www.MegaLab.it

da **Alcatosto** » gio nov 03, 2011 10:34 pm

Come da titolo sto tentando di sistemare il pc di mio fratello ed è totalmente massacrato.
Premetto che era un pc portatile senza antivirus e niente con windows XP, di segutio l'elenco di ciò che ho fatto:
-AVG: Diversi problemi ma sembrerebbero risolti.
-Malwarebites: 17 problemi risolti ma ora che sto rifacendo la scansione li ha ritrovati.
-Superantispyware: Diversi problemi che sembrano risolti.
-Gmer: Sta girando ora ma ha già trovato problemi.
-Hijackthis: Log messo sul sito loro e ho risolto molti problemi.
-Ccleaner: 2702mb di file temporanei, 350 e oltre problemi nel registro.
-Combofix: ancora non eseguito

In attesa di postare il log di Malwarebites, Gmer e Hijack devo fare qualcos'altro o posso aspettare che finiscono questi software ?

Grazie a chi deciderà di aiutarmi in questo lungo percorso -.- !
Ciao

da **eugenio19911** » gio nov 03, 2011 10:52 pm

potresti valutare con altri 2 software se è rimasto qualcosa:
http://www.surfright.nl/en/hitmanpro
http://www.emsisoft.it/it/software/anti ... ntimalware
Data la alta presenza di infezioni un format?
magari recuperando i dati necessari con un live cd unix (per intenderci ad esempio ubuntu)
A te la scelta [std]

da **Alcatosto** » gio nov 03, 2011 11:44 pm

Intanto il log di Hijackthis e Gmer !

-Hijackthis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23.19.28, on 03/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Programmi\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programmi\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Programmi\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\DellTPad\Apoint.exe
C:\Programmi\IDT\WDM\sttray.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BtTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Programmi\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Programmi\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Programmi\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Programmi\AVG\AVG2012\avgtray.exe
C:\Programmi\SUPERAntiSpyware\SASCORE.EXE
C:\Programmi\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DellTPad\ApMsgFwd.exe
C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Programmi\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\AQ\supdate.exe
C:\Programmi\DellTPad\Apntex.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmi\DellTPad\HidFind.exe
C:\Programmi\AVG\AVG2012\avgwdsvc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\igfxext.exe
C:\Programmi\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Programmi\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programmi\AVG\AVG2012\avgnsx.exe
C:\Programmi\Intel\WiFi\bin\EvtEng.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Nero\Update\NASvc.exe
C:\Programmi\File comuni\Intel\WirelessCommon\RegSrvc.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Programmi\File comuni\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmi\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\marco\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\marco\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\marco\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\marco\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\marco\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\marco\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\marco\Desktop\Manutenzione pc\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG2012\avgssie.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programmi\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programmi\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmi\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DellControlPoint] "C:\Programmi\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [USCService] C:\Programmi\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [DellConnectionManager] "C:\Programmi\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Programmi\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Programmi\AVG Secure Search\vprot.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Programmi\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Global Startup: SIDA.Connect.lnk = C:\AQ\supdate.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ShopperReports - Compare product prices - {DB38E21A-0133-419d-92AD-ECDFD5244D6D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ShopperReports - Compare travel rates - {EB620C54-E229-4942-87CE-E717109FC8C6} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D65AAFAC-15B5-4A70-95E2-FD4F75CD7F66}: NameServer = 193.70.192.25,193.70.152.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD0A279B-FF90-4107-8264-FE6819FC1BD6}: NameServer = 193.70.192.25,193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 193.70.152.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 193.70.152.15
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Programmi\File comuni\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Programmi\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Programmi\Fingerprint Sensor\AtService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Programmi\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Programmi\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Programmi\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FME License Server - Macrovision Corporation - C:\Programmi\FlexServer\\lmgrd.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: @C:\Programmi\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Programmi\Nero\Update\NASvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Programmi\File comuni\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Programmi\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Programmi\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Smith Micro Connection Manager Service (SMManager) - Smith Micro Software, Inc. - C:\Programmi\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programmi\File comuni\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Programmi\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Programmi\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: vToolbarUpdater - Unknown owner - C:\Programmi\File comuni\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe

--
End of file - 12932 bytes

-Gmer:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-03 23:18:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG01
Running: g3g206kl.exe; Driver: C:\DOCUME~1\marco\IMPOST~1\Temp\fgrdqpow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x988B5F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x988B5FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x988B6080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x988B611C]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A5DAC16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A5DABFC2

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0x97E65400, 0x7960C, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x97F07420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x97F07420]
.protectÿÿÿÿhardlockunknown last code section [0x97F07200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0x97F07200, 0x5049, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2804] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] nkpegdf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@DisplayName Config Center
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@Description Supporta la condivisione in rete di file, stampa e named-pipe per il computer in uso. Se il servizio ? stato arrestato, queste funzionalit? non saranno disponibili. Se il servizio ? stato disabilitato, i servizi esplicitamente dipendenti da esso non verranno avviati.
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf\Parameters@ServiceDll C:\WINDOWS\system32\ldoek.dll
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@DisplayName Config Center
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@Description Supporta la condivisione in rete di file, stampa e named-pipe per il computer in uso. Se il servizio ? stato arrestato, queste funzionalit? non saranno disponibili. Se il servizio ? stato disabilitato, i servizi esplicitamente dipendenti da esso non verranno avviati.
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf\Parameters@ServiceDll C:\WINDOWS\system32\ldoek.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ci 528384 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.dir 4096 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid 65536 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci 434176 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dir 0 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid 0 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.ci 999424 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.dir 12288 bytes
File C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid 65536 bytes
File C:\Documents and Settings\marco\Dati applicazioni\Macromedia\Flash Player\#SharedObjects\Y676BAAX\www.friv.com.\friv_so1.sol 745 bytes
File C:\Documents and Settings\marco\Dati applicazioni\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.friv.com.\settings.sol 83 bytes

---- EOF - GMER 1.0.15 ----

da **Alcatosto** » ven nov 04, 2011 8:57 am

Qui il log di Malwarebytes che ho fatto rigirare !

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Versione database: 8076

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/11/2011 8.26.40
malwarebyteslog

Tipo di scansione: Scansione completa (C:\|)
Elementi esaminati: 334493
Tempo impiegato: 1 ore, 45 minuti, 24 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 27
Valori di registro infetti: 4
Voci infette nei dati di registro: 0
Cartelle infette: 9
File infetti: 15

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\Typelib\{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{F244A744-534D-4A46-855F-C0C7E9F27DAA} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{030C9927-10FC-4169-97A2-55BECD5D88D8} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport2 (Adware.ShoppingReports2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx.1 (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand.1 (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton.1 (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA.1 (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl.1 (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\Software\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QUESTSCAN_SERVICE (Adware.QuestScan) -> No action taken.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Value: {DB38E21A-0133-419D-92AD-ECDFD5244D6D} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Value: {EB620C54-E229-4942-87CE-E717109FC8C6} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Value: {EB620C54-E229-4942-87CE-E717109FC8C6} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Value: {DB38E21A-0133-419d-92AD-ECDFD5244D6D} -> No action taken.

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
c:\documents and settings\marco\dati applicazioni\shoppingreport2 (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\db (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\dwld (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\report (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\res1 (Adware.ShoppingReport2) -> No action taken.
c:\programmi\shoppingreport2 (Adware.ShoppingReport2) -> No action taken.
c:\programmi\shoppingreport2\Bin (Adware.ShoppingReport2) -> No action taken.
c:\programmi\shoppingreport2\Bin\2.7.34 (Adware.ShoppingReport2) -> No action taken.

