Ancyc1
2012-02-08, 14:59
I have tried to delete all the cookies from all by browsers, but on reboot the Symantec antivirus keeps telling me there is a tracker cookie (and removes it)... this has been going on for a few days.
Thank you in advance.
Andy
Here are my logs
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by gcicogna at 13:17:34 on 2012-02-08
Microsoft Windows 7 Professional 6.1.7601.1.1252.39.1040.18.3024.1113 [GMT 1:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\AirPrint\Airprint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\EPSON Projector\EMP NS Connection V2\EMP_NSWLSV.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\Installer\MSIF8E7.tmp
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Dell\Dell WWAN\WMCore\mini_WMCore.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\FMAudit, LLC\FMAudit Agent\fmaagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\conhost.exe
C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = 1.0.7.*;5.139.99.*;192.168.1.*;127.0.0.*;172.16.11.*;169.254.1.*;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\bh\BabylonToolbar.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\BabylonToolbarTlbr.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\gcicogna\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarsrv.exe" /md I
mRun: [IndexTray] "c:\program files\sharp\sharpdesk\IndexTray.exe"
mRun: [Indexer] "c:\program files\sharp\sharpdesk\Indexer.exe"
mRun: [TypeRegChecker] "c:\program files\sharp\sharpdesk\TypeRegChecker.exe"
mRun: [SharpTray] "c:\program files\sharp\sharpdesk\SharpTray.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [B Register c:\program files\divx\divx plus web player\ie\divxhtml5\divxhtml5.dll] "c:\windows\system32\rundll32.exe" "c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll",DllRegisterServer
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gestio~1.lnk - c:\program files\microsoft firewall client 2004\FwcMgmt.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: I&nvia a OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: Invia immagine alla periferica &Bluetooth... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Invia pagina alla periferica &Bluetooth... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\program files\microsoft firewall client 2004\FwcWsp.dll
TCP: Interfaces\{0DE98743-8C29-4048-90A4-B2D3AD839057} : DhcpNameServer = 172.16.11.17 172.16.11.10
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8} : DhcpNameServer = 192.168.0.250
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8}\64143545755424D213D2338323239344648333543303 : DhcpNameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8}\8627563656074796F6E6 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8}\97F6E64616C656 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{8F3A88DF-9453-48DB-8FD1-5DC60F8C7E1D} : NameServer = 83.224.70.93 83.224.66.134
TCP: Interfaces\{B7CCB5CC-86A0-464D-B0DE-44F3CC707720} : NameServer = 172.16.11.10 172.16.11.17
TCP: Interfaces\{B7CCB5CC-86A0-464D-B0DE-44F3CC707720} : DhcpNameServer = 172.16.11.17 172.16.11.10
TCP: Interfaces\{EC6EB7C7-DE7A-4B5E-ACAF-34878DC3E084} : DhcpNameServer = 83.224.66.138 83.224.65.143
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AirPrint;AirPrint;c:\program files\airprint\airprint.exe -s --> c:\program files\airprint\Airprint.exe -s [?]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2010-3-24 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2010-3-24 27040]
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\ibm\sqllib\bin\db2mgmtsvc.exe [2009-5-16 38688]
R2 EMP_NSWLSV;EMP_NSWLSV;c:\program files\epson projector\emp ns connection v2\EMP_NSWLSV.exe [2010-2-2 98304]
R2 FMAuditAgent;FMAudit Agent;c:\program files\fmaudit, llc\fmaudit agent\fmaagent.exe [2009-5-5 340992]
R2 FwcAgent;Agente client firewall;c:\program files\microsoft firewall client 2004\FwcAgent.exe [2006-12-9 128832]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-2 1373576]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-8 652360]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-11-25 687400]
R2 SPDFToolsReadSpool;SolidPDFToolsCreatorReadSpool;c:\windows\installer\MSIF8E7.tmp [2010-3-30 189760]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-1-19 3027840]
R2 WMCoreService;Mobile Broadband Core Service;c:\program files\dell\dell wwan\wmcore\mini_WMCore.exe [2009-9-24 430080]
R3 acpials;Filtro sensore luce ambientale;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2009-11-3 33832]
R3 d554gps;Dell Wireless HSPA Mini-Card GPS Port;c:\windows\system32\drivers\d554gps.sys [2010-1-19 82984]
R3 d557bus;Dell Wireless 5540 HSPA Mini-Card Device (Win7);c:\windows\system32\drivers\d557bus.sys [2010-2-19 285056]
R3 d557mdfl;Dell Wireless 5540 HSPA Mini-Card Modem Filter (Win7);c:\windows\system32\drivers\d557mdfl.sys [2009-6-29 14848]
R3 d557mdm;Dell Wireless 5540 HSPA Mini-Card Modem (Win7);c:\windows\system32\drivers\d557mdm.sys [2010-2-19 374016]
