Lolicon
2008-09-09, 16:25
Hello and thanks for all the help... Spybot S&D is a great piece of software in its own right.
I'm helping out a friend who has his laptop badly infected with an array of worms and stuff (some of it already, I think, cleaned) but... Virtumonde.dll is giving me a hard time!
I ran HJT and have the log file for it.
I ran ComboFix and have the log file for it as well.
ComboFix, in its "how to", instructs you to turn off basically everything, which I did.
A side effect of this is that Symantec AV10 is now impossible to restart.
Thanks for all the help you can provide and greetings from Italy.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.17.29, on 09/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\HPQ\IAM\bin\asghost.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programmi\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programmi\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programmi\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: wmhakf.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8562 bytes
ComboFix 08-09-05.10 - Nik & Ely 2008-09-09 14.33.57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.152 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Nik & Ely\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\egjcudqv.dll
C:\WINDOWS\system32\fxwauofh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nlegfqwe.ini
C:\WINDOWS\system32\tAHOonmp.ini
C:\WINDOWS\system32\tAHOonmp.ini2
C:\WINDOWS\system32\vqducjge.ini
C:\WINDOWS\system32\vtUooliJ.dll
C:\WINDOWS\system32\wmhakf.dll
C:\WINDOWS\system32\yelberpj.ini
.
((((((((((((((((((((((((( Files Creati Da 2008-08-09 al 2008-09-09 )))))))))))))))))))))))))))))))))))
.
2008-09-09 14:16 . 2008-09-09 14:16 <DIR> d-------- C:\Programmi\Trend Micro
2008-09-09 13:06 . 2008-09-09 13:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-09 08:39 . 2008-09-09 08:39 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\VSRevoGroup
2008-09-09 01:14 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Risorse di stampa
2008-09-09 01:14 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Risorse di rete
2008-09-09 01:14 . 2008-09-09 01:15 <DIR> dr------- C:\Documents and Settings\Nik & Ely\Preferiti
2008-09-09 01:14 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Modelli
2008-09-09 01:14 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Nik & Ely\Menu Avvio
2008-09-09 01:14 . 2008-09-09 10:47 <DIR> d--h----- C:\Documents and Settings\Nik & Ely\Impostazioni locali
2008-09-09 01:14 . 2008-09-09 01:15 <DIR> dr------- C:\Documents and Settings\Nik & Ely\Documenti
2008-09-09 01:14 . 2006-09-21 12:58 <DIR> d-------- C:\Documents and Settings\Nik & Ely\Dati applicazioni\SampleView
2008-09-09 01:14 . 2008-09-09 14:15 <DIR> dr-h----- C:\Documents and Settings\Nik & Ely\Dati applicazioni
2008-09-09 01:14 . 2008-09-09 01:14 <DIR> d-------- C:\Documents and Settings\Nik & Ely
2008-09-08 22:16 . 2008-09-08 22:19 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
2008-09-08 22:16 . 2008-09-08 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-09-08 22:02 . 2008-09-08 22:02 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\VSRevoGroup
2008-09-08 21:57 . 2008-09-08 21:57 <DIR> d-------- C:\Programmi\VS Revo Group
2008-09-08 21:38 . 2008-09-08 21:38 0 --a------ C:\WINDOWS\VPC32.INI
2008-09-08 15:24 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-08 15:24 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-08 15:21 . 2008-09-08 15:27 <DIR> d-------- C:\Programmi\Symantec
2008-09-08 15:19 . 2008-09-09 14:31 <DIR> d-------- C:\Programmi\Symantec AntiVirus
2008-09-08 15:12 . 2008-09-08 15:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\SampleView
2008-09-08 14:44 . 2008-09-08 14:46 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-09-08 14:44 . 2008-09-08 14:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-06 18:36 . 2008-09-06 18:36 322,048 --a------ C:\WINDOWS\system32\pmnoOHAt.dll
2008-09-06 18:30 . 2008-09-06 18:41 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\TmpRecentIcons
2008-09-03 22:12 . 2008-09-03 22:12 268 --ah----- C:\sqmdata18.sqm
2008-09-03 22:12 . 2008-09-03 22:12 244 --ah----- C:\sqmnoopt18.sqm
2008-09-03 16:44 . 2008-09-03 16:44 268 --ah----- C:\sqmdata17.sqm
2008-09-03 16:44 . 2008-09-03 16:44 244 --ah----- C:\sqmnoopt17.sqm
2008-09-03 06:00 . 2008-09-03 06:00 268 --ah----- C:\sqmdata16.sqm
2008-09-03 06:00 . 2008-09-03 06:00 244 --ah----- C:\sqmnoopt16.sqm
2008-08-21 19:35 . 2008-08-21 19:35 <DIR> d-------- C:\Program Files
2008-08-20 11:29 . 2008-09-05 13:06 <DIR> d-------- C:\Programmi\EA GAMES
2008-08-20 11:29 . 2008-03-13 03:10 445,504 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-08-19 18:30 . 2008-08-19 18:30 268 --ah----- C:\sqmdata15.sqm