File infetti:
c:\documents and settings\marco\documenti\downloads\xvidsetup (1).exe (Adware.Hotbar) -> No action taken.
c:\documents and settings\marco\documenti\downloads\xvidsetup (2).exe (Adware.Hotbar) -> No action taken.
c:\documents and settings\marco\documenti\downloads\xvidsetup.exe (Adware.Hotbar) -> No action taken.
c:\documents and settings\marco\documenti\downloads\emulesetup.exe (Adware.Hotbar) -> No action taken.
c:\documents and settings\marco\documenti\downloads\installer_nero_burning_rom_10_0_13100__italian.exe (PUP.SmsPay.PGen) -> No action taken.
c:\programmi\shoppingreport2\Uninst.exe (Adware.ShoppingReports2) -> No action taken.
c:\system volume information\_restore{78b2df97-a14a-44c4-8a75-ed37bff56fa4}\RP195\A0066614.dll (Adware.SmartShopper) -> No action taken.
c:\system volume information\_restore{78b2df97-a14a-44c4-8a75-ed37bff56fa4}\RP195\A0066734.dll (Adware.Agent.ZGen) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\Config.xml (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\db\Aliases.dbs (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\db\Sites.dbs (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\dwld\whitelist.xip (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\report\aggr_storage.xml (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\report\send_storage.xml (Adware.ShoppingReport2) -> No action taken.
c:\documents and settings\marco\dati applicazioni\shoppingreport2\cs\res1\whitelist.dbs (Adware.ShoppingReport2) -> No action taken.

da **crazy.cat** » ven nov 04, 2011 9:59 am

Alcatosto ha scritto:Qui il log di Malwarebytes che ho fatto rigirare !

Alla fine della scansione in basso a sinistra c'è il pulsante per dirgli di rimuovere i problemi trovati.
Altrimenti da soli non se ne vanno.

Che strano questo servizio attivo...per sicurezza fai analizzare su virustotal.com il file stacsv.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe

Il problema è questo bel rootkit, prova a far girare hitman come ti è stato suggerito prima di preparare degli script appositi (che in questo momento non riesco a farti).

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] nkpegdf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@DisplayName Config Center
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf@Description Supporta la condivisione in rete di file, stampa e named-pipe per il computer in uso. Se il servizio ? stato arrestato, queste funzionalit? non saranno disponibili. Se il servizio ? stato disabilitato, i servizi esplicitamente dipendenti da esso non verranno avviati.
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\nkpegdf\Parameters@ServiceDll C:\WINDOWS\system32\ldoek.dll
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@DisplayName Config Center
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf@Description Supporta la condivisione in rete di file, stampa e named-pipe per il computer in uso. Se il servizio ? stato arrestato, queste funzionalit? non saranno disponibili. Se il servizio ? stato disabilitato, i servizi esplicitamente dipendenti da esso non verranno avviati.
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\nkpegdf\Parameters@ServiceDll C:\WINDOWS\system32\ldoek.dll

Usa il tag memo per allegare il log.

da **Alcatosto** » ven nov 04, 2011 10:06 am

Allora hitmanpro l'ho fatto girare e qui il log:

- <Log computer="CPSASTD" scan="Normal" version="3.5.9.131" date="2011-11-04T09:02:06" timeSpentInSecs="255" filesProcessed="33290">
- <Item type="Malware" malwareName="Malware" score="114.0" status="Deleted">
- <Scanners>
<Scanner id="DrWeb" name="Infected" />
</Scanners>
<File path="C:\Documents and Settings\marco\Documenti\Downloads\installer_nero_burning_rom_10_0_13100__Italian.exe" hash="C857D395589791E0F14E3697C0F4DAC1FB2C259894A1D4C52A184E40DC045E14" />
</Item>
- <Item type="Suspicious" score="103.0" status="None">
<File path="C:\MicroGaming\Poker\goldwinMPP\install.exe" hash="FD20556CEDC7AE526FBB0A36923765F71DFA7C1829C21A6FAA4B068AAD6D41AE" />
- <References>
<File path="C:\Documents and Settings\marco\Menu Avvio\Programmi\Goldwin\Disinstalla.lnk" />
</References>
</Item>
</Log>

Su Malwarebytes ho salvato il file di log prima di cancellare gli elementi infetti !! [:)]

Quindi penso che anche li avrebbe dovuto risolvere !
In questo momento sta girando Anti-malware della emsisoft che ha già trovato 3 elementi ! posto poi il log e rimuovo anche questi !

da **Alcatosto** » ven nov 04, 2011 10:24 am

Questi invece i file che ho messo in quarantena con anti-malware

Emsisoft Anti-Malware - Version 6.0
quarantine log

Data Origine Evento Infezione
04/11/2011 10.21.07 Key: hkey_current_user\software\mgs\thumper\casino Metti in Quarantena Trace.Registry.casinoaction!E1
04/11/2011 10.21.08 c:\microgaming Metti in Quarantena Trace.File.ruby fortune casino!E1
04/11/2011 10.21.07 C:\System Volume Information\_restore{78B2DF97-A14A-44C4-8A75-ED37BFF56FA4}\RP188\A0062929.exe Metti in Quarantena BrowserModifier.Win32.Zwangi.AMN!E1
04/11/2011 10.21.07 C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\TB2T98TE\upgrade[1].cab File non trovato BHO.Win32.Zwangi!E2
04/11/2011 10.21.06 C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\TB2T98TE\upgrade[1].cab Metti in Quarantena BHO.Win32.Zwangi!E2

da **Alcatosto** » ven nov 04, 2011 12:48 pm

Come se non bastasse riavviando il pc non mi fa entrare direttamente come prima ma mi chiede nome utente e password in stile windows 2000. Ora quando entro e provo da pannello di controllo a modificare la modalità di accesso mi spunta questo bell'errore:

Un programma installato di recente ha causato la disattivazione della schermata iniziale e del Cambio rapido utente. Per ripristinare questa funzionalità, disinstallare il programma. I seguenti nomi di file possono essere utili per l'identificazione del programma che ha causato la modifica: smgina.dll

Secondo voi da cosa è dato (tenendo conto che ho eseguito solo i programmi che vi ho detto e non ho modificato altro) e come posso risolvere ?!

Ciao

da **Alcatosto** » ven nov 04, 2011 12:52 pm

crazy.cat ha scritto:Che strano questo servizio attivo...per sicurezza fai analizzare su virustotal.com il file stacsv.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe

Su virustotal da 0/43. è un servizio audio della Dell per la scheda mi pare.

da **hashcat** » ven nov 04, 2011 3:58 pm

Per prima cosa disattiva il ripristino configurazione di sistema con questo file reg:

http://dl.dropbox.com/u/40765847/topic74236/Disable_windows_restore.reg

Poi fai un po' di pulizia con OTL:

Scarica OTL da qui
Disattivare o terminare tutte le protezioni in tempo reale di programmi anti-spyware, antivirus, anti-malware, che possono influenzare OTL
Avviare OTL mediante doppio click
Inserisci questo script nella casella Custom Scans/Fixes di OTL e clicca Run Fix

Codice: Seleziona tutto
:Commands [PURITY] [EMPTYTEMP] [CLEARALLRESTOREPOINTS]
Il computer verrà riavviato.