R3 d557mgmt;Dell Wireless 5540 HSPA Mini-Card Device Management (Win7);c:\windows\system32\drivers\d557mgmt.sys [2010-2-19 357248]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]
R3 ecnssndis;Service for enabling selective suspend to NDIS device;c:\windows\system32\drivers\wwanuss.sys [2010-2-19 10240]
R3 ecnssndisfltr;SSNDIS filter service;c:\windows\system32\drivers\wwanussf.sys [2010-2-19 14848]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-3 106104]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-23 122368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-8 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-8 40776]
R3 NETw5s32;Driver scheda Intel(R) Wireless WiFi Link per Windows 7 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-6-3 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-9-18 277440]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 WwanUsbServ;Ericsson WWAN Wireless Module Device Driver;c:\windows\system32\drivers\WwanUsbMp.sys [2010-2-19 216616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Servizio di Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-22 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-1-23 29472]
S3 EP_NSDG;EP_NSDG;c:\windows\system32\drivers\EP_NSDG.sys [2010-1-29 3600]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2008-9-5 59648]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2008-9-8 105984]
S3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [2008-9-8 18816]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2008-7-17 8064]
S3 gupdatem;Servizio Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-22 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 netw5v32;Driver scheda Intel(R) Wireless WiFi Link serie 5000 per Windows Vista a 32 bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 OA001Srv;Creative OA001 RunApp Service;c:\windows\system32\OA001Srv.exe [2008-8-20 24576]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-12-4 131888]
S3 StorSvc;Servizio di archiviazione;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-11-30 25088]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-12 52224]
S3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-26 1343400]
S3 WSDPrintDevice;Supporto stampa WSD via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]
.
=============== Created Last 30 ================
.
2012-02-08 11:09:39 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-08 10:29:04 -------- d-----w- C:\FyK
2012-02-08 10:24:47 -------- d-----w- c:\users\gcicogna\appdata\roaming\Malwarebytes
2012-02-08 10:24:35 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 10:24:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-08 10:24:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-07 17:06:11 -------- d-----w- c:\program files\LogMeIn Hamachi
2012-02-06 17:03:02 -------- d-----w- c:\program files\AZPR
2012-02-05 13:37:46 -------- d-----w- c:\program files\Microsoft Money Plus
2012-01-31 10:36:05 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-31 10:36:05 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-31 10:36:05 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-31 10:36:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-31 10:36:04 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-31 10:36:04 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-31 10:36:04 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-31 10:36:04 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-31 10:36:04 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-31 10:36:04 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-30 20:01:28 -------- d-----w- c:\program files\SpeedFan
2012-01-26 14:43:14 -------- d-----w- c:\program files\iPod
2012-01-26 14:43:13 -------- d-----w- c:\program files\iTunes
2012-01-11 13:56:22 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 13:56:21 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 13:56:19 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 13:56:19 1328128 ----a-w- c:\windows\system32\quartz.dll
.
==================== Find3M ====================
.
2011-11-28 08:07:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: SAMSUNG_ rev.VBM2 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82E00000]<< >>UNKNOWN [0x8BCB3000]<< >>UNKNOWN [0x8BCA2000]<< >>UNKNOWN [0x8B61D000]<< >>UNKNOWN [0x842A9000]<< >>UNKNOWN [0x83212000]<< >>UNKNOWN [0x85B10938]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x82E3752A] -> \Device\Harddisk0\DR0[0x86B27948]
\Driver\Disk[0x86B264F8] -> IRP_MJ_CREATE -> 0x8BCB739F
3 [0x8BCB759E] -> ntkrnlpa!IofCallDriver[0x82E3752A] -> \Device\Ide\IAAStorageDevice-1[0x86111028]
\Driver\iaStor[0x86090BD0] -> IRP_MJ_CREATE -> 0x8B667390
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
copy of MBR has been found in sector 19 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:18:06,91 ===============
Thank you in advance.