2008-08-19 18:30 . 2008-08-19 18:30 244 --ah----- C:\sqmnoopt15.sqm
2008-08-19 16:27 . 2008-08-19 17:27 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-08-19 16:27 . 2008-08-19 16:27 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Pogo Games
2008-08-19 16:26 . 2008-08-19 17:50 <DIR> d-------- C:\Programmi\Oberon Media
2008-08-19 10:43 . 2008-08-19 10:43 268 --ah----- C:\sqmdata14.sqm
2008-08-19 10:43 . 2008-08-19 10:43 244 --ah----- C:\sqmnoopt14.sqm
2008-08-18 18:36 . 2008-08-18 18:36 268 --ah----- C:\sqmdata13.sqm
2008-08-18 18:36 . 2008-08-18 18:36 244 --ah----- C:\sqmnoopt13.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 10:27 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-09-09 10:27 --------- d-----w C:\Programmi\InterVideo
2008-09-09 10:25 --------- d-----w C:\Programmi\Windows Live Toolbar
2008-09-08 21:57 --------- d-----w C:\Programmi\Java
2008-09-08 13:31 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-09-08 13:19 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-09-08 12:54 --------- d-----w C:\Programmi\Canon
2008-09-08 08:27 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Spyware Terminator
2008-08-07 15:41 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-08-07 15:41 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-08-01 14:04 --------- d-----w C:\Programmi\Netlog Photo Tool
2008-08-01 12:13 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\ArcSoft
2008-07-22 00:01 --------- d-----w C:\Programmi\Ubisoft
2008-07-18 18:38 586,752 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-14 07:36 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-13 23:14 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Thinstall
2008-07-13 14:48 --------- d-----w C:\Programmi\File comuni\Sonic Shared
2008-07-13 14:47 --------- d-----w C:\Programmi\Sonic
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{537C9B85-09E8-4092-BC74-9AC04BF4A1CE}]
2008-09-06 18:36 322048 --a------ C:\WINDOWS\system32\pmnoOHAt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PTHOSTTR"="C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"HP Software Update"="C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784]
"hpWirelessAssistant"="C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"QlbCtrl"="C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"Cpqset"="C:\Programmi\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"SSBkgdUpdate"="C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="C:\Programmi\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2008-05-08 212992]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
BTTray.lnk - C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-02-15 581693]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 20:41 40960 C:\Programmi\HPQ\IAM\Bin\AsWlnPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wmhakf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"14845d23"=rundll32.exe "C:\WINDOWS\system32\egjcudqv.dll",b
"WatchDog"=C:\Programmi\InterVideo\DVD Check\DVDCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62954:TCP"= 62954:TCP:emule
"56694:UDP"= 56694:UDP:emule
R2 ASChannel;Canale di comunicazione locale;C:\WINDOWS\System32\svchost.exe [2004-08-19 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
- - - - ORFÃOS REMOVIDOS - - - -
BHO-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\vtUooliJ.dll
ShellExecuteHooks-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\vtUooliJ.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Nik & Ely\Dati applicazioni\Mozilla\Firefox\Profiles\x6lkhnf5.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 14:39:57
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programmi\HPQ\Default Settings\cpqset.exe?????????? ???@???????????????@??????W??????(?@???????@
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\HPQ\IAM\Bin\asghost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Ora fine scansione: 2008-09-09 14:43:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-09 12:43:11
Pre-Run: 36,411,506,688 byte disponibili
Post-Run: 36,328,189,952 byte disponibili
200 --- E O F --- 2008-08-19 08:11:58
2008-09-08 15:12 . 2008-09-08 15:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-09-08 14:44 . 2008-05-08 22:54 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-09-08 14:44 . 2006-09-21 12:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\SampleView
2008-09-08 14:44 . 2008-09-08 14:46 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-09-08 14:44 . 2008-09-08 14:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-06 18:36 . 2008-09-06 18:36 322,048 --a------ C:\WINDOWS\system32\pmnoOHAt.dll
2008-09-06 18:30 . 2008-09-06 18:41 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\TmpRecentIcons
2008-09-03 22:12 . 2008-09-03 22:12 268 --ah----- C:\sqmdata18.sqm