Utilizza TDSSKiller per tentare di rimuovere il rootkit ed acquisire informazioni sui driver:

Scarica TDSSKiller da qui
Rinominalo in modo casuale
Esegui TDSSKiller e clicca su "Start Scan"
Al termine della scansione verrà mostrata una schermata con i rilevamenti
Seleziona l'opzione "Cure" per i rilevamenti "malicious" e l'opzione "Skip" per quelli "Suspicious"
Clicca su Next/Continue per applicare le azioni
Per portare a termine la disinfezione TDSSKiller potrebbe richiedere un riavvio del computer
Al termine della procedura posta il log di TDSSKiller che si trova in C:\

Al riavvio del computer genera un log completo con OTL:

Scarica OTL da qui
Disattivare o terminare tutte le protezioni in tempo reale di programmi anti-spyware, antivirus, anti-malware, che possono influenzare OTL
Avviare OTL mediante doppio click
Quando apparirà la schermata di OTL regolare le impostazioni come segue:
Cliccare su Run Scan per avviare la scansione
Non utilizzare il computer durante l'esecuzione di OTL
Al termine della scansione verranno generati due log e appariranno due finestre del Blocco Note
Salva il log OTL come OTL.txt sul Desktop ed includilo nel tuo prossimo messaggio
Salva il log Extra come Extra.txt sul Desktop ed includilo nel tuo prossimo messaggio

Dopo aver generato il log di OTL utilizza Combofix:

Scaricare Combofix da qui
Rinominare Combofix in modo fantasioso
Disconnettere il computer da Internet
Disattivare o terminare tutte le protezioni in tempo reale di programmi anti-spyware, antivirus, anti-malware, che possono influenzare ComboFix
Terminare tutti i programmi non fondamentali del tuo computer
Fare doppio clic sul file
Non utilizzare il computer durante l'esecuzione di Combofix (nemmeno mouse e tastiera)
Quando Combofix finirà, salverà un log in:
C:\ComboFix.txt
Inserisci il log di Combofix nel tuo prossimo messaggio

Se il log di Combofix dovesse essere molto lungo postalo su paste2.org

[^]

da **Alcatosto** » ven nov 04, 2011 6:03 pm

Allora,
come da istruzioni:

-Log di TDSSKiller:

