help fraud.internetsecurity2011



spybotalx
2011-03-12, 14:06
Hi everybody! I got this malware and I tried to clean my PC with Spybot. It cleaned almost everything in the registry except some entries that I can't delete, even when making Spybot start at boot. This is the results log of Spybot:

--- Search result list ---
Fraud.InternetSecurity2011: [SBI $D14AADAC] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $D3A45776] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $95A8AE49] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT

Fraud.InternetSecurity2011: [SBI $DF31D93D] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2004-04-27 unins000.exe (51.13.0.0)
2009-04-05 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2011-02-24 Includes\Adware.sbi (*)
2011-03-08 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-08 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-03 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-08 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-08 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


I even tried to run the DDS tool (as per the posting instructions), but it runs until about 3/4 of the total and then freezes my PC, and I have to reboot. Anyway, I backed up my registry with ERUNT.
I even removed all the files as per the instructions page http://forums.spybot.info/showthread.php?t=61708
Now the system is apparently clean, but my doubt is that this malware has created other files in the system with other names, and above all I'm worried about those registry entries I can't delete.
Can anyone help me resolve this problem?
Thanks.
Alessandro


p.s.
you can also contact me at
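
A triage helper for the Spybot result list in the post above, added here as an example (it is not part of the original post and not Spybot's own code): it parses each detection, keeps the ones marked "fixing failed", and collapses the numbered control sets so the four failures read as two registry keys, each present under ControlSet001 and ControlSet002. The function names and the `ControlSet*` notation are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: the search result list copied from the post above,
# followed by the version banner that ends the list.
SAMPLE_LOG = r"""--- Search result list ---
Fraud.InternetSecurity2011: [SBI $D14AADAC] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $D3A45776] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $95A8AE49] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT

Fraud.InternetSecurity2011: [SBI $DF31D93D] Impostazioni (Chiave di registro, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
"""

# Detection header: "<threat>: [SBI $<8 hex>] <category> (<detail>)".
# The category and detail text are localized (Italian in this log).
HEADER = re.compile(
    r"^(?P<threat>[^:\[\]]+): \[SBI \$(?P<sbi>[0-9A-Fa-f]{8})\] "
    r"(?P<category>[^(]*)\((?P<detail>[^)]*)\)\s*$"
)
CONTROL_SET = re.compile(r"\\ControlSet(\d{3})\\", re.IGNORECASE)

# Assumption: the failure marker is the literal text seen in this log;
# other outcome strings do not appear on the page and are not handled.
FAILED_MARKER = "fixing failed"


def parse_results(text):
    """Return one dict per detection: threat, sbi, category, detail, failed, path."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = {
                "threat": match.group("threat").strip(),
                "sbi": match.group("sbi").upper(),
                "category": match.group("category").strip(),
                "detail": match.group("detail").strip(),
                "failed": FAILED_MARKER in match.group("detail").lower(),
                "path": None,
            }
            entries.append(current)
        elif line.startswith("---"):
            # Section banner: no detection is open any more.
            current = None
        elif line and current is not None and current["path"] is None:
            # First non-empty line after a header is the affected item.
            current["path"] = line
    return entries


def group_failed_keys(entries):
    """Map each failed key, with its control set wildcarded, to the sets it appears in."""
    groups = defaultdict(set)
    for entry in entries:
        if not entry["failed"] or not entry["path"]:
            continue
        sets = CONTROL_SET.findall(entry["path"])
        normalized = CONTROL_SET.sub(lambda m: "\\ControlSet*\\", entry["path"])
        groups[normalized].update(sets)
    return {key: sorted(found) for key, found in groups.items()}


if __name__ == "__main__":
    for key, control_sets in group_failed_keys(parse_results(SAMPLE_LOG)).items():
        print(key, "-> control sets", ", ".join(control_sets))
```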

Cypher
2011-03-13, 18:46
Hi and welcome to Safer Networking Forums.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not solve other issues you have with your machine.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.

The instructions being given are for YOUR computer and system only!
Using these instructions on a different computer can damage that computer and possibly make it inoperable!
If you don't know or understand something, please don't hesitate to ask.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
Absence of symptoms does not mean that everything is clear.
Please DO NOT run any other tools or scans whilst I am helping you.
Please DO NOT install any other software (or hardware) during the cleaning process.
Print each set of instructions if possible... your Internet connection will not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic, "READ this Procedure BEFORE Requesting Assistance" (http://forums.spybot.info/showthread.php?t=288), where the conditions for receiving help here are explained.

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to back up any personal files and folders before you start.
Backup Made Easy - XP (http://www.microsoft.com/windowsxp/using/setup/learnmore/bott_03july14.mspx)
How to backup your data - Vista (http://www.vista4beginners.com/How-to-backup-your-data)
Backup your data - Windows 7 (http://support.microsoft.com/kb/971759)


See if you can run the below scans.

Please download RogueKiller.exe (http://tigzy.geekstogo.com/Tools/RogueKiller.exe) and save it to your desktop.

Now quit all running programs.
Double click RogueKiller.exe to run it.
When prompted, type 1 and hit Enter.
A RKreport.txt should appear on your desktop.
Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
Please post the contents of the RKreport.txt in your next Reply.

Next.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

RSIT (Random's System Information Tool)

Please download RSIT (http://images.malwareremoval.com/random/RSIT.exe) by random/random... and save it to your desktop.

Double click on RSIT.exe to run it.
Please read the disclaimer... click on Continue.
RSIT will start running. When done, 2 log files will be produced.
The first one, "log.txt", will be maximized.
The second one, "info.txt", will be minimized.
Please post the contents of both files, "log.txt" and "info.txt", in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)


Logs/Information to Post in your Next Reply


RKreport.txt.
Malwarebytes log.
RSIT log.txt and info.txt contents.
Please give me an update on how your computer is performing.

spybotalx
2011-03-14, 01:40
Hi Cypher. First of all, thanks for helping me. I followed all the instructions you gave me, and here is the information you need:

RKreport[1].txt content:

RogueKiller V4.3.0 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: alx [Admin rights]
Mode: Scan -- Date : 03/14/2011 00:35:20

Bad processes: 0

Registry Entries: 1
[BLACKLIST] HKLM\[...]\Root : LEGACY_USERINIT () -> FOUND

HOSTS File:
127.0.0.1 localhost
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt



Malwarebytes log content (mbam-log-2011-03-14 (01-01-46).txt):
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versione database: 6046

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

14/03/2011 1.01.46
mbam-log-2011-03-14 (01-01-46).txt

Tipo di scansione: Scansione veloce (quick scan)
Elementi esaminati: 138497
Tempo trascorso (elapsed time): 6 minuti, 0 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
(infected registry keys) Chiavi di registro infette: 1
(infected registry values)Valori di registro infetti: 4
(infected entries in registry data)Voci infette nei dati di registro: 0
(infected folders) Cartelle infette: 0
File infetti: 0

Processi infetti in memoria:
(No harmful elements detected)(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(No harmful elements detected)(Non sono stati rilevati elementi nocivi)

(infected registry keys) Chiavi di registro infette:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

(infected registry values) Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Value: bf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Value: bk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Value: iu -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Value: mu -> Quarantined and deleted successfully.

(infected entries in registry data) Voci infette nei dati di registro:
(No harmful elements detected)(Non sono stati rilevati elementi nocivi)

(infected folders)Cartelle infette:
(No harmful elements detected)(Non sono stati rilevati elementi nocivi)

File infetti:
(No harmful elements detected)(Non sono stati rilevati elementi nocivi)


RSIT log.txt content

Logfile of random's system information tool 1.08 (written by random/random)
Run by alx at 2011-03-14 01:08:40
Microsoft Windows XP Professional Service Pack 2
System drive L: has 70 GB (76%) free of 92 GB
Total RAM: 511 MB (37% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1.09.51, on 14/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
L:\WINDOWS\System32\smss.exe
L:\WINDOWS\system32\winlogon.exe
L:\WINDOWS\system32\services.exe
L:\WINDOWS\system32\lsass.exe
L:\WINDOWS\system32\Ati2evxx.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\system32\Ati2evxx.exe
L:\WINDOWS\Explorer.EXE
L:\WINDOWS\system32\spoolsv.exe
L:\Programmi\ICQ6Toolbar\ICQ Service.exe
L:\Programmi\Java\jre6\bin\jqs.exe
L:\Programmi\McAfee\Common Framework\FrameworkService.exe
L:\Programmi\McAfee\VirusScan Enterprise\Mcshield.exe
L:\Programmi\McAfee\VirusScan Enterprise\VsTskMgr.exe
L:\WINDOWS\system32\slserv.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\system32\wscntfy.exe
L:\WINDOWS\system32\RunDll32.exe
L:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
L:\WINDOWS\vsnpstd3.exe
L:\WINDOWS\tsnpstd3.exe
L:\Programmi\File comuni\Java\Java Update\jusched.exe
L:\Programmi\McAfee\Common Framework\UdaterUI.exe
L:\Programmi\McAfee\VirusScan Enterprise\SHSTAT.EXE
L:\WINDOWS\system32\ctfmon.exe
L:\Programmi\Messenger\msmsgs.exe
L:\Programmi\Babylon\Babylon.exe
L:\Programmi\Skype\Phone\Skype.exe
L:\WINDOWS\System32\svchost.exe
L:\Programmi\McAfee\Common Framework\McTray.exe
L:\WINDOWS\system32\dllhost.exe
L:\Documents and Settings\alx\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
L:\Documents and Settings\alx\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
L:\Documents and Settings\alx\Documenti\Downloads\RSIT.exe
L:\Programmi\trend micro\alx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - L:\Programmi\ICQ6Toolbar\20101029021540\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - L:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - L:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - L:\Programmi\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - L:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - L:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - L:\Programmi\ICQ6Toolbar\20101029021540\ICQToolBar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "L:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "L:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] L:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] L:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [tsnpstd3] L:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "L:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "L:\Programmi\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "L:\Programmi\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] L:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "L:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Babylon Translator] L:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [Google Update] "L:\Documents and Settings\alx\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "L:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] L:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] "L:\Programmi\File comuni\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://L:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - L:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - L:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - L:\Programmi\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - L:\Programmi\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} (Java Plug-in 1.6.0_19) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E1D8D2F-4EFD-4714-80A7-D409F75FACD2}: NameServer = 192.168.1.254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - L:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - L:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - L:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - L:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - L:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - L:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ICQ Service - Unknown owner - L:\Programmi\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - L:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - L:\Programmi\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - L:\Programmi\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - L:\Programmi\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - L:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - L:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7943 bytes

======Scheduled tasks folder======

L:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1214440339-682003330-1003Core.job
L:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1214440339-682003330-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Supporto di collegamento per Adobe PDF Reader - L:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - L:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - L:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-26 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - L:\Programmi\McAfee\VirusScan Enterprise\scriptcl.dll [2006-11-30 67136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - L:\Programmi\Java\jre6\bin\jp2ssv.dll [2010-11-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - L:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-11-20 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{855F3B16-6D32-4FE6-8A56-BBB695989046} - ICQToolBar - L:\Programmi\ICQ6Toolbar\20101029021540\ICQToolBar.dll [2010-10-04 1049912]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"=L:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd []
"Adobe Reader Speed Launcher"=L:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"GrooveMonitor"=L:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-26 31016]
"NeroFilterCheck"=L:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"snpstd3"=L:\WINDOWS\vsnpstd3.exe [2006-09-19 827392]
"tsnpstd3"=L:\WINDOWS\tsnpstd3.exe [2007-03-10 270336]
"SunJavaUpdateSched"=L:\Programmi\File comuni\Java\Java Update\jusched.exe [2010-05-14 248552]
"McAfeeUpdaterUI"=L:\Programmi\McAfee\Common Framework\UdaterUI.exe [2006-12-19 136768]
"ShStatEXE"=L:\Programmi\McAfee\VirusScan Enterprise\SHSTAT.EXE [2007-02-22 112216]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=L:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe [2010-12-20 443728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=L:\WINDOWS\system32\ctfmon.exe [2004-08-19 15360]
"MSMSGS"=L:\Programmi\Messenger\msmsgs.exe [2004-08-19 1667584]
"Babylon Translator"=L:\Programmi\Babylon\Babylon.exe [2001-04-27 1896448]
"Google Update"=L:\Documents and Settings\alx\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-07-29 133104]
"Skype"=L:\Programmi\Skype\Phone\Skype.exe [2010-03-09 26100520]
"SpybotSD TeaTimer"=L:\Programmi\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"AdobeUpdater"=L:\Programmi\File comuni\Adobe\Updater5\AdobeUpdater.exe [2011-03-14 2356088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\L:^Documents and Settings^alx^Menu Avvio^Programmi^Esecuzione automatica^Check for TWS Updates.lnk]
L:\PROGRA~1\Jts\WiseUpdt.exe [2006-11-08 194775]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
L:\WINDOWS\system32\Ati2evxx.dll [2006-05-03 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - L:\WINDOWS\system32\WPDShServiceObj.dll [2006-08-24 133120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=L:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-26 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"L:\WINDOWS\system32\sessmgr.exe"="L:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"L:\Programmi\Microsoft Office\Office12\GROOVE.EXE"="L:\Programmi\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"L:\Programmi\Microsoft Office\Office12\ONENOTE.EXE"="L:\Programmi\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"L:\Programmi\McAfee\Common Framework\FrameworkService.exe"="L:\Programmi\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"L:\Programmi\ICQ6.5\ICQ.exe"="L:\Programmi\ICQ6.5\ICQ.exe:*:Enabled:ICQ.exe"
"L:\Programmi\Skype\Plugin Manager\skypePM.exe"="L:\Programmi\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"L:\Programmi\Skype\Phone\Skype.exe"="L:\Programmi\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"L:\Programmi\ICQ6.5\ICQ.exe"="L:\Programmi\ICQ6.5\ICQ.exe:*:Enabled:ICQ.exe"

======List of files/folders created in the last 2 months======

2011-03-14 01:08:48 ----D---- L:\Programmi\trend micro
2011-03-14 01:08:40 ----D---- L:\rsit
2011-03-14 00:49:45 ----D---- L:\Documents and Settings\alx\Dati applicazioni\Malwarebytes
2011-03-14 00:49:35 ----A---- L:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-03-14 00:49:34 ----D---- L:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2011-03-14 00:49:30 ----D---- L:\Programmi\Malwarebytes' Anti-Malware
2011-03-14 00:49:30 ----A---- L:\WINDOWS\system32\drivers\mbam.sys
2011-03-13 21:05:22 ----D---- L:\WINDOWS\system32\NtmsData
2011-03-12 10:37:54 ----D---- L:\WINDOWS\ERDNT
2011-03-12 10:35:23 ----D---- L:\Programmi\ERUNT
2011-03-12 02:32:44 ----D---- L:\Programmi\totalcmd
2011-03-12 02:32:44 ----D---- L:\Documents and Settings\alx\Dati applicazioni\GHISLER
2011-03-12 02:32:44 ----A---- L:\WINDOWS\UC.PIF
2011-03-12 02:32:44 ----A---- L:\WINDOWS\RAR.PIF
2011-03-12 02:32:44 ----A---- L:\WINDOWS\PKZIP.PIF
2011-03-12 02:32:44 ----A---- L:\WINDOWS\PKUNZIP.PIF
2011-03-12 02:32:44 ----A---- L:\WINDOWS\NOCLOSE.PIF
2011-03-12 02:32:44 ----A---- L:\WINDOWS\LHA.PIF
2011-03-12 02:32:44 ----A---- L:\WINDOWS\ARJ.PIF
2011-03-12 01:14:55 ----D---- L:\Documents and Settings\alx\Dati applicazioni\Safer Networking
2011-03-09 19:22:45 ----D---- L:\WINDOWS\pss
2011-03-09 01:09:00 ----D---- L:\Documents and Settings\alx\Dati applicazioni\Uniblue
2011-03-08 22:32:39 ----D---- L:\Programmi\CCleaner
2011-03-07 23:01:11 ----D---- L:\Documents and Settings\All Users\Dati applicazioni\TEMP
2011-03-07 22:28:52 ----D---- L:\Programmi\VEXPLite
2011-03-07 21:53:02 ----ASH---- L:\hiberfil.sys
2011-02-27 19:42:22 ----A---- L:\WINDOWS\ib.ini
2011-02-27 19:42:19 ----A---- L:\WINDOWS\GetIe.dll
2011-02-27 19:42:15 ----D---- L:\Programmi\Jts

======List of files/folders modified in the last 2 months======

2011-03-14 01:08:59 ----D---- L:\WINDOWS\Prefetch
2011-03-14 01:08:48 ----RD---- L:\Programmi
2011-03-14 01:08:11 ----D---- L:\Documents and Settings\alx\Dati applicazioni\Skype
2011-03-14 00:49:35 ----D---- L:\WINDOWS\system32\drivers
2011-03-14 00:31:56 ----D---- L:\WINDOWS\Temp
2011-03-14 00:28:41 ----D---- L:\WINDOWS\Internet Logs
2011-03-13 23:40:14 ----SD---- L:\WINDOWS\Tasks
2011-03-13 22:53:46 ----D---- L:\WINDOWS
2011-03-13 22:53:45 ----D---- L:\WINDOWS\system32\CatRoot2
2011-03-13 22:53:41 ----D---- L:\WINDOWS\repair
2011-03-13 22:53:33 ----D---- L:\WINDOWS\Registration
2011-03-13 21:05:22 ----D---- L:\WINDOWS\system32
2011-03-13 21:05:21 ----SD---- L:\Documents and Settings\All Users\Dati applicazioni\Microsoft
2011-03-12 13:17:36 ----D---- L:\Programmi\Babylon
2011-03-12 12:07:47 ----A---- L:\WINDOWS\SchedLgU.Txt
2011-03-12 12:02:51 ----D---- L:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2011-03-10 00:27:21 ----D---- L:\WINDOWS\system32\drivers\etc
2011-03-10 00:06:22 ----D---- L:\Documents and Settings\alx\Dati applicazioni\skypePM
2011-03-09 20:53:04 ----SHD---- L:\WINDOWS\Installer
2011-03-09 20:45:15 ----D---- L:\Programmi\File comuni
2011-03-09 00:47:26 ----D---- L:\WINDOWS\Debug
2011-03-09 00:47:25 ----D---- L:\WINDOWS\Minidump
2011-03-08 20:36:03 ----SD---- L:\WINDOWS\Downloaded Program Files
2011-03-08 20:36:03 ----RSD---- L:\WINDOWS\Fonts
2011-03-07 23:07:24 ----D---- L:\WINDOWS\WinSxS
2011-03-07 21:29:08 ----A---- L:\WINDOWS\UEDIT32.INI
2011-03-07 04:27:09 ----RSHDC---- L:\WINDOWS\system32\dllcache
2011-03-07 01:56:23 ----A---- L:\WINDOWS\Wininit.ini
2011-03-06 19:49:20 ----D---- L:\QUARANTINE
2011-02-17 20:02:38 ----A---- L:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 gagp30kx;Filtro Microsoft AGPv3.0 generico per piattaforme processore K8; L:\WINDOWS\system32\DRIVERS\gagp30kx.sys [2004-08-04 46464]
R0 hotcore3;hotcore3; L:\WINDOWS\system32\drivers\hotcore3.sys [2008-06-25 40368]
R0 RecAgent;RecAgent; L:\WINDOWS\system32\DRIVERS\RecAgent.sys [2004-08-03 13776]
R0 srescan;srescan; L:\WINDOWS\system32\ZoneLabs\srescan.sys [2008-02-27 51176]
R1 AmdK7;Driver del processore AMD K7; L:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-19 41472]
R1 mferkdk;VSCore mferkdk; \??\L:\Programmi\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; L:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
R1 Uim_IM;UIM Drive Backup Image Plugin; L:\WINDOWS\System32\Drivers\Uim_IM.sys [2007-11-06 131672]
R1 UimBus;Universal Image Mounter Controller; L:\WINDOWS\system32\DRIVERS\UimBus.sys [2007-11-06 32080]
R1 vsdatant;vsdatant; L:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952]
R3 Afc;PPdus ASPI Shell; L:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 ati2mtag;ati2mtag; L:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-05-03 1540608]
R3 cmuda;C-Media WDM Audio Interface; L:\WINDOWS\system32\drivers\cmuda.sys [2003-08-20 740992]
R3 hidusb;Driver di classe HID Microsoft; L:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-19 9600]
R3 mfeapfk;McAfee Inc.; L:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; L:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; L:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; L:\WINDOWS\system32\drivers\mfehidk.sys [2007-02-22 170408]
R3 MODEMCSA;Periferica filtro flusso Unimodem; L:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Driver di mouse HID; L:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-19 12160]
R3 Mtlmnt5;Mtlmnt5; L:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys [2004-08-03 126686]
R3 rtl8139;Driver NT scheda Fast Ethernet PCI Realtek basata su RTL8139; L:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SISNIC;Driver per scheda Fast Ethernet PCI SiS; L:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 Slntamr;Smart Link 56K Modem Driver; L:\WINDOWS\system32\DRIVERS\slntamr.sys [2004-08-03 404990]
R3 SlWdmSup;SlWdmSup; L:\WINDOWS\system32\DRIVERS\SlWdmSup.sys [2004-08-03 13240]
R3 SNPSTD3;USB PC Camera (SNPSTD3); L:\WINDOWS\system32\DRIVERS\snpstd3.sys [2007-03-26 10252544]
R3 USBSTOR;Driver archiviazione di massa USB; L:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 CCDECODE;Decoder sottotitoli codificati; L:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 MSTEE;Convertitore a T/Sito a sito per flusso Microsoft; L:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 Mtlstrm;Mtlstrm; L:\WINDOWS\system32\DRIVERS\Mtlstrm.sys [2004-08-03 1309184]
S3 NABTSFEC;NABTS/FEC VBI Codec; L:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Connesione TV/Video Microsoft; L:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NtMtlFax;NtMtlFax; L:\WINDOWS\system32\DRIVERS\NtMtlFax.sys [2004-08-03 180360]
S3 SLIP;BDA Slip De-Framer; L:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SlNtHal;SlNtHal; L:\WINDOWS\system32\DRIVERS\Slnthal.sys [2004-08-03 95424]
S3 streamip;BDA IPSink; L:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbscan;Driver scanner USB; L:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WSTCODEC;Codec World Standard Teletext; L:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 WS2IFSL;Ambiente di supporto del provider del Servizio Non-IFS di Windows Socket 2.0; L:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-19 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; L:\WINDOWS\system32\Ati2evxx.exe [2006-05-03 413696]
R2 ICQ Service;ICQ Service; L:\Programmi\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]
R2 JavaQuickStarterService;Java Quick Starter; L:\Programmi\Java\jre6\bin\jqs.exe [2010-09-15 153376]
R2 McAfeeFramework;McAfee Framework Service; L:\Programmi\McAfee\Common Framework\FrameworkService.exe [2006-12-19 104000]
R2 McShield;McAfee McShield; L:\Programmi\McAfee\VirusScan Enterprise\Mcshield.exe [2007-02-22 144960]
R2 McTaskManager;McAfee Task Manager; L:\Programmi\McAfee\VirusScan Enterprise\VsTskMgr.exe [2007-02-22 54872]
R2 SLService;SmartLinkService; L:\WINDOWS\system32\slserv.exe [2004-08-19 73796]
S2 ATI Smart;ATI Smart; L:\WINDOWS\system32\ati2sgag.exe [2006-05-03 520192]
S2 vsmon;TrueVector Internet Monitor; L:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
S3 aspnet_state;ASP.NET State Service; L:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; l:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; L:\Programmi\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-26 65824]
S3 odserv;Microsoft Office Diagnostics Service; L:\Programmi\File comuni\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; L:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------


in next reply the content of info.txt; the computer is apparently performing well (like before)
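Added example (not part of the thread and not RSIT's own code): a small parser for the driver and service lines in the log.txt above, decoding the state and start-type codes with the legend RSIT prints. The line layout is inferred from the lines on this page, the sample lines are copied from that log, and the triage rules are hypothetical review hints; empty brackets are assumed to mean that no file date and size were recorded.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legend from the log: R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled
STATE = {"R": "Running", "S": "Stopped"}
START = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Layout inferred from the log: <state><start> <name>;<display name>; <image path> [<date> <size>]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Lines copied from the log.txt posted above (header line included on purpose).
SAMPLE = r"""
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 mferkdk;VSCore mferkdk; \??\L:\Programmi\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 vsdatant;vsdatant; L:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952]
S2 vsmon;TrueVector Internet Monitor; L:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
R2 McShield;McAfee McShield; L:\Programmi\McAfee\VirusScan Enterprise\Mcshield.exe [2007-02-22 144960]
S4 WS2IFSL;Ambiente di supporto del provider del Servizio Non-IFS di Windows Socket 2.0; L:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-19 12032]
"""


@dataclass
class Entry:
    state: str                 # "Running" or "Stopped"
    start: str                 # "Boot", "System", "Auto", "Demand" or "Disabled"
    name: str                  # service or driver key name
    display: str               # display name
    path: str                  # image path, NT "\??\" prefix removed
    file_date: Optional[str]   # None when the brackets are empty
    size: Optional[int]        # None when the brackets are empty


def parse_line(line: str) -> Optional[Entry]:
    """Parse one driver/service line; return None for headers, blanks and EOF markers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):      # NT object-namespace prefix in front of the drive letter
        path = path[4:]
    meta = m.group("meta").split()
    has_meta = len(meta) == 2 and meta[1].isdigit()
    return Entry(
        state=STATE[m.group("state")],
        start=START[m.group("start")],
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=path,
        file_date=meta[0] if has_meta else None,
        size=int(meta[1]) if has_meta else None,
    )


def parse_log(text: str) -> List[Entry]:
    """Return every driver/service entry found in a pasted log."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Hypothetical review hints: entries worth a second look, not verdicts."""
    findings = []
    for e in entries:
        if e.file_date is None:
            findings.append((e.name, "no file date/size recorded"))
        if e.start == "Auto" and e.state == "Stopped":
            findings.append((e.name, "auto-start but stopped"))
        if e.start == "Disabled" and e.state == "Running":
            findings.append((e.name, "running although disabled"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_log(SAMPLE)):
        print(f"{name}: {reason}")
```

On the sample, the stopped auto-start vsmon entry lines up with the "FW: ZoneAlarm Firewall (disabled)" line in the info.txt posted later in the thread.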

spybotalx
2011-03-14, 01:51
Hi and welcome to Safer Networking Forums.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not solve other issues you have with your machine.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.

The instructions being given are for YOUR computer and system only!
Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
If you don't know or understand something, please don't hesitate to ask.
Only post your problem at one help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread, do not start another. Please continue responding until I give you the "All Clean".
Absence of symptoms does not mean that everything is clear.
Please DO NOT run any other tools or scans whilst I am helping you.
Please DO NOT install any other software (or hardware) during the cleaning process.
Print each set of instructions... if possible...your Internet connection will not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic READ this Procedure BEFORE Requesting Assistance (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.

Because of this, I advise you to backup any personal files and folders before you start.
Backup Made Easy - XP (http://www.microsoft.com/windowsxp/using/setup/learnmore/bott_03july14.mspx)
How to backup your data - Vista (http://www.vista4beginners.com/How-to-backup-your-data)
Backup your data - windows 7 (http://support.microsoft.com/kb/971759)


See if you can run the below scans.

Please download RogueKiller.exe (http://tigzy.geekstogo.com/Tools/RogueKiller.exe) and save it to your desktop.

Now quit all running programs.
Double click RogueKiller.exe to run it.
When prompted, type 1 and hit Enter.
A RKreport.txt should appear on your desktop.
Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
Please post the contents of the RKreport.txt in your next Reply.

Next.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

RSIT (Random's System Information Tool)

Please download RSIT (http://images.malwareremoval.com/random/RSIT.exe) by random/random... and save it to your desktop.

Double click on RSIT.exe to run it.
Please read the disclaimer... click on Continue.
RSIT will start running. When done... 2 logs files...will be produced.
The first one, "log.txt", << will be maximized
The second one, "info.txt", << will be minimized.
Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)


Logs/Information to Post in your Next Reply


RKreport.txt.
Malwarebytes log.
RSIT log.txt and info.txt contents.
Please give me an update on how your computer is performing.








info.txt content:

info.txt logfile of random's system information tool 1.08 2011-03-14 01:09:57

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 L:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->L:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->L:\WINDOWS\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -maintain plugin
Adobe Reader 8.1.2 - Italiano-->MsiExec.exe /I{AC76BA86-7AD7-1040-7B44-A81200000003}
ATI Display Driver-->rundll32 L:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Babylon-->L:\WINDOWS\uninstbb.exe
CCleaner-->"L:\Programmi\CCleaner\uninst.exe"
C-Media 3D Audio-->L:\WINDOWS\CMIUnInstall.exe
Cool Edit 2000-->L:\Programmi\Cool2000\ce2Kunin.exe
DivX 5.0 Bundle-->L:\WINDOWS\unvise32.exe L:\Programmi\DivX\uninstal.log
eMule-->"L:\Programmi\eMule\Uninstall.exe"
ERUNT 1.1j-->L:\Programmi\ERUNT\unins000.exe
Express Rip-->L:\Programmi\NCH Swift Sound\ExpressRip\uninst.exe
GlobalEnglish Learning Technology-->MsiExec.exe /X{E3E7B3FC-23BD-45A0-B0A6-6621B15BE540}
GOM Player-->"L:\Programmi\GRETECH\GomPlayer\Uninstall.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
ICQ Toolbar-->L:\Programmi\ICQ6Toolbar\ICQUnToolbar.exe
ICQ6.5-->"L:\Programmi\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 22-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Java(TM) 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Malwarebytes' Anti-Malware-->"L:\Programmi\Malwarebytes' Anti-Malware\unins000.exe"
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Office Access MUI (Italian) 2007-->MsiExec.exe /X{90120000-0015-0410-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"L:\Programmi\File comuni\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (Italian) 2007-->MsiExec.exe /X{90120000-0016-0410-0000-0000000FF1CE}
Microsoft Office Groove MUI (Italian) 2007-->MsiExec.exe /X{90120000-00BA-0410-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Italian) 2007-->MsiExec.exe /X{90120000-0044-0410-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Italian) 2007-->MsiExec.exe /X{90120000-00A1-0410-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Italian) 2007-->MsiExec.exe /X{90120000-001A-0410-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Italian) 2007-->MsiExec.exe /X{90120000-0018-0410-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007-->MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proofing (Italian) 2007-->MsiExec.exe /X{90120000-002C-0410-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Italian) 2007-->MsiExec.exe /X{90120000-0019-0410-0000-0000000FF1CE}
Microsoft Office Shared MUI (Italian) 2007-->MsiExec.exe /X{90120000-006E-0410-0000-0000000FF1CE}
Microsoft Office Word MUI (Italian) 2007-->MsiExec.exe /X{90120000-001B-0410-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Text-to-Speech Engine 4.0 (English)-->RunDll32 advpack.dll,LaunchINFSection L:\WINDOWS\INF\msTTSf22.inf, Uninstall
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mihov Image Resizer (remove only)-->"L:\Programmi\Mihov Image Resizer\Uninstall.exe"
Mozilla Firefox (3.6.10)-->L:\Programmi\Mozilla Firefox\uninstall\helper.exe
MPEG2 Codec(libmpeg2/mad)-->"L:\Programmi\GNU\MPEG2\Uninstall.exe"
Nero 6 Ultra Edition-->L:\Programmi\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nimo Codecs Pack v5.0 (Remove Only)-->"L:\Programmi\NimoCodec Pack\uninstall.exe"
Paragon Drive Backup 8.51 Professional Trial-->RunDll32 L:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "L:\Programmi\InstallShield Installation Information\{D155D300-C235-44FC-981C-F7B34683439C}\Setup.exe" -l0x9
Paragon Partition Manager 9.0 Personal Trial-->RunDll32 L:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "L:\Programmi\InstallShield Installation Information\{49CC1A6A-3A1A-4EE7-913F-8106B51B59D1}\Setup.exe" -l0x9
Quite Universal Circuit Simulator 0.0.15 binary package for Win-->"L:\Programmi\Qucs\unins000.exe"
SAMSUNG Intelli-studio-->"L:\Programmi\SAMSUNG\Intelli-studio\uninstall.exe"
Skype™ 4.2-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Sothink FLV Player-->"L:\Programmi\File comuni\SourceTec\Sothink FLV Player\unins000.exe"
Spybot - Search & Destroy 1.3-->"L:\Programmi\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy-->"L:\Programmi\Spybot - Search & Destroy\unins001.exe"
Total Commander (Remove or Repair)-->L:\Programmi\totalcmd\tcuninst.exe
Trader Workstation 4.0-->L:\PROGRA~1\Jts\UNWISE.EXE L:\PROGRA~1\Jts\INSTALL.LOG
Trust Webcam 15082-02-->L:\Programmi\InstallShield Installation Information\{ECD03DA7-5952-406A-8156-5F0C93618D1F}\setup.exe -runfromtemp -l0x0010 -removeonly
UltraEdit-32 Uninstall-->L:\PROGRA~1\ULTRAE~1\UEDIT32.EXE /UNINSTALL
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VideoLAN VLC media player 0.8.6i-->L:\Programmi\VideoLAN\VLC\uninstall.exe
Windows Installer 3.1 (KB893803)-->"L:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"L:\Programmi\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"L:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR gestione archivi-->L:\Programmi\WinRAR\uninstall.exe
WinZip 11.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
ZoneAlarm Spy Blocker-->rundll32 L:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O
ZoneAlarm-->L:\Programmi\Zone Labs\ZoneAlarm\zauninst.exe

======Hosts File======


======Security center information======

AV: McAfee VirusScan Enterprise (disabled)
FW: ZoneAlarm Firewall (disabled)

======System event log======

Computer Name: ALEPC
Event Code: 8033
Message: L'elenco ha imposto un'elezione sulla rete \Device\NetBT_Tcpip_{8E1D8D2F-4EFD-4714-80A7-D409F75FACD2} perché il master si è arrestato.

Record Number: 7693
Source Name: BROWSER
Time Written: 20101005005939.000000+120
Event Type: Informazione
User:

Computer Name: ALEPC
Event Code: 4202
Message: Il sistema ha rilevato che la scheda di rete \DEVICE\TCPIP_{8E1D8D2F-4EFD-4714-80A7-D409F75FACD2} è disconnessa dalla rete,
e la configurazione della scheda di rete è stata rilasciata. Se la scheda
di rete non è disconnessa, ciò potrebbe essere dovuto a un suo malfunzionamento.
Contattare il fornitore per ottenere dei driver aggiornati.

Record Number: 7692
Source Name: Tcpip
Time Written: 20101005005935.000000+120
Event Type: Informazione
User:

Computer Name: ALEPC
Event Code: 7036
Message: Il servizio Acquisizione di immagini di Windows (WIA) è ora in modalità esecuzione.

Record Number: 7691
Source Name: Service Control Manager
Time Written: 20101004162311.000000+120
Event Type: Informazione
User:

Computer Name: ALEPC
Event Code: 4201
Message: Il sistema ha rilevato che la scheda di rete \DEVICE\TCPIP_{8E1D8D2F-4EFD-4714-80A7-D409F75FACD2} è connessa alla rete,
e ha iniziato le normali operazioni sulla scheda di rete.

Record Number: 7690
Source Name: Tcpip
Time Written: 20101004162255.000000+120
Event Type: Informazione
User:

Computer Name: ALEPC
Event Code: 8033
Message: L'elenco ha imposto un'elezione sulla rete \Device\NetBT_Tcpip_{8E1D8D2F-4EFD-4714-80A7-D409F75FACD2} perché il master si è arrestato.

Record Number: 7689
Source Name: BROWSER
Time Written: 20101004153135.000000+120
Event Type: Informazione
User:

=====Application event log=====

Computer Name: ALEPC
Event Code: 100
Message: wuauclt (1552) Motore del database 5.01.2600.2180 avviato.

Record Number: 2873
Source Name: ESENT
Time Written: 20100316202358.000000+060
Event Type: Informazione
User:

Computer Name: ALEPC
Event Code: 20
Message:
Record Number: 2872
Source Name: Google Update
Time Written: 20100316061505.000000+060
Event Type: Errore
User: ALEPC\alx

Computer Name: ALEPC
Event Code: 20
Message:
Record Number: 2871
Source Name: Google Update
Time Written: 20100316051505.000000+060
Event Type: Errore
User: ALEPC\alx

Computer Name: ALEPC
Event Code: 20
Message:
Record Number: 2870
Source Name: Google Update
Time Written: 20100316041506.000000+060
Event Type: Errore
User: ALEPC\alx

Computer Name: ALEPC
Event Code: 20
Message:
Record Number: 2869
Source Name: Google Update
Time Written: 20100316031505.000000+060
Event Type: Errore
User: ALEPC\alx

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0602
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8
"VSEDEFLOGDIR"=L:\Documents and Settings\All Users\Dati applicazioni\McAfee\DesktopProtection
"DEFLOGDIR"=L:\Documents and Settings\All Users\Dati applicazioni\McAfee\DesktopProtection

-----------------EOF-----------------

Cypher
2011-03-14, 11:43
Hi spybotalx.

First of all thanks for helping me.
You're welcome.

Remove P2P Programs


I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.


eMule

Please read the Guidelines for P2P Programs (http://forums.spybot.info/showthread.php?t=282) where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Click on start
Then Run
In the open text entry box please copy/paste appwiz.cpl Then click enter.
Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
While you are in Add/remove programs uninstall the following also.

J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 6
Next.

Please download this tool (http://go.microsoft.com/fwlink/?linkid=52012) from Microsoft.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in the window.
Save this file and copy/paste it in your next reply.
Next.

Run CKScanner


Please download CKScanner from Here (http://downloads.malwareremoval.com/CKScanner.exe)
Important: - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Logs/Information to Post in your Next Reply


MGADiag log.
CKFiles.txt.

spybotalx
2011-03-15, 02:15
MGADiag.log content

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-VR7RV-J86YQ-4Y6WB
Windows Product Key Hash: zxRgFrJjWYvFtpH9cwlnRfxeqhg=
Windows Product ID: 76435-OEM-2251074-46408
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {D6D2E552-B142-48CA-94D6-AF72A356AEC0}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2ee7_E2AD56EA-148-80004005_16E0B333-89-80004005_78155E4D-232-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 103 Blocked VLK
Microsoft Office Enterprise 2007 - 103 Blocked VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: L:\Documents and Settings\alx\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{D6D2E552-B142-48CA-94D6-AF72A356AEC0}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4Y6WB</PKey><PID>76435-OEM-2251074-46408</PID><PIDType>3</PIDType><SID>S-1-5-21-1645522239-1214440339-682003330</SID><SYSTEM><Manufacturer>SiS</Manufacturer><Model>K7S8XE+ </Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.20</Version><SMBIOSVersion major="2" minor="3"/><Date>20031020000000.000000+000</Date></BIOS><HWID>1F71321F0184A059</HWID><UserLCID>0410</UserLCID><SystemLCID>0410</SystemLCID><TimeZone>ora solare Europa occidentale(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65792</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

CKFiles.txt content

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

Cypher
2011-03-15, 11:18
Hi spybotalx.

The Microsoft Office Enterprise 2007 on your computer is a non-genuine copy. It was installed with a now blocked Volume Licensing Key (VLK) that was valid and only available to corporations, education entities and government agencies. VLKs are blocked by Microsoft at the request and consent of the original keyholder for such reasons as the key was lost, stolen, compromised, misused, or expired. Also, Microsoft may have blocked the key if it notices a pattern of misuse, that is more installations of XP using that key than authorized.
A VL Product Key is non-transferable to individuals.

Please read Illegal copies of software (http://forums.spybot.info/showpost.php?p=25290&postcount=4)
If you still want help, please remove the illegal items from your computer, and if you still need the software, get legal copies from legitimate sources.
If you advise that the illegal software has been removed and I find it otherwise (the tools we use can and will detect them), then I will have no choice but to have this topic closed.
If there are more such new findings after this, the topic will also be closed.

You may return to the seller to demand a replacement with a genuine copy or get a full refund. Have a read Here (http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en#ID0EKNAC) to see if you qualify for the Genuine Office Offer.


Next.

Please visit This website (http://www.microsoft.com/genuine/validate/ValidateNow.aspx?displaylang=en) using Internet Explorer.
Follow the instructions to Validate Windows, then run MGADiag.exe again and post the new log in your next reply.

Cypher
2011-03-18, 12:29
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send your helper a private message (pm). A valid, working link to the closed topic is required.