Andy
Here are my logs
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by gcicogna at 13:17:34 on 2012-02-08
Microsoft Windows 7 Professional 6.1.7601.1.1252.39.1040.18.3024.1113 [GMT 1:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\AirPrint\Airprint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\EPSON Projector\EMP NS Connection V2\EMP_NSWLSV.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\Installer\MSIF8E7.tmp
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Dell\Dell WWAN\WMCore\mini_WMCore.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\FMAudit, LLC\FMAudit Agent\fmaagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\conhost.exe
C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = 1.0.7.*;5.139.99.*;192.168.1.*;127.0.0.*;172.16.11.*;169.254.1.*;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\bh\BabylonToolbar.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\BabylonToolbarTlbr.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\gcicogna\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarsrv.exe" /md I
mRun: [IndexTray] "c:\program files\sharp\sharpdesk\IndexTray.exe"
mRun: [Indexer] "c:\program files\sharp\sharpdesk\Indexer.exe"
mRun: [TypeRegChecker] "c:\program files\sharp\sharpdesk\TypeRegChecker.exe"
mRun: [SharpTray] "c:\program files\sharp\sharpdesk\SharpTray.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [B Register c:\program files\divx\divx plus web player\ie\divxhtml5\divxhtml5.dll] "c:\windows\system32\rundll32.exe" "c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll",DllRegisterServer
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gestio~1.lnk - c:\program files\microsoft firewall client 2004\FwcMgmt.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: I&nvia a OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: Invia immagine alla periferica &Bluetooth... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Invia pagina alla periferica &Bluetooth... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\program files\microsoft firewall client 2004\FwcWsp.dll
TCP: Interfaces\{0DE98743-8C29-4048-90A4-B2D3AD839057} : DhcpNameServer = 172.16.11.17 172.16.11.10
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8} : DhcpNameServer = 192.168.0.250
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8}\64143545755424D213D2338323239344648333543303 : DhcpNameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8}\8627563656074796F6E6 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{71B7BCDD-7154-4B65-BA3F-AD6C731358D8}\97F6E64616C656 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{8F3A88DF-9453-48DB-8FD1-5DC60F8C7E1D} : NameServer = 83.224.70.93 83.224.66.134
TCP: Interfaces\{B7CCB5CC-86A0-464D-B0DE-44F3CC707720} : NameServer = 172.16.11.10 172.16.11.17
TCP: Interfaces\{B7CCB5CC-86A0-464D-B0DE-44F3CC707720} : DhcpNameServer = 172.16.11.17 172.16.11.10
TCP: Interfaces\{EC6EB7C7-DE7A-4B5E-ACAF-34878DC3E084} : DhcpNameServer = 83.224.66.138 83.224.65.143
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AirPrint;AirPrint;c:\program files\airprint\airprint.exe -s --> c:\program files\airprint\Airprint.exe -s [?]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2010-3-24 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2010-3-24 27040]
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\ibm\sqllib\bin\db2mgmtsvc.exe [2009-5-16 38688]
R2 EMP_NSWLSV;EMP_NSWLSV;c:\program files\epson projector\emp ns connection v2\EMP_NSWLSV.exe [2010-2-2 98304]
R2 FMAuditAgent;FMAudit Agent;c:\program files\fmaudit, llc\fmaudit agent\fmaagent.exe [2009-5-5 340992]
R2 FwcAgent;Agente client firewall;c:\program files\microsoft firewall client 2004\FwcAgent.exe [2006-12-9 128832]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-2 1373576]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-8 652360]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-11-25 687400]
R2 SPDFToolsReadSpool;SolidPDFToolsCreatorReadSpool;c:\windows\installer\MSIF8E7.tmp [2010-3-30 189760]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-1-19 3027840]
R2 WMCoreService;Mobile Broadband Core Service;c:\program files\dell\dell wwan\wmcore\mini_WMCore.exe [2009-9-24 430080]
R3 acpials;Filtro sensore luce ambientale;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2009-11-3 33832]
R3 d554gps;Dell Wireless HSPA Mini-Card GPS Port;c:\windows\system32\drivers\d554gps.sys [2010-1-19 82984]
R3 d557bus;Dell Wireless 5540 HSPA Mini-Card Device (Win7);c:\windows\system32\drivers\d557bus.sys [2010-2-19 285056]
R3 d557mdfl;Dell Wireless 5540 HSPA Mini-Card Modem Filter (Win7);c:\windows\system32\drivers\d557mdfl.sys [2009-6-29 14848]
R3 d557mdm;Dell Wireless 5540 HSPA Mini-Card Modem (Win7);c:\windows\system32\drivers\d557mdm.sys [2010-2-19 374016]