17:10:42.0375 3868 TDSS rootkit removing tool 2.6.15.0 Nov 3 2011 17:15:49
17:10:43.0343 3868 ============================================================
17:10:43.0343 3868 Current date / time: 2011/11/04 17:10:43.0343
17:10:43.0343 3868 SystemInfo:
17:10:43.0343 3868
17:10:43.0343 3868 OS Version: 5.1.2600 ServicePack: 3.0
17:10:43.0343 3868 Product type: Workstation
17:10:43.0343 3868 ComputerName: CPSASTD
17:10:43.0343 3868 UserName: marco
17:10:43.0343 3868 Windows directory: C:\WINDOWS
17:10:43.0343 3868 System windows directory: C:\WINDOWS
17:10:43.0343 3868 Processor architecture: Intel x86
17:10:43.0343 3868 Number of processors: 2
17:10:43.0343 3868 Page size: 0x1000
17:10:43.0343 3868 Boot type: Normal boot
17:10:43.0343 3868 ============================================================
17:10:43.0843 3868 Initialize success
17:10:59.0593 5316 ============================================================
17:10:59.0593 5316 Scan started
17:10:59.0593 5316 Mode: Manual;
17:10:59.0593 5316 ============================================================
17:11:00.0296 5316 Abiosdsk - ok
17:11:00.0343 5316 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
17:11:00.0343 5316 abp480n5 - ok
17:11:00.0468 5316 ACPI (d766e636187b8f240bbfbabcd51eb2c6) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:11:00.0468 5316 ACPI - ok
17:11:00.0468 5316 ACPIEC (49ac5cd87fbdda62f3e25190019e7627) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
17:11:00.0468 5316 ACPIEC - ok
17:11:00.0531 5316 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:11:00.0531 5316 adpu160m - ok
17:11:00.0625 5316 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:11:00.0625 5316 aec - ok
17:11:00.0781 5316 AESTAud (f21d5e93a94514be9f5b6ebf74a696b2) C:\WINDOWS\system32\drivers\AESTAud.sys
17:11:00.0781 5316 AESTAud - ok
17:11:00.0843 5316 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
17:11:00.0843 5316 AFD - ok
17:11:00.0921 5316 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:11:00.0921 5316 agp440 - ok
17:11:01.0000 5316 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
17:11:01.0000 5316 agpCPQ - ok
17:11:01.0000 5316 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
17:11:01.0000 5316 Aha154x - ok
17:11:01.0015 5316 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
17:11:01.0015 5316 aic78u2 - ok
17:11:01.0031 5316 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
17:11:01.0031 5316 aic78xx - ok
17:11:01.0109 5316 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
17:11:01.0109 5316 AliIde - ok
17:11:01.0296 5316 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
17:11:01.0296 5316 alim1541 - ok
17:11:01.0312 5316 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
17:11:01.0312 5316 amdagp - ok
17:11:01.0343 5316 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
17:11:01.0343 5316 amsint - ok
17:11:01.0484 5316 ApfiltrService (b83f9da84f7079451c1c6a4a2f140920) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
17:11:01.0500 5316 ApfiltrService - ok
17:11:01.0531 5316 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
17:11:01.0531 5316 Arp1394 - ok
17:11:01.0593 5316 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
17:11:01.0593 5316 asc - ok
17:11:01.0734 5316 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
17:11:01.0734 5316 asc3350p - ok
17:11:01.0750 5316 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
17:11:01.0750 5316 asc3550 - ok
17:11:01.0765 5316 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:11:01.0765 5316 AsyncMac - ok
17:11:01.0781 5316 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:11:01.0781 5316 atapi - ok
17:11:01.0796 5316 Atdisk - ok
17:11:01.0796 5316 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:11:01.0796 5316 Atmarpc - ok
17:11:01.0859 5316 ATSwpWDF (fb36849fc6fe110a33bf38b8a6df6114) C:\WINDOWS\system32\Drivers\ATSwpWDF.sys
17:11:01.0875 5316 ATSwpWDF - ok
17:11:02.0000 5316 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:11:02.0000 5316 audstub - ok
17:11:02.0062 5316 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
17:11:02.0062 5316 AVGIDSDriver - ok
17:11:02.0203 5316 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
17:11:02.0203 5316 AVGIDSEH - ok
17:11:02.0250 5316 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
17:11:02.0250 5316 AVGIDSFilter - ok
17:11:02.0359 5316 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
17:11:02.0359 5316 AVGIDSShim - ok
17:11:02.0390 5316 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
17:11:02.0390 5316 Avgldx86 - ok
17:11:02.0515 5316 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
17:11:02.0515 5316 Avgmfx86 - ok
17:11:02.0718 5316 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
17:11:02.0718 5316 Avgrkx86 - ok
17:11:02.0750 5316 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
17:11:02.0750 5316 Avgtdix - ok
17:11:02.0812 5316 b57w2k (ea377a8e8e1000877210259750cbbf5f) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
17:11:02.0812 5316 b57w2k - ok
17:11:02.0968 5316 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:11:02.0984 5316 Beep - ok
17:11:03.0031 5316 Blfp (a341cdb0beb6880f11678944f292dd16) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
17:11:03.0031 5316 Blfp - ok
17:11:03.0203 5316 btaudio (f688bbbe8e3e7e03e35caabd66616ddb) C:\WINDOWS\system32\drivers\btaudio.sys
17:11:03.0203 5316 btaudio - ok
17:11:03.0375 5316 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
17:11:03.0375 5316 BTDriver - ok
17:11:03.0468 5316 BTKRNL (38a3331e2f690d4cdc9de0604b9416e5) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
17:11:03.0484 5316 BTKRNL - ok
17:11:03.0656 5316 BTWDNDIS (80f61de965c116051614ac2f04222ff7) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
17:11:03.0656 5316 BTWDNDIS - ok
17:11:03.0671 5316 btwmodem (5922bae0cd84924b9cd7e6bb515ee070) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
17:11:03.0671 5316 btwmodem - ok
17:11:03.0828 5316 BTWUSB (d5af663711660d32ec230c6aaf7b6b83) C:\WINDOWS\system32\Drivers\btwusb.sys
17:11:03.0828 5316 BTWUSB - ok
17:11:03.0859 5316 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
17:11:03.0859 5316 cbidf - ok
17:11:03.0968 5316 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:11:03.0968 5316 cbidf2k - ok
17:11:04.0015 5316 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
17:11:04.0031 5316 CCDECODE - ok
17:11:04.0046 5316 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
17:11:04.0046 5316 cd20xrnt - ok
17:11:04.0203 5316 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:11:04.0203 5316 Cdaudio - ok
17:11:04.0234 5316 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:11:04.0234 5316 Cdfs - ok
17:11:04.0250 5316 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:11:04.0250 5316 Cdrom - ok
17:11:04.0375 5316 Changer - ok
17:11:04.0421 5316 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
17:11:04.0421 5316 CmBatt - ok
17:11:04.0453 5316 CmdIde (03a71b880380d15a0f951612b0f52be8) C:\WINDOWS\system32\DRIVERS\cmdide.sys
17:11:04.0453 5316 CmdIde - ok
17:11:04.0593 5316 CnxEtP (d756055f2e3566deb70b8cbfd8a7bd2c) C:\WINDOWS\system32\DRIVERS\CnxEtP.sys
17:11:04.0609 5316 CnxEtP - ok
17:11:04.0640 5316 CnxEtU (08b390fc769399ca9b49bd9a5afe6883) C:\WINDOWS\system32\DRIVERS\CnxEtU.sys
17:11:04.0640 5316 CnxEtU - ok
17:11:04.0796 5316 CnxTgN (ef5ffd83a6e36349bec8bf9a5f80729d) C:\WINDOWS\system32\DRIVERS\CnxTgN.sys
17:11:04.0796 5316 CnxTgN - ok
17:11:04.0843 5316 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
17:11:04.0843 5316 Compbatt - ok
17:11:05.0015 5316 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
17:11:05.0015 5316 Cpqarray - ok
17:11:05.0031 5316 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
17:11:05.0031 5316 dac2w2k - ok
17:11:05.0046 5316 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
17:11:05.0046 5316 dac960nt - ok
17:11:05.0093 5316 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:11:05.0093 5316 Disk - ok
17:11:05.0250 5316 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
17:11:05.0250 5316 DLABMFSM - ok
17:11:05.0281 5316 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
17:11:05.0281 5316 DLABOIOM - ok
17:11:05.0437 5316 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
17:11:05.0437 5316 DLACDBHM - ok
17:11:05.0437 5316 DLADResM (18c4fa60a471a5ee79d88e7f0033e403) C:\WINDOWS\system32\Drivers\DLADResM.SYS
17:11:05.0437 5316 DLADResM - ok
17:11:05.0484 5316 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
17:11:05.0484 5316 DLAIFS_M - ok
17:11:05.0484 5316 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
17:11:05.0484 5316 DLAOPIOM - ok
17:11:05.0500 5316 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
17:11:05.0500 5316 DLAPoolM - ok
17:11:05.0500 5316 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
17:11:05.0515 5316 DLARTL_M - ok
17:11:05.0515 5316 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
17:11:05.0515 5316 DLAUDFAM - ok
17:11:05.0531 5316 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
17:11:05.0531 5316 DLAUDF_M - ok
17:11:05.0609 5316 dmboot (82bc125a8ed33f5f0e75f2aac1065323) C:\WINDOWS\system32\drivers\dmboot.sys
17:11:05.0609 5316 dmboot - ok
17:11:05.0781 5316 dmio (e959ddc0ea7ac11ee5e5602e2a364310) C:\WINDOWS\system32\drivers\dmio.sys
17:11:05.0781 5316 dmio - ok
17:11:05.0828 5316 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:11:05.0828 5316 dmload - ok
17:11:05.0984 5316 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:11:05.0984 5316 DMusic - ok
17:11:06.0031 5316 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
17:11:06.0031 5316 dpti2o - ok
17:11:06.0203 5316 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:11:06.0203 5316 drmkaud - ok
17:11:06.0281 5316 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
17:11:06.0281 5316 DRVMCDB - ok
17:11:06.0421 5316 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
