you uninstall any such applications, as indicated in this sticky topic.
I got the following error message when I clicked on the link:
Invalid Thread specified. If you followed a valid link, please notify the administrator

One last question: is SpyRemover a trusted and efficient AntiSpyware software, or had I better install SpywareBlaster as you wrote?

Thanks for your competent and fast answers, kindness and patience.
Old 11-11-2008, 09:18 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

Thank you for letting me know about my dead link. I've updated that information in my personal database. The link I intended you to see was this one:

http://www.techsupportforum.com/secu...oval-help.html

I do understand that sometimes others have access to one's machine, or machines are shared. Please do educate the other users.

I've not used SpyRemover, I tend to stick with tried and true applications...but it's the source from which it was downloaded which raises the concern.

There are two different SpyRemovers out there...one is a rogue application listed here, one is available from the home site, or from download sites such as MajorGeeks....however, the home site is blocked in the MVPS hosts file...

127.0.0.1 itcompany.com #[SunBelt.Family Cyber Alert]
127.0.0.1 www.itcompany.com #[Symantec.Spyware.CyberAlert]

and some list it as rogue still...but there's an interesting exchange with one of the authors of the application here

I'd tend to stay away from this application for the time being.

There are other, more well known and respected applications, some are listed here:

PC Safety and Security--What Do I Need?

SpywareBlaster is a different sort of application. It's not a scanner.

SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. This includes general spyware and malicious dialers. It also blocks a list of known spyware related cookies in IE and Firefox. SpywareBlaster should be run periodically, say once a week, to check for updates to its database. Other than that it doesn't need to be running to provide protection, so there are no processes run either at startup or in the background.


Does that help?
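Both the MVPS hosts-file install steps in tetonbob's earlier post and the two itcompany.com entries quoted just above rely on the same mechanism: Windows consults the hosts file before DNS, so a line mapping a name to 127.0.0.1 (or 0.0.0.0) sends the connection nowhere. Two caveats a practitioner should keep in mind: hosts entries match exact names only, with no wildcards, which is why MVPS lists itcompany.com and www.itcompany.com on separate lines; and a hosts line that maps a name to a routable address is a redirect, not a block, which is also what a malware-edited hosts file looks like when it sends antivirus or update sites to an attacker's server. As an added example (not code from the thread, from MVPS or from Windows), this Python reads hosts text in the MVPS layout and answers both questions. The sample file is constructed except for the two itcompany.com lines quoted above; 192.0.2.10 is a documentation-range address.

```python
# Addresses that make a hosts entry a sinkhole rather than a real mapping.
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed hosts-file excerpt in the MVPS layout ("address host #[tag]").
# Only the two itcompany.com lines come from the reply above; the rest are
# made up for this example.
SAMPLE_HOSTS = """\
# (constructed header comment)
127.0.0.1 localhost
127.0.0.1 itcompany.com #[SunBelt.Family Cyber Alert]
127.0.0.1 www.itcompany.com #[Symantec.Spyware.CyberAlert]
127.0.0.1 ads.example.net banners.example.net #[constructed: two hosts on one line]
0.0.0.0   tracker.example.org #[constructed]
192.0.2.10 intranet.example.com # constructed: a real mapping, not a block
"""


def parse_hosts(text):
    """Return {hostname: (address, tag)}; the first line naming a host wins,
    which is how the resolver treats duplicate entries."""
    table = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue                       # blank line or comment-only line
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), (address, comment.strip()))
    return table


def lookup(table, hostname):
    """Exact-name match only: hosts files have no wildcards, so an unlisted
    subdomain (download.itcompany.com) is not covered by itcompany.com."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the name is listed and points at a sinkhole address."""
    entry = lookup(table, hostname)
    return entry is not None and entry[0] in BLOCKING_ADDRESSES


def coverage_gaps(table, hostnames):
    """Names you expect the file to sinkhole but which it does not."""
    return [h for h in hostnames if not is_blocked(table, h)]


def redirected_names(table):
    """Entries that send a name to a routable address. In a file you installed
    purely for blocking, any such line (other than localhost) deserves a look."""
    return {name: addr for name, (addr, _) in table.items()
            if addr not in BLOCKING_ADDRESSES and name != "localhost"}


if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    for h in ("itcompany.com", "WWW.ITCOMPANY.COM", "download.itcompany.com"):
        print(f"{h:<25} blocked={is_blocked(t, h)}")
    print("gaps:", coverage_gaps(t, ["itcompany.com", "download.itcompany.com"]))
    print("redirects:", redirected_names(t))
```

Point it at C:\WINDOWS\system32\drivers\etc\hosts after the mvps.bat step to confirm the entries landed. The redirect check only catches names sent to a routable address; a hosts file that sinkholes antivirus vendors' sites to 127.0.0.1 needs a list of those vendor names to compare against, which is outside what this example assumes.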
Old 11-11-2008, 11:10 AM   #15 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Win XP Home, SP2


Re: File cannot be deleted: cewmd.dll

Yeah, sure. I've downloaded the MVPS hosts file, WinPatrol and SpywareBlaster as you recommended.

Thank you very much for your help.
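The "flags in the registry" that SpywareBlaster sets, as described two posts up, are Internet Explorer's ActiveX kill bits: a Compatibility Flags DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} stops IE from loading that control, whatever its file is named and wherever it sits on disk. That is why no process needs to run for the protection to hold. As an added example (not SpywareBlaster's code and not from the thread), this Python writes a .reg file that sets the bit for a list of CLSIDs and reads exported .reg text back to report which CLSIDs are still unprotected. The first sample CLSID is the BHO entry ComboFix backed up in the quarantine listing above; the second CLSID and the exported text are constructed for this example.

```python
import re

KILL_BIT = 0x00000400   # "Compatibility Flags" bit that stops IE loading the control
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# The first CLSID is the BHO that ComboFix backed up in the quarantine listing
# above; the second is constructed. The exported text is constructed too.
SAMPLE_CLSIDS = ["{0E00AB23-3C82-4C02-B18F-40F44636EE49}", "{11111111-2222-3333-4444-555555555555}"]
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0E00AB23-3C82-4C02-B18F-40F44636EE49}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000
"""


def kill_bit_reg(clsids):
    """Text of a .reg file that sets the kill bit on each CLSID; merge it with
    regedit (or 'reg import') from an administrator account."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines.append(f"[{ACTIVEX_COMPAT_KEY}\\{clsid.upper()}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def parse_compat_flags(reg_text):
    """Read exported .reg text back: {CLSID: Compatibility Flags as int}.
    Keys outside ActiveX Compatibility are ignored."""
    flags, current = {}, None
    prefix = ACTIVEX_COMPAT_KEY.upper() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            current = key[len(prefix):].upper() if key.upper().startswith(prefix) else None
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def is_kill_bitted(flags_by_clsid, clsid):
    """True if the kill bit is set, whatever other flag bits are present."""
    return bool(flags_by_clsid.get(clsid.upper(), 0) & KILL_BIT)


def missing_kill_bits(reg_text, clsids):
    """CLSIDs from the list that the exported registry text does not block."""
    flags = parse_compat_flags(reg_text)
    return [c.upper() for c in clsids if not is_kill_bitted(flags, c)]


if __name__ == "__main__":
    print(kill_bit_reg(SAMPLE_CLSIDS))
    print("not yet blocked:", missing_kill_bits(SAMPLE_EXPORT, SAMPLE_CLSIDS))
```

To audit a machine, export the ActiveX Compatibility key with regedit (or reg export) and feed the file to missing_kill_bits with the CLSIDs you care about. Setting a kill bit does not remove the DLL; it only stops Internet Explorer from instantiating the control, so removal of the file and its BHO registration is still a separate step.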
Old 11-11-2008, 11:27 AM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: File cannot be deleted: cewmd.dll

You're welcome for the help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
 


All times are GMT -7. The time now is 06:53 PM.



Copyright 2001 - 2009, Tech Support Forum