2008-09-03 22:12 . 2008-09-03 22:12 244 --ah----- C:\sqmnoopt18.sqm
2008-09-03 16:44 . 2008-09-03 16:44 268 --ah----- C:\sqmdata17.sqm
2008-09-03 16:44 . 2008-09-03 16:44 244 --ah----- C:\sqmnoopt17.sqm
2008-09-03 06:00 . 2008-09-03 06:00 268 --ah----- C:\sqmdata16.sqm
2008-09-03 06:00 . 2008-09-03 06:00 244 --ah----- C:\sqmnoopt16.sqm
2008-08-21 19:35 . 2008-08-21 19:35 <DIR> d-------- C:\Program Files
2008-08-20 11:29 . 2008-09-05 13:06 <DIR> d-------- C:\Programmi\EA GAMES
2008-08-20 11:29 . 2008-03-13 03:10 445,504 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-08-19 18:30 . 2008-08-19 18:30 268 --ah----- C:\sqmdata15.sqm
2008-08-19 18:30 . 2008-08-19 18:30 244 --ah----- C:\sqmnoopt15.sqm
2008-08-19 16:27 . 2008-08-19 17:27 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-08-19 16:27 . 2008-08-19 16:27 <DIR> d-------- C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Pogo Games
2008-08-19 16:26 . 2008-08-19 17:50 <DIR> d-------- C:\Programmi\Oberon Media
2008-08-19 10:43 . 2008-08-19 10:43 268 --ah----- C:\sqmdata14.sqm
2008-08-19 10:43 . 2008-08-19 10:43 244 --ah----- C:\sqmnoopt14.sqm
2008-08-18 18:36 . 2008-08-18 18:36 268 --ah----- C:\sqmdata13.sqm
2008-08-18 18:36 . 2008-08-18 18:36 244 --ah----- C:\sqmnoopt13.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 10:27 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-09-09 10:27 --------- d-----w C:\Programmi\InterVideo
2008-09-09 10:25 --------- d-----w C:\Programmi\Windows Live Toolbar
2008-09-08 21:57 --------- d-----w C:\Programmi\Java
2008-09-08 13:31 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-09-08 13:19 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-09-08 12:54 --------- d-----w C:\Programmi\Canon
2008-09-08 08:27 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Spyware Terminator
2008-08-07 15:41 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-08-07 15:41 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-08-01 14:04 --------- d-----w C:\Programmi\Netlog Photo Tool
2008-08-01 12:13 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\ArcSoft
2008-07-22 00:01 --------- d-----w C:\Programmi\Ubisoft
2008-07-18 18:38 586,752 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-14 07:36 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-13 23:14 --------- d-----w C:\Documents and Settings\alicetuttoincluso\Dati applicazioni\Thinstall
2008-07-13 14:48 --------- d-----w C:\Programmi\File comuni\Sonic Shared
2008-07-13 14:47 --------- d-----w C:\Programmi\Sonic
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{537C9B85-09E8-4092-BC74-9AC04BF4A1CE}]
2008-09-06 18:36 322048 --a------ C:\WINDOWS\system32\pmnoOHAt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PTHOSTTR"="C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"HP Software Update"="C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784]
"hpWirelessAssistant"="C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"QlbCtrl"="C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"Cpqset"="C:\Programmi\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"SSBkgdUpdate"="C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="C:\Programmi\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2008-05-08 212992]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
BTTray.lnk - C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-02-15 581693]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 20:41 40960 C:\Programmi\HPQ\IAM\Bin\AsWlnPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wmhakf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"14845d23"=rundll32.exe "C:\WINDOWS\system32\egjcudqv.dll",b
"WatchDog"=C:\Programmi\InterVideo\DVD Check\DVDCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62954:TCP"= 62954:TCP:emule
"56694:UDP"= 56694:UDP:emule
R2 ASChannel;Canale di comunicazione locale;C:\WINDOWS\System32\svchost.exe [2004-08-19 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
- - - - ORFÇOS REMOVIDOS - - - -
BHO-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\vtUooliJ.dll
ShellExecuteHooks-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\vtUooliJ.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Nik & Ely\Dati applicazioni\Mozilla\Firefox\Profiles\x6lkhnf5.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 14:39:57
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programmi\HPQ\Default Settings\cpqset.exe?????????? ???@???????????????@??????W??????(?@???????@
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\HPQ\IAM\Bin\asghost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Ora fine scansione: 2008-09-09 14:43:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-09 12:43:11
Pre-Run: 36,411,506,688 byte disponibili
Post-Run: 36,328,189,952 byte disponibili
200 --- E O F --- 2008-08-19 08:11:58