17:11:06.0421 5316 DRVNDDM - ok
17:11:06.0453 5316 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:11:06.0453 5316 Fastfat - ok
17:11:06.0500 5316 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
17:11:06.0500 5316 Fdc - ok
17:11:06.0546 5316 Fips (2cfea3326981a18c6baf2bd9be76225b) C:\WINDOWS\system32\drivers\Fips.sys
17:11:06.0546 5316 Fips - ok
17:11:06.0625 5316 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
17:11:06.0625 5316 Flpydisk - ok
17:11:06.0687 5316 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
17:11:06.0687 5316 FltMgr - ok
17:11:06.0703 5316 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:11:06.0703 5316 Fs_Rec - ok
17:11:06.0750 5316 FTDIBUS (b7aa8283ec551d3a3b924e520e0621a7) C:\WINDOWS\system32\drivers\ftdibus.sys
17:11:06.0765 5316 FTDIBUS - ok
17:11:06.0937 5316 Ftdisk (f3269a6ee547ea87b949a1cea4816b38) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:11:06.0937 5316 Ftdisk - ok
17:11:06.0984 5316 FTSER2K (596d31583ce332b5514520d74837f434) C:\WINDOWS\system32\drivers\ftser2k.sys
17:11:06.0984 5316 FTSER2K - ok
17:11:07.0031 5316 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
17:11:07.0046 5316 GEARAspiWDM - ok
17:11:07.0218 5316 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:11:07.0218 5316 Gpc - ok
17:11:07.0265 5316 GrabsterSeries.X86 (00a1fdf812ae26730bc94f08047ca2a0) C:\WINDOWS\system32\DRIVERS\GrabsterSeries.X86.SYS
17:11:07.0281 5316 GrabsterSeries.X86 - ok
17:11:07.0312 5316 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
17:11:07.0312 5316 hamachi - ok
17:11:07.0359 5316 hardlock (c1cc0c9742b881c42f1cc628e6f9ebd1) C:\WINDOWS\system32\drivers\hardlock.sys
17:11:07.0359 5316 hardlock - ok
17:11:07.0500 5316 Haspnt (2dd25f060dc9f79b5cdf33d90ed93669) C:\WINDOWS\system32\drivers\Haspnt.sys
17:11:07.0500 5316 Haspnt - ok
17:11:07.0546 5316 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
17:11:07.0562 5316 HDAudBus - ok
17:11:07.0593 5316 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:11:07.0609 5316 hidusb - ok
17:11:07.0750 5316 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
17:11:07.0750 5316 hpn - ok
17:11:07.0781 5316 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:11:07.0781 5316 HTTP - ok
17:11:07.0953 5316 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
17:11:07.0953 5316 i2omgmt - ok
17:11:07.0984 5316 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
17:11:07.0984 5316 i2omp - ok
17:11:08.0031 5316 i8042prt (610726e28af55b95043c5c35a727e320) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:11:08.0031 5316 i8042prt - ok
17:11:08.0421 5316 ialm (3b743262b6456167888d15f1121b3bf7) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
17:11:08.0671 5316 ialm - ok
17:11:08.0859 5316 iaStor (71ecc07bc7c5e24c3dd01d8a29a24054) C:\WINDOWS\system32\drivers\iaStor.sys
17:11:08.0859 5316 iaStor - ok
17:11:08.0921 5316 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:11:08.0921 5316 Imapi - ok
17:11:09.0093 5316 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
17:11:09.0093 5316 ini910u - ok
17:11:09.0140 5316 IntcHdmiAddService (f32a62c765885bd8e4352a1565f702a6) C:\WINDOWS\system32\drivers\IntcHdmi.sys
17:11:09.0140 5316 IntcHdmiAddService - ok
17:11:09.0296 5316 IntelIde (027fe9b28fb0f861c181d25923b31e78) C:\WINDOWS\system32\DRIVERS\intelide.sys
17:11:09.0296 5316 IntelIde - ok
17:11:09.0343 5316 intelppm (ebd830a0970c438047006a49c23e287f) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:11:09.0343 5316 intelppm - ok
17:11:09.0390 5316 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
17:11:09.0406 5316 Ip6Fw - ok
17:11:09.0500 5316 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:11:09.0500 5316 IpFilterDriver - ok
17:11:09.0531 5316 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:11:09.0531 5316 IpInIp - ok
17:11:09.0562 5316 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:11:09.0578 5316 IpNat - ok
17:11:09.0687 5316 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:11:09.0687 5316 IPSec - ok
17:11:09.0734 5316 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:11:09.0734 5316 IRENUM - ok
17:11:09.0812 5316 isapnp (0953594beb81cc72fcc62d37921b25a6) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:11:09.0812 5316 isapnp - ok
17:11:09.0875 5316 Kbdclass (28b6eace513ca7eaba3b809ad4bc274d) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:11:09.0890 5316 Kbdclass - ok
17:11:09.0968 5316 kbdhid (4c61c226bdda2ef1672b2c5f4e56625e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:11:09.0968 5316 kbdhid - ok
17:11:10.0031 5316 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:11:10.0031 5316 kmixer - ok
17:11:10.0109 5316 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:11:10.0109 5316 KSecDD - ok
17:11:10.0125 5316 lbrtfdc - ok
17:11:10.0171 5316 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:11:10.0171 5316 mnmdd - ok
17:11:10.0265 5316 Modem (8cb6636806d76b85fafaee94d75f5129) C:\WINDOWS\system32\drivers\Modem.sys
17:11:10.0265 5316 Modem - ok
17:11:10.0359 5316 Mouclass (e904ebed608055a2bfb824c07f59766c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:11:10.0359 5316 Mouclass - ok
17:11:10.0406 5316 mouhid (d7662f0cf5b77bbbe3202716f5bd5318) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:11:10.0406 5316 mouhid - ok
17:11:10.0406 5316 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:11:10.0406 5316 MountMgr - ok
17:11:10.0453 5316 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
17:11:10.0453 5316 MPE - ok
17:11:10.0500 5316 MpKsl57ce6d18 - ok
17:11:10.0609 5316 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
17:11:10.0609 5316 mraid35x - ok
17:11:10.0718 5316 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:11:10.0718 5316 MRxDAV - ok
17:11:10.0812 5316 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:11:10.0812 5316 MRxSmb - ok
17:11:10.0906 5316 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:11:10.0906 5316 Msfs - ok
17:11:10.0984 5316 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:11:11.0000 5316 MSKSSRV - ok
17:11:11.0046 5316 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:11:11.0046 5316 MSPCLOCK - ok
17:11:11.0046 5316 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:11:11.0046 5316 MSPQM - ok
17:11:11.0109 5316 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:11:11.0109 5316 mssmbios - ok
17:11:11.0218 5316 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
17:11:11.0218 5316 MSTEE - ok
17:11:11.0281 5316 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
17:11:11.0281 5316 Mup - ok
17:11:11.0375 5316 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:11:11.0375 5316 NABTSFEC - ok
17:11:11.0500 5316 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:11:11.0500 5316 NDIS - ok
17:11:11.0546 5316 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:11:11.0546 5316 NdisIP - ok
17:11:11.0750 5316 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:11:11.0750 5316 NdisTapi - ok
17:11:11.0812 5316 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:11:11.0812 5316 Ndisuio - ok
17:11:11.0921 5316 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:11:11.0937 5316 NdisWan - ok
17:11:12.0000 5316 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
17:11:12.0000 5316 NDProxy - ok
17:11:12.0031 5316 Netaapl (7afd0e39ab15cb355487b7cc19f4e2c5) C:\WINDOWS\system32\DRIVERS\netaapl.sys
17:11:12.0031 5316 Netaapl - ok
17:11:12.0203 5316 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:11:12.0203 5316 NetBIOS - ok
17:11:12.0265 5316 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:11:12.0265 5316 NetBT - ok
17:11:12.0453 5316 NETw5x32 (a3b69acd14051ae87ab9e1823a508b6d) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
17:11:12.0640 5316 NETw5x32 - ok
17:11:12.0812 5316 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
17:11:12.0812 5316 NIC1394 - ok
17:11:12.0812 5316 Suspicious service (NoAccess): nkpegdf
17:11:12.0843 5316 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:11:12.0843 5316 Npfs - ok
17:11:12.0906 5316 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:11:12.0906 5316 Ntfs - ok
17:11:13.0093 5316 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:11:13.0093 5316 Null - ok
17:11:13.0093 5316 NvtSp50 - ok
17:11:13.0125 5316 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:11:13.0125 5316 NwlnkFlt - ok
17:11:13.0265 5316 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:11:13.0265 5316 NwlnkFwd - ok
17:11:13.0312 5316 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
17:11:13.0312 5316 ohci1394 - ok
17:11:13.0484 5316 ONDAusbmdm6k (b24ad0f53fe0c51624943058fcae6e5d) C:\WINDOWS\system32\DRIVERS\ONDAusbmdm6k.sys
17:11:13.0484 5316 ONDAusbmdm6k - ok
17:11:13.0500 5316 ONDAusbnet (1284560b6463c55af7407523d470f37f) C:\WINDOWS\system32\DRIVERS\ONDAusbnet.sys
17:11:13.0500 5316 ONDAusbnet - ok
17:11:13.0656 5316 ONDAusbnmea (b24ad0f53fe0c51624943058fcae6e5d) C:\WINDOWS\system32\DRIVERS\ONDAusbnmea.sys
17:11:13.0656 5316 ONDAusbnmea - ok
17:11:13.0687 5316 ONDAusbser6k (b24ad0f53fe0c51624943058fcae6e5d) C:\WINDOWS\system32\DRIVERS\ONDAusbser6k.sys
17:11:13.0703 5316 ONDAusbser6k - ok
17:11:13.0734 5316 Parport (4e9408a178b2d955871c2cdd278de3c3) C:\WINDOWS\system32\drivers\Parport.sys
17:11:13.0734 5316 Parport - ok
17:11:13.0875 5316 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:11:13.0875 5316 PartMgr - ok
17:11:13.0875 5316 ParVdm (0dabef655a444cb1e193626fb1d24b9f) C:\WINDOWS\system32\drivers\ParVdm.sys
17:11:13.0875 5316 ParVdm - ok
17:11:13.0906 5316 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
17:11:13.0906 5316 PBADRV - ok
17:11:13.0921 5316 PCI (f40a46892afebb0314536b849d57c11e) C:\WINDOWS\system32\DRIVERS\pci.sys
17:11:13.0921 5316 PCI - ok
17:11:14.0031 5316 PCIDump - ok
17:11:14.0078 5316 PCIIde (b2df00d650fd6c4ee781740ed3c8e67f) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:11:14.0078 5316 PCIIde - ok