R3 d557mgmt;Dell Wireless 5540 HSPA Mini-Card Device Management (Win7);c:\windows\system32\drivers\d557mgmt.sys [2010-2-19 357248]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]
R3 ecnssndis;Service for enabling selective suspend to NDIS device;c:\windows\system32\drivers\wwanuss.sys [2010-2-19 10240]
R3 ecnssndisfltr;SSNDIS filter service;c:\windows\system32\drivers\wwanussf.sys [2010-2-19 14848]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-3 106104]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-23 122368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-8 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-8 40776]
R3 NETw5s32;Driver scheda Intel(R) Wireless WiFi Link per Windows 7 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-6-3 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-9-18 277440]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 WwanUsbServ;Ericsson WWAN Wireless Module Device Driver;c:\windows\system32\drivers\WwanUsbMp.sys [2010-2-19 216616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Servizio di Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-22 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-1-23 29472]
S3 EP_NSDG;EP_NSDG;c:\windows\system32\drivers\EP_NSDG.sys [2010-1-29 3600]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2008-9-5 59648]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2008-9-8 105984]
S3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [2008-9-8 18816]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2008-7-17 8064]
S3 gupdatem;Servizio Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-22 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 netw5v32;Driver scheda Intel(R) Wireless WiFi Link serie 5000 per Windows Vista a 32 bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 OA001Srv;Creative OA001 RunApp Service;c:\windows\system32\OA001Srv.exe [2008-8-20 24576]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-12-4 131888]
S3 StorSvc;Servizio di archiviazione;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-11-30 25088]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-12 52224]
S3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-26 1343400]
S3 WSDPrintDevice;Supporto stampa WSD via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]
.
=============== Created Last 30 ================
.
2012-02-08 11:09:39 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-08 10:29:04 -------- d-----w- C:\FyK
2012-02-08 10:24:47 -------- d-----w- c:\users\gcicogna\appdata\roaming\Malwarebytes
2012-02-08 10:24:35 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 10:24:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-08 10:24:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-07 17:06:11 -------- d-----w- c:\program files\LogMeIn Hamachi
2012-02-06 17:03:02 -------- d-----w- c:\program files\AZPR
2012-02-05 13:37:46 -------- d-----w- c:\program files\Microsoft Money Plus
2012-01-31 10:36:05 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-31 10:36:05 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-31 10:36:05 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-31 10:36:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-31 10:36:04 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-31 10:36:04 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-31 10:36:04 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-31 10:36:04 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-31 10:36:04 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-31 10:36:04 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-30 20:01:28 -------- d-----w- c:\program files\SpeedFan
2012-01-26 14:43:14 -------- d-----w- c:\program files\iPod
2012-01-26 14:43:13 -------- d-----w- c:\program files\iTunes
2012-01-11 13:56:22 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 13:56:21 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 13:56:19 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 13:56:19 1328128 ----a-w- c:\windows\system32\quartz.dll
.
==================== Find3M ====================
.
2011-11-28 08:07:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: SAMSUNG_ rev.VBM2 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82E00000]<< >>UNKNOWN [0x8BCB3000]<< >>UNKNOWN [0x8BCA2000]<< >>UNKNOWN [0x8B61D000]<< >>UNKNOWN [0x842A9000]<< >>UNKNOWN [0x83212000]<< >>UNKNOWN [0x85B10938]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x82E3752A] -> \Device\Harddisk0\DR0[0x86B27948]
\Driver\Disk[0x86B264F8] -> IRP_MJ_CREATE -> 0x8BCB739F
3 [0x8BCB759E] -> ntkrnlpa!IofCallDriver[0x82E3752A] -> \Device\Ide\IAAStorageDevice-1[0x86111028]
\Driver\iaStor[0x86090BD0] -> IRP_MJ_CREATE -> 0x8B667390
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
copy of MBR has been found in sector 19 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:18:06,91 ===============