17:11:14.0125 5316 Pcmcia (815c50f2b1d1562800bdce8be895000e) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
17:11:14.0125 5316 Pcmcia - ok
17:11:14.0250 5316 PDCOMP - ok
17:11:14.0250 5316 PDFRAME - ok
17:11:14.0265 5316 PDRELI - ok
17:11:14.0281 5316 PDRFRAME - ok
17:11:14.0328 5316 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
17:11:14.0328 5316 perc2 - ok
17:11:14.0437 5316 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
17:11:14.0437 5316 perc2hib - ok
17:11:14.0500 5316 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:11:14.0546 5316 PptpMiniport - ok
17:11:14.0609 5316 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:11:14.0609 5316 PSched - ok
17:11:14.0734 5316 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:11:14.0734 5316 Ptilink - ok
17:11:14.0781 5316 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:11:14.0781 5316 PxHelp20 - ok
17:11:14.0812 5316 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
17:11:14.0812 5316 ql1080 - ok
17:11:14.0828 5316 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
17:11:14.0843 5316 Ql10wnt - ok
17:11:14.0875 5316 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
17:11:14.0875 5316 ql12160 - ok
17:11:15.0015 5316 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
17:11:15.0015 5316 ql1240 - ok
17:11:15.0031 5316 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
17:11:15.0031 5316 ql1280 - ok
17:11:15.0062 5316 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:11:15.0062 5316 RasAcd - ok
17:11:15.0203 5316 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:11:15.0203 5316 Rasl2tp - ok
17:11:15.0203 5316 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:11:15.0203 5316 RasPppoe - ok
17:11:15.0218 5316 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:11:15.0218 5316 Raspti - ok
17:11:15.0250 5316 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:11:15.0250 5316 Rdbss - ok
17:11:15.0406 5316 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:11:15.0406 5316 RDPCDD - ok
17:11:15.0484 5316 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:11:15.0484 5316 rdpdr - ok
17:11:15.0546 5316 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
17:11:15.0546 5316 RDPWD - ok
17:11:15.0703 5316 redbook (393fc252593323b624b230eca6b85e63) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:11:15.0703 5316 redbook - ok
17:11:15.0765 5316 rimmptsk (ea885e7a56f1be1f14c372337c42fe48) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
17:11:15.0765 5316 rimmptsk - ok
17:11:15.0828 5316 s24trans (87940243ea2ad3ebe274f5409c5e9072) C:\WINDOWS\system32\DRIVERS\s24trans.sys
17:11:15.0828 5316 s24trans - ok
17:11:15.0984 5316 SASDIFSV (39763504067962108505bff25f024345) C:\Programmi\SUPERAntiSpyware\SASDIFSV.SYS
17:11:15.0984 5316 SASDIFSV - ok
17:11:16.0000 5316 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Programmi\SUPERAntiSpyware\SASKUTIL.SYS
17:11:16.0000 5316 SASKUTIL - ok
17:11:16.0125 5316 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
17:11:16.0125 5316 sdbus - ok
17:11:16.0171 5316 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:11:16.0171 5316 Secdrv - ok
17:11:16.0218 5316 Sentinel (a2cc81c30bef6ac9f27055490eef6de3) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
17:11:16.0218 5316 Sentinel - ok
17:11:16.0343 5316 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:11:16.0343 5316 Serenum - ok
17:11:16.0421 5316 Serial (fdbd9d64e2e03270021d424f0dccf79d) C:\WINDOWS\system32\DRIVERS\serial.sys
17:11:16.0421 5316 Serial - ok
17:11:16.0468 5316 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
17:11:16.0468 5316 sffdisk - ok
17:11:16.0562 5316 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
17:11:16.0562 5316 sffp_sd - ok
17:11:16.0625 5316 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:11:16.0625 5316 Sfloppy - ok
17:11:16.0671 5316 Simbad - ok
17:11:16.0703 5316 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
17:11:16.0703 5316 sisagp - ok
17:11:16.0781 5316 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:11:16.0781 5316 SLIP - ok
17:11:16.0828 5316 Sntnlusb (9de6e60ce7fd82b4985de5d9c22265ad) C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
17:11:16.0828 5316 Sntnlusb - ok
17:11:16.0921 5316 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
17:11:16.0921 5316 Sparrow - ok
17:11:17.0031 5316 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:11:17.0031 5316 splitter - ok
17:11:17.0093 5316 sr (618718cae288bf7cbd8fcbab2577d932) C:\WINDOWS\system32\DRIVERS\sr.sys
17:11:17.0109 5316 sr - ok
17:11:17.0171 5316 SRS_PremiumSound_Service (584477fdfa731af4635f5875c6b52531) C:\WINDOWS\system32\drivers\srs_PremiumSound_i386.sys
17:11:17.0171 5316 SRS_PremiumSound_Service - ok
17:11:17.0296 5316 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
17:11:17.0312 5316 Srv - ok
17:11:17.0484 5316 STHDA (1b76479b80ff0f6e245ba590a64102be) C:\WINDOWS\system32\drivers\sthda.sys
17:11:17.0500 5316 STHDA - ok
17:11:17.0671 5316 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:11:17.0671 5316 streamip - ok
17:11:17.0718 5316 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:11:17.0718 5316 swenum - ok
17:11:17.0781 5316 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:11:17.0781 5316 swmidi - ok
17:11:17.0937 5316 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
17:11:17.0937 5316 symc810 - ok
17:11:17.0984 5316 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
17:11:17.0984 5316 symc8xx - ok
17:11:18.0000 5316 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
17:11:18.0000 5316 sym_hi - ok
17:11:18.0015 5316 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
17:11:18.0015 5316 sym_u3 - ok
17:11:18.0062 5316 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:11:18.0062 5316 sysaudio - ok
17:11:18.0265 5316 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:11:18.0265 5316 Tcpip - ok
17:11:18.0296 5316 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
17:11:18.0296 5316 Tcpip6 - ok
17:11:18.0453 5316 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:11:18.0453 5316 TDPIPE - ok
17:11:18.0453 5316 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:11:18.0453 5316 TDTCP - ok
17:11:18.0500 5316 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:11:18.0500 5316 TermDD - ok
17:11:18.0515 5316 TosIde (b5cee774da04340c6f4c0fd14286a50e) C:\WINDOWS\system32\DRIVERS\toside.sys
17:11:18.0515 5316 TosIde - ok
17:11:18.0562 5316 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
17:11:18.0562 5316 tunmp - ok
17:11:18.0718 5316 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:11:18.0718 5316 Udfs - ok
17:11:18.0750 5316 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
17:11:18.0750 5316 ultra - ok
17:11:18.0796 5316 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:11:18.0796 5316 Update - ok
17:11:18.0984 5316 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
17:11:18.0984 5316 USBAAPL - ok
17:11:19.0031 5316 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
17:11:19.0031 5316 usbaudio - ok
17:11:19.0171 5316 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:11:19.0171 5316 usbccgp - ok
17:11:19.0234 5316 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:11:19.0234 5316 usbehci - ok
17:11:19.0281 5316 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:11:19.0281 5316 usbhub - ok
17:11:19.0437 5316 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:11:19.0437 5316 usbprint - ok
17:11:19.0484 5316 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:11:19.0484 5316 usbscan - ok
17:11:19.0687 5316 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:11:19.0703 5316 USBSTOR - ok
17:11:19.0750 5316 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:11:19.0750 5316 usbuhci - ok
17:11:19.0921 5316 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:11:19.0921 5316 VgaSave - ok
17:11:19.0968 5316 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
17:11:19.0968 5316 viaagp - ok
17:11:19.0984 5316 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
17:11:19.0984 5316 ViaIde - ok
17:11:20.0140 5316 VolSnap (e46c1b5a56da7da603d09dfcc79ec59e) C:\WINDOWS\system32\drivers\VolSnap.sys
17:11:20.0140 5316 VolSnap - ok
17:11:20.0171 5316 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:11:20.0171 5316 Wanarp - ok
17:11:20.0218 5316 WavxDMgr (f9cea286b0f8311be823d071eabdf6e0) C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
17:11:20.0218 5316 WavxDMgr - ok
17:11:20.0359 5316 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
17:11:20.0359 5316 wceusbsh - ok
17:11:20.0406 5316 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
17:11:20.0406 5316 Wdf01000 - ok
17:11:20.0531 5316 WDICA - ok
17:11:20.0593 5316 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:11:20.0593 5316 wdmaud - ok
17:11:20.0687 5316 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
17:11:20.0687 5316 WmiAcpi - ok
17:11:20.0734 5316 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:11:20.0734 5316 WSTCODEC - ok
17:11:20.0765 5316 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:11:20.0765 5316 WudfPf - ok
17:11:20.0890 5316 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:11:20.0890 5316 WudfRd - ok
17:11:20.0937 5316 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
17:11:20.0953 5316 \Device\Harddisk0\DR0 - ok
17:11:20.0953 5316 Boot (0x1200) (a9d3d74807a217dce5c908e8bdb4b28c) \Device\Harddisk0\DR0\Partition0
17:11:20.0953 5316 \Device\Harddisk0\DR0\Partition0 - ok
17:11:20.0953 5316 ============================================================
17:11:20.0953 5316 Scan finished
17:11:20.0953 5316 ============================================================
17:11:20.0968 3868 Detected object count: 0
17:11:20.0968 3868 Actual detected object count: 0
17:11:59.0171 4660 Deinitialize success

Continua nel post successivo

da **Alcatosto** » ven nov 04, 2011 6:17 pm

Non mi fa caricare gli altri log perché il messaggio risulta troppo lungo, ma non ho capito come funziona paste.org !!

da **Alcatosto** » ven nov 04, 2011 6:22 pm

Scusate ma sono completamente andato [acc2]

Allora qui il post ordinato con tutti i file di log:

1-Log di TDSSKiller
http://paste2.org/p/1758364

2-Log di OTL Otl.txt
http://paste2.org/p/1758356

3-Log di OTL Extras.txt
http://paste2.org/p/1758357

4-Log di Combofix
http://paste2.org/p/1758366

[grazie]

E grazie sempre per la pazienza ! [grazie]

Ciao

da **hashcat** » sab nov 05, 2011 3:13 pm

Dopo una lunga analisi ho trovato differenti irregolarità:

Il tuo computer sembra essere infetto (sono presenti tracce) dal Worm Conficker.

Per accertarci di rimuovere tutte le possibili tracce utilizza i seguenti Removal Tools:

Kaspersky

F-secure

Bitdefender

Symantec

Dopo aver utilizzato i removal tools riesegui nuovamente il fix del ripristino configurazione di sistema.

Devo raccogliere maggiori informazioni sulle anomalie; segui questa procedura:

Scarica SystemLook da qui
Avvia SystemLook
Inserisci il seguente script nella casella di testo (copia e incolla):

Codice: Seleziona tutto
:dir C:\ee98cd523dd9918bf1504913414d6d /s /md5 C:\WINDOWS\System32\drivers\UMDF /s /md5 C:\sr /s /md5 C:\WINDOWS\TempFile /s /md5 C:\Documents and Settings\All Users\Dati applicazioni\{429CAD59-35B1-4DBC-BB6D-1DB246563521} /s /md5 :regfind ldoek ldoek.dll :file C:\WINDOWS\System32\SMgina.dll C:\WINDOWS\System32\nscompat.tlb C:\WINDOWS\System32\amcompat.tlb C:\WINDOWS\System32\mlfcache.dat C:\WINDOWS\nsreg.dat C:\windows\system32\WININET.dll C:\WINDOWS\system32\ldoek.dll :filefind ldoek.* ::env
Disattiva o termina tutte le protezioni in tempo reale di programmi anti-spyware, antivirus, anti-malware, che possono influenzare SystemLook
Clicca su
Aspetta finché non verrà generato un log e aperto con il Blocco Note
Dal menu del Blocco Note seleziona la voce Modifica >> Seleziona Tutto e successivamente Modifica >> Copia
Inserisci il contenuto copiato nel tuo prossimo messaggio

Carica su Virustotal i seguenti file e se infetti riportane il link:

Codice: Seleziona tutto: C:\WINDOWS\System32\SMgina.dll C:\WINDOWS\System32\nscompat.tlb C:\WINDOWS\System32\amcompat.tlb C:\WINDOWS\System32\mlfcache.dat C:\WINDOWS\nsreg.dat C:\windows\system32\WININET.dll C:\WINDOWS\system32\ldoek.dll

Poi esegui il seguente fix con OTL:

Codice: Seleziona tutto: :OTL [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Dati applicazioni\TEMP:0B4227B4 :Files ipconfig /flushdns /c :Commands [PURITY] [EMPTYTEMP]

Il computer verrà riavviato, passiamo a Combofix:

Disconnetti il computer da Internet
Termina ogni programma inutile
Chiudi/disabilita ogni Antivirus/Antispyware/Antimalware e qualunque programma di sicurezza in generale in modo che non interferisca con Combofix
Premi WIN+R , digita notepad.exe e premi Invio
Assicurati che sotto la casella formato sia disablitata la funzione "A capo automatico"
Copia ed incolla nella finestra del Blocco Note il seguente script:

Codice: Seleziona tutto
KillAll:: Registry:: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "4146:TCP"=- [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "4146:TCP"=- Folder:: C:\WINDOWS\PIF RegLock:: [HKEY_USERS\S-1-5-21-1676671610-3273154838-3758250303-1005\Software\Microsoft\SystemCertificates\AddressBook*] FCopy:: C:\WINDOWS\System32\nscompat.tlb | C:\Documents and Settings\marco\Desktop\conserva\nscompat.tlb C:\WINDOWS\System32\amcompat.tlb | C:\Documents and Settings\marco\Desktop\conserva\amcompat.tlb C:\WINDOWS\System32\mlfcache.dat | C:\Documents and Settings\marco\Desktop\conserva\mlfcache.dat C:\WINDOWS\nsreg.dat | C:\Documents and Settings\marco\Desktop\conserva\nsreg.dat C:\WINDOWS\system32\ldoek.dll | C:\Documents and Settings\marco\Desktop\conserva\ldoek.dll File:: C:\WINDOWS\System32\nscompat.tlb C:\WINDOWS\System32\amcompat.tlb C:\WINDOWS\System32\mlfcache.dat C:\WINDOWS\nsreg.dat C:\WINDOWS\system32\ldoek.dll Reboot::
Salva il seguente script come CFScript.txt nello stesso percorso di Combofix
Trascina il file CFScript.txt sopra Combofix come mostrato nell'immagine sottostante:
Terminata la procedura Combofix produrrà un log che si troverà in C:\ComboFix[Numero più alto].txt
Includi questo log nel tuo prossimo messaggio

Il computer verrà riavviato, sul Desktop dovrebbe apparire la cartella "conserva" dove è contenuta una copia dei files eliminati.

[weponed]

da **Alcatosto** » sab nov 05, 2011 3:42 pm

Mi è tutto chiaro e sto già eseguendo i Removal , tranne Bitdefender poiché la pagina è offline.

Ho solo due dubbi:
1-

hashcat ha scritto:Dopo aver utilizzato i removal tools riesegui nuovamente il fix del ripristino configurazione di sistema.

Intendi le chiavi di registro da modificare che mi sono state date nel precedente post da hashcat ?

hashcat ha scritto:http://dl.dropbox.com/u/40765847/topic74236/Disable_windows_restore.reg

2-
Il problema che vi ho precedentemente esposto

Alcatosto ha scritto:Come se non bastasse riavviando il pc non mi fa entrare direttamente come prima ma mi chiede nome utente e password in stile windows 2000. Ora quando entro e provo da pannello di controllo a modificare la modalità di accesso mi spunta questo bell'errore:
Un programma installato di recente ha causato la disattivazione della schermata iniziale e del Cambio rapido utente. Per ripristinare questa funzionalità, disinstallare il programma. I seguenti nomi di file possono essere utili per l'identificazione del programma che ha causato la modifica: smgina.dll

Secondo voi da cosa è dato (tenendo conto che ho eseguito solo i programmi che vi ho detto e non ho modificato altro) e come posso risolvere ?!

Ciao

è dato da questo worm ? e in ogni caso è un problema che per ora metto da parte e risolverò finita la pulizia del worm ?
Grazie a tutti
ciao

da **Alcatosto** » sab nov 05, 2011 5:14 pm

Ciao a tutti,
e allora. . . [acc2]

1- Analisi con i Removal Tools:
- Kaspersky: 0 problemi.
- F-secure: 0 problemi.
- Bitdefender: Link inattivo. Non eseguito
- Symantec: 0 problemi.

2- Fix del Ripristino configurazione di sistema:
- Se è come ho capito allora fatto anche questo.

3- Log di SystemLook:
-http://paste2.org/p/1760354

4- Scansione su VirusTotal :
-Tutto 0/43

5- Fix di OTL :
-Eseguito e completato correttamente.

6- Log di ComboFix :
-http://paste2.org/p/1760356

Grazie sempre. [grazie]

ciao

da **hashcat** » sab nov 05, 2011 7:43 pm

Per prima cosa vorrei leggere il log di OTL, presente in C:\_OTL

Scarica l'ultima versione di Gmer, avvialo, se viene mostrato a schermo un avviso seleziona no.
Gmer deve essere configurato come in questa schermata:

Immagine

Dopo averlo configurato adeguatamente clicca su Scan, al termine della scansione salva il log ed inseriscilo nel tuo prossimo messaggio.

Riprendendo SystemLook impartisci il seguente script:

Codice: Seleziona tutto: :regfind nkpegdf :reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ /sub HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ /sub HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ /sub HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ /sub HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ /sub HKEY_USERS\S-1-5-21\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ /sub HKEY_USERS\S-1-5-21-1676671610-3273154838-3758250303-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ /sub HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nkpegdf\ /sub HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nkpegdf\ /sub HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\nkpegdf\ /sub

Crea lo script come sopra indicato e "dallo in pasto" a Combofix:

Codice: Seleziona tutto: KillAll:: Folder:: C:\sr RegLock:: [HKEY_USERS\S-1-5-21-1676671610-3273154838-3758250303-1005\Software\Microsoft\SystemCertificates\AddressBook*]

Ultimo passaggio (aswMBR):

Scarica lo strumento aswMBR da qui
Rinomina lo strumento in modo fantasioso
Avvia lo strumento mediante doppio click
Se richiesto di scaricare le firme di Avast rispondere no
Clicca sul pulsante "Scan" per avviare la scansione:
Al termine della scansione clicca sul pulsante "Save log", salva il log ed inseriscilo nel prossimo messaggio:

Quali anomalie riscontri utilizzando il computer?

[^]

da **Alcatosto** » dom nov 06, 2011 10:10 pm

Allora,
eccoci nuovamente qui !

1- Log di Gmer :
http://paste2.org/p/1762680

2- Log di aswMBR :
http://paste2.org/p/1762685

Per quanto riguarda i probemi riscontrati, non mi da la possibilità di modificare dal pannello di controllo\ Account Utente la Modalità di accesso e disconnessione . Se provo a cliccare mi da il seguente errore:

Un programma installato di recente ha causato la disattivazione della schermata iniziale e del Cambio rapido utente. Per ripristinare questa funzionalità, disinstallare il programma. I seguenti nomi di file possono essere utili per l'identificazione del programma che ha causato la modifica: smgina.dll

Infatti quando avvio il pc mi spunta la finestra di logon in modalità classica e ci stà un'eternità per entrare !
In ogni caso inserendo il cd di Windows XP e facendo il ripristino non mi dovrebbe sistemare le eventuali dll corrotte ?

Grazie a tutti sempre. [grazie]

ciao

da **hashcat** » lun nov 07, 2011 1:22 pm

I log di GMER e aswMBR sono puliti.

Per cercare di risolvere i problemi che tuttora sono presenti ho bisogno dei log di SystemLook, Combofix ed OTL che ti avevo chiesto nel precedente messaggio
[^]

da **Alcatosto** » lun nov 07, 2011 1:59 pm

Allora intanto ti ringrazio per avermi aiutato a pulire il computer ! [grazie]

Per quanto riguarda i problemi qui di seguito ti posto i log che mi hai richiesto:

1- log di SystemLook :
- http://paste2.org/p/1763907

2- log di Otl :
- http://paste2.org/p/1763909

3- log di Combofix :
- Purtroppo non ho il log precedente di Combofix [acc2]

, è un problema risolvibile ?

P.S: Poiché il portatile in questione è stato acquistato insieme ad un altro identico, sono riuscito a trovare il "gemello" ovvero lo stesso DELL Latitude E5500 configurato esattamente allo stesso modo. Se copio la dll in questione

smgina.dll

non dovrei risolvere il problema del logon ?

Grazie sempre per l'aiuto ! [grazie]

ciao

www.MegaLab.it

Pc Totalmente Infetto

Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Re: Pc Totalmente Infetto

Chi c’è in linea