virus malware 11396-23[1].exe

Post by Alex_sbafone » Tue Feb 13, 2007 11:29 am

Hello, good morning everyone!
I'm desperate!!!!
Last night I got a Valentine's Day email from a first name I knew, but honestly I didn't remember the surname... since I've given that address several times to girls I met in the evening at clubs, I went and clicked... I expected to find a virtual card or something like that... from that moment my problems started!
I'm desperate because I'm working on my thesis and I need a secure internet connection.
I have BitDefender as my antivirus; it finds the file 11396-23[1].exe and labels it as suspicious, generic.malware.yd.C4855F10, in the folder temporary internet file\content.IE5\XUN9HMW2
Among various attempts, I tried to delete that file myself directly, but the folder content.IE5\XUN9HMW2 isn't present in the path indicated by BitDefender...
How do I remove it?
I hope I've been clear, and I hope for a quick reply from you.
I have to graduate [cry+]
Thanks in advance.
Alex
Alex_sbafone
New member
Posts: 16
Joined: Tue Feb 13, 2007 11:18 am

Post by Alex_sbafone » Tue Feb 13, 2007 11:33 am

Just to add another problem: while I'm connected I hear strange noises coming from the PC speakers.... [8)] like when you're on the phone and someone picks up the receiver in another room.... HELP ME!!!!!
If it's any use, my connection is Libero flat.
Thanks again.
Alex

Post by crazy.cat » Tue Feb 13, 2007 12:26 pm

Download the latest version of CCleaner and clean out the temporary internet files
http://www.filehippo.com/download_ccleaner/

Then run a scan with HijackThis and post the log of that scan here
http://www.MegaLab.it/2286
When the many govern, they think only of pleasing themselves; then you get the most foolish and most hateful tyranny: tyranny masked as freedom.
crazy.cat
MLI Hero
Posts: 30959
Joined: Mon Jan 12, 2004 1:38 pm
Location: Mestre


Post by Alex_sbafone » Tue Feb 13, 2007 1:54 pm

Dear friend, thank you for the help you're giving me.
I did as you said, but CCleaner has been cleaning for 20 minutes now (in vain, in my opinion).
I'm pasting the .log below


Logfile of HijackThis v1.99.1
Scan saved at 12.47.03, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
D:\WINDOWS\system32\rundll32.exe
D:\Programmi\Toshiba Controls\CpRmtKey.EXE
D:\Programmi\EzButton\CplBTQ00.EXE
D:\Programmi\Apoint2K\Apoint.exe
D:\Programmi\Softwin\BitDefender9\bdoesrv.exe
D:\Programmi\Softwin\BitDefender9\bdnagent.exe
D:\Programmi\Softwin\BitDefender9\bdswitch.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
D:\Programmi\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\system32\RAMASST.exe
D:\Programmi\Apoint2K\Apntex.exe
D:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\winlogon.exe
D:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
D:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
D:\DOCUME~1\Cin\IMPOST~1\Temp\zzoyba.exe
D:\Programmi\Softwin\BitDefender9\vsserv.exe
d:\programmi\softwin\bitdefender9\bdmcon.exe
D:\Programmi\MSN Messenger\usnsvc.exe
D:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\Programmi\CCleaner\ccleaner.exe
D:\Documents and Settings\Cin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CpRmtKey] "D:\Programmi\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CplBTQ00] D:\Programmi\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [Apoint] D:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [BDMCon] "D:\Programmi\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "D:\Programmi\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "d:\programmi\softwin\bitdefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "d:\programmi\softwin\bitdefender9\bdswitch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzoyba.exe] D:\DOCUME~1\Cin\IMPOST~1\Temp\zzoyba.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] D:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photocity.it/areaclienti/inv ... oader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{769C6ED1-B95B-4C14-AA2A-870140BB23D3}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - D:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Programmi\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

THANK YOU THANK YOU THANK YOU!!!!!

Post by crazy.cat » Tue Feb 13, 2007 2:04 pm

Boot into safe mode, or use Unlocker to delete this file
O4 - HKLM\..\Run: [zzoyba.exe] D:\DOCUME~1\Cin\IMPOST~1\Temp\zzoyba.exe
then restart the PC and repeat the cleanup with CCleaner, which was perhaps being blocked by this virus while it was active.

After the restart, check that it doesn't come back.

Post by Alex_sbafone » Tue Feb 13, 2007 2:49 pm

Hi, thanks, I've done everything.
Now let's see if it comes back.
One curiosity:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
should I delete it?

Post by crazy.cat » Tue Feb 13, 2007 2:51 pm

Alex_sbafone wrote: One curiosity:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
should I delete it?

Yes.
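As an added illustration, not part of the original thread and not from any tool the posters used, here is a small Python script that applies the same triage rules crazy.cat applied by eye to the HijackThis log above: an O4 autorun entry that launches a binary from a Temp directory, an O2 BHO registered with "(no file)", a process running from a temporary folder, and an O23 service whose binary is reported "(file missing)". It also cross-checks which executable is both running and registered to autorun, which is what made zzoyba.exe stand out. The sample lines are copied from the log posted in this thread plus one clean entry; the rule set and the Finding structure are this example's own design.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis 1.99.1 log posted in this
# thread, plus one clean O4 entry (NeroCheck.exe) as a negative control.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\system32\svchost.exe
D:\DOCUME~1\Cin\IMPOST~1\Temp\zzoyba.exe
D:\Programmi\Softwin\BitDefender9\vsserv.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzoyba.exe] D:\DOCUME~1\Cin\IMPOST~1\Temp\zzoyba.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Programmi\Softwin\BitDefender9\vsserv.exe" /service (file missing)
"""

# A path component that is a temporary directory (Temp, tmp, Temporary Internet Files).
TEMP_DIR = re.compile(r"\\(?:temp|tmp|temporary internet files)\\", re.IGNORECASE)
# A bare path in the "Running processes:" section starts with a drive letter.
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")
# Every other HijackThis entry looks like "O4 - ..." / "R0 - ..." / "F2 - ...".
HJT_ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Executable file names, used to correlate processes with autorun entries.
EXE_NAME = re.compile(r'([^\\"\[\]\s]+\.exe)\b', re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section (O2, O4, O23) or "PROC" for a running process
    line: str    # the offending log line, verbatim
    reason: str  # why a reviewer should look at it


def triage_hijackthis(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer should look at, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_LINE.match(line):
            if TEMP_DIR.search(line):
                findings.append(Finding("PROC", line, "process running from a temporary directory"))
            continue
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4" and TEMP_DIR.search(body):
            findings.append(Finding(code, line, "autorun entry launches a binary from a temporary directory"))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(code, line, "BHO registration with no backing file (orphaned CLSID)"))
        elif code == "O23" and "(file missing)" in body:
            # Weak signal: in this thread the same flag appears on BitDefender's
            # own services, so it is a prompt to verify the path, not a verdict.
            findings.append(Finding(code, line, "service binary not resolved; verify the path by hand"))
    return findings


def active_persistence(findings: list[Finding]) -> set[str]:
    """Executable names that are both running now and registered to start automatically."""
    running = {n.lower() for f in findings if f.code == "PROC" for n in EXE_NAME.findall(f.line)}
    autorun = {n.lower() for f in findings if f.code == "O4" for n in EXE_NAME.findall(f.line)}
    return running & autorun


if __name__ == "__main__":
    results = triage_hijackthis(SAMPLE_LOG)
    for f in results:
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    print("running AND set to autorun:", sorted(active_persistence(results)))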

Post by Alex_sbafone » Tue Feb 13, 2007 6:20 pm

Bad news.....
I've run the scan several times with the antivirus and with CCleaner, and they found nothing.
While I was connected, suspicious because of how slow the PC was, I checked a few minutes ago and it found that .exe file again; the problem is that in safe mode HijackThis no longer found it.
I also ran a scan in safe mode, and here are the lines.

Logfile of HijackThis v1.99.1
Scan saved at 17.03.43, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Cin\Desktop\hijackthis\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CpRmtKey] "D:\Programmi\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CplBTQ00] D:\Programmi\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [Apoint] D:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [BDMCon] "D:\Programmi\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "D:\Programmi\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "D:\Programmi\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "D:\Programmi\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] D:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photocity.it/areaclienti/inv ... oader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - D:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Programmi\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Post by Amantide » Tue Feb 13, 2007 6:50 pm

In the age of rootkits, HijackThis is proving less and less useful.
Run a scan with Systemscan, compress the report.txt file found in c:\suspectfile into an archive and attach it here.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by Alex_sbafone » Tue Feb 13, 2007 8:14 pm

Hi Amantide!
..problems here too.. after the scan a "windows script host" message appears:
"script: D:documenti\impostaz\temp\RarSFX2\cvrt.vbs
riga:97
Carattere: 1
Errore :Autorizzazione negata
Codice: 800A0046
Origine: Errore di run-time di Microsoft VBScript"

I go to open the report.txt file and it's empty!!!!
Another attempt?

Post by Amantide » Tue Feb 13, 2007 10:33 pm

See if you can run the scan from safe mode.

Post by Alex_sbafone » Wed Feb 14, 2007 1:54 am

Hi, are you ready for the long list?

systemscan - www.suspectfile.com - ver. 2.0.23

Date: 14/02/2007
Time: 0.40.05,82

Output limited to:
-Recent files
-Registry Run Keys
-Running Services
-Not Running Services
-Device Driver Services
-Svchost.exe instances
-Loaded Dlls
-Alternate Data Sreams
-Encrypted Files
-Hidden objects
-Include hijackthis.log

-------------Users folders -------------

Directory di D:\documents and settings

27/01/2007 10.42 <DIR> All Users
13/02/2007 17.10 <DIR> Cin
27/01/2007 10.51 <DIR> Default User
27/01/2007 10.47 <DIR> LocalService
27/01/2007 10.47 <DIR> NetworkService

-------------Recent files (60 days) -------------
NOTE: searched only in D:, D:\WINDOWS, D:\WINDOWS\system32, D:\Programmi\File comuni, D:\WINDOWS\temp



Directory di D:\


13/02/2007 12.32 <DIR> Programmi
14/02/2007 00.40 <DIR> suspectfile
14/02/2007 00.37 <DIR> WINDOWS
27/01/2007 10.52 <DIR> Documents and Settings


Directory di D:\WINDOWS


27/01/2007 12.06 <DIR> WinSxS
27/01/2007 11.21 <DIR> addins
27/01/2007 10.41 <DIR> Web
27/01/2007 11.23 <DIR> twain_32
27/01/2007 11.25 <DIR> AppPatch
13/02/2007 18.31 <DIR> Temp
13/02/2007 09.55 <DIR> system32
27/01/2007 11.38 <DIR> system
27/01/2007 10.41 <DIR> srchasst
27/01/2007 11.21 <DIR> Config
27/01/2007 11.21 <DIR> Connection Wizard
27/01/2007 14.20 <DIR> SoftwareDistribution
27/01/2007 11.04 <DIR> SMSC
27/01/2007 11.20 <DIR> SHELLNEW
27/01/2007 10.38 <DIR> Cursors
13/02/2007 12.58 <DIR> Debug
27/01/2007 11.09 <DIR> security
27/01/2007 11.02 <DIR> Driver Cache
27/01/2007 11.25 <DIR> ehome
27/01/2007 11.21 <DIR> Resources
27/01/2007 10.43 <DIR> repair
27/01/2007 11.01 <DIR> Help
27/01/2007 10.42 <DIR> Registration
27/01/2007 10.43 <DIR> ime
27/01/2007 11.21 <DIR> Provisioning
27/01/2007 11.21 <DIR> java
13/02/2007 18.48 <DIR> Prefetch
27/01/2007 11.32 <DIR> Media
27/01/2007 11.25 <DIR> PeerNet
27/01/2007 11.25 <DIR> msagent
27/01/2007 11.21 <DIR> msapps
27/01/2007 11.20 <DIR> pchealth
27/01/2007 11.21 <DIR> mui
27/01/2007 11.02 <DIR> Options
27/01/2007 10.41 <DIR> Offline Web Pages
27/01/2007 11.01 <DIR> nview
14/02/2007 00.37 181.694 ntbtlog.txt
27/01/2007 11.21 424 ODBC.INI
27/01/2007 10.42 4.161 ODBCINST.INI
13/02/2007 18.17 69 NeroDigital.ini
13/02/2007 10.13 8.552 ModemLog_TOSHIBA Software Modem AMR.txt
05/02/2007 10.33 1.409 QTFont.for
27/01/2007 10.47 8.192 REGLOCS.OLD
14/02/2007 00.35 4.824 SchedLgU.Txt
27/01/2007 11.03 81 CpRmtKey.UNI
27/01/2007 11.04 73 CplBTQ00.UNI
27/01/2007 10.43 0 control.ini
13/02/2007 17.07 0 Sti_Trace.log
27/01/2007 11.30 231 system.ini
27/01/2007 10.39 36 vb.ini
27/01/2007 10.39 37 vbaddin.ini
14/02/2007 00.35 216 wiadebug.log
14/02/2007 00.35 50 wiaservc.log
13/02/2007 09.55 627 win.ini
14/02/2007 00.35 10.467 WindowsUpdate.log
13/02/2007 17.11 0 0.log
27/01/2007 10.43 316.640 WMSysPr9.prx


Directory di D:\WINDOWS\system32


27/01/2007 11.21 <DIR> wins
27/01/2007 11.21 <DIR> 1025
27/01/2007 11.21 <DIR> 1028
27/01/2007 11.21 <DIR> 1031
27/01/2007 11.22 <DIR> 1033
27/01/2007 11.21 <DIR> 1037
27/01/2007 11.23 <DIR> 1040
27/01/2007 11.21 <DIR> 1041
27/01/2007 11.21 <DIR> 1042
27/01/2007 11.21 <DIR> 1054
27/01/2007 10.43 <DIR> wbem
27/01/2007 11.25 <DIR> usmt
27/01/2007 11.21 <DIR> 2052
27/01/2007 11.21 <DIR> 3076
27/01/2007 11.21 <DIR> 3com_dmi
27/01/2007 10.36 <DIR> spool
27/01/2007 11.21 <DIR> ShellExt
27/01/2007 11.25 <DIR> Setup
13/02/2007 09.51 <DIR> Restore
27/01/2007 12.27 <DIR> ReinstallBackups
27/01/2007 11.23 <DIR> ras
27/01/2007 10.41 <DIR> oobe
27/01/2007 11.25 <DIR> npp
27/01/2007 11.21 <DIR> mui
27/01/2007 10.43 <DIR> xircom
27/01/2007 10.38 <DIR> MsDtc
05/02/2007 19.19 <DIR> Macromed
27/01/2007 10.56 <DIR> InsFiles
27/01/2007 11.21 <DIR> inetsrv
27/01/2007 11.21 <DIR> IME
27/01/2007 11.23 <DIR> icsxml
27/01/2007 10.42 <DIR> ias
27/01/2007 11.21 <DIR> export
27/01/2007 12.06 <DIR> DRVSTORE
08/02/2007 12.44 <DIR> drivers
27/01/2007 10.41 <DIR> DirectX
27/01/2007 11.21 <DIR> dhcp
27/01/2007 10.47 <DIR> config
27/01/2007 10.39 <DIR> Com
11/02/2007 11.41 <DIR> CatRoot2
27/01/2007 11.27 <DIR> CatRoot
27/01/2007 10.43 16.832 amcompat.tlb
14/02/2007 00.35 81.984 bdod.bin
27/01/2007 10.43 2.885 CONFIG.NT
27/01/2007 10.39 21.840 emptyregdb.dat
09/01/2007 18.46 10.752 ff_vfw.dll
27/01/2007 11.54 110.992 FNTCACHE.DAT
27/01/2007 11.57 17.464 GDIPFONTCACHEV1.DAT
13/02/2007 09.55 14 getfile.dat
27/01/2007 11.36 0 h323log.txt
27/01/2007 10.43 23.392 nscompat.tlb
27/01/2007 11.03 40.190 perfc009.dat
27/01/2007 11.03 47.790 perfc010.dat
27/01/2007 11.03 311.802 perfh009.dat
27/01/2007 11.03 345.248 perfh010.dat
27/01/2007 11.03 751.592 PerfStringBackup.INI
19/01/2007 12.53 51.056 sirenacm.dll
27/01/2007 12.00 73.728 sockspy.dll
27/01/2007 10.46 261 $winnt$.inf
20/01/2007 21.26 1.565.480 wmv9vcm.dll
10/02/2007 15.21 2.206 wpa.dbl
27/01/2007 11.59 77.824 xcomm.dll


Directory di D:\Programmi\File comuni


30/01/2007 10.50 <DIR> Adobe
27/01/2007 11.26 <DIR> Ahead
27/01/2007 11.20 <DIR> DESIGNER
05/02/2007 16.46 <DIR> InstallShield
30/01/2007 19.46 <DIR> Jasc Software Inc
27/01/2007 11.43 <DIR> Microsoft Shared
27/01/2007 10.40 <DIR> MSSoap
27/01/2007 11.30 <DIR> ODBC
27/01/2007 10.40 <DIR> Services
27/01/2007 11.12 <DIR> Softwin
27/01/2007 11.30 <DIR> SpeechEngines
27/01/2007 10.40 <DIR> System


Directory di D:\WINDOWS\temp


13/02/2007 18.43 <DIR> RarSFX0
13/02/2007 18.31 16.384 ~DF6E5C.tmp



-------------HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows-------------

[Windows]
"AppInit_DLLs"=""

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"Shell"="Explorer.exe"
"System"=""
"Userinit"="D:\WINDOWS\system32\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"forceunlocklogon"=dword:00000000
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=expand:"logonui.exe"
"LogonType"=dword:00000001
"Background"="0 0 0"
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001

[Winlogon\GPExtensions]

[Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Senza fili"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"DllName"=expand:"fdeploy.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Quota disco Microsoft"
"DllName"=expand:"dskquota.dll"

[Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="Utilità di pianificazione pacchetti QoS"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Script"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Mapping aree Internet Explorer"
"DllName"=expand:"iedkcs32.dll"

[Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"

[Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=expand:"iedkcs32.dll"
@="Personalizzazione Internet Explorer"

[Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
@="EFS recovery"

[Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\System32\cscui.dll"

[Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Installazione software"
"DllName"=expand:"appmgmts.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="Protezione IP"
"DllName"=expand:"gptext.dll"

[Winlogon\Notify]

[Winlogon\Notify\crypt32chain]
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[Winlogon\Notify\cryptnet]
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"StartShell"="WinlogonStartShellEvent"

[Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001

[Winlogon\Notify\Schedule]
"DllName"=expand:"wlnotify.dll"
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"DllName"=expand:"sclgntfy.dll"

[Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"

[Winlogon\Notify\termsrv]
"DllName"=expand:"wlnotify.dll"
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"

[Winlogon\SpecialAccounts]

[Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"ExcludeProfileDirs"="Impostazioni locali;Temporary Internet Files;Cronologia;Temp"
"BuildNumber"=dword:00000a28

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]
"AdslTaskBar"="rundll32.exe stmctrl.dll,TaskBar"
"NvCplDaemon"="RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CpRmtKey"="\"D:\Programmi\Toshiba Controls\CpRmtKey.EXE\""
"CplBTQ00"="D:\Programmi\EzButton\CplBTQ00.EXE"
"Apoint"="D:\Programmi\Apoint2K\Apoint.exe"
"BDMCon"="\"D:\Programmi\Softwin\BitDefender9\bdmcon.exe\""
"BDOESRV"="\"D:\Programmi\Softwin\BitDefender9\bdoesrv.exe\""
"BDNewsAgent"="\"D:\Programmi\Softwin\BitDefender9\bdnagent.exe\""
"BDSwitchAgent"="\"D:\Programmi\Softwin\BitDefender9\bdswitch.exe\""
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe"

[Run\OptionalComponents]

[Run\OptionalComponents\IMAIL]
"Installed"="1"

[Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[Run\OptionalComponents\MSFS]
"Installed"="1"

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

[RunOnce]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

[RunOnceEx]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe"
"TOSCDSPD"="D:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe"
"MsnMsgr"="\"D:\Programmi\MSN Messenger\MsnMsgr.Exe\" /background"

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects-------------

[Browser Helper Objects]

[Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
#### HKCR\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\InprocServer32 @="D:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

-------------HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks-------------

[URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
#### HKCR\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InprocServer32 @=expand:"%SystemRoot%\system32\shdocvw.dll"

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks-------------

[ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
#### HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32 @="shell32.dll"

-------------HKLM\SYSTEM\ControlSet001\Control\Lsa-------------

[Lsa]
"Authentication Packages"=multi:"msv1_0\00\00"
"Bounds"=hex:00,30,00,00,00,20,00,00
"LsaPid"=dword:00000124
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=multi:"scecli\00\00"

[Lsa\AccessProviders]
"ProviderOrder"=multi:"Windows NT Access Provider\00\00"

[Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=expand:"%SystemRoot%\system32\ntmarta.dll"

[Lsa\Audit]

[Lsa\Audit\PerUserAuditing]

[Lsa\Audit\PerUserAuditing\System]

[Lsa\Data]
@Class="c0081b67"
"Pattern"=hex:78,11,67,31,e5,d2,d5,36,fe,3e,4e,3f,b1,1c,69,02,63,30,30,38,31,\
62,36,37,00,fd,07,00,76,08,00,00,34,fa,07,00,56,82,47,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,95,c2,96,60,da,e0,08,ab,bc,10,77,c0

[Lsa\GBG]
@Class="95e019da"
"GrafBlumGroup"=hex:3c,31,4d,1f,fe,e3,ef,ec,99

[Lsa\JD]
@Class="bc7760ab"
"Lookup"=hex:ac,d2,a7,ad,5a,92

[Lsa\Kerberos]

[Lsa\Kerberos\Domains]

[Lsa\Kerberos\SidCache]

[Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[Lsa\Skew1]
@Class="96c21048"
"SkewMatrix"=hex:71,05,07,65,f7,1a,11,59,af,e5,11,78,97,05,db,13

[Lsa\SSO]

[Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[Lsa\SspiCache]
"Time"=hex:a0,de,3d,91,01,42,c7,01

[Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"RpcId"=dword:0000ffff
"Time"=hex:00,e6,db,e6,f1,85,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"RpcId"=dword:00000011
"Time"=hex:00,c7,d1,ec,f1,85,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"RpcId"=dword:00000012
"Time"=hex:00,c7,d1,ec,f1,85,c4,01
"Type"=dword:00000031

-------------HKLM\SYSTEM\ControlSet001\Services\SharedAccess-------------

[SharedAccess]
"Description"="Fornisce servizi di conversione indirizzi di rete, indirizzamento e risoluzione nomi e/o servizi di prevenzione intrusione per una rete domestica o una piccola rete aziendale."
"DisplayName"="Windows Firewall / Condivisione connessione Internet (ICS)"
"ImagePath"=expand:"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[SharedAccess\Epoch]
"Epoch"=dword:00000250

[SharedAccess\Parameters]
"ServiceDll"=expand:"%SystemRoot%\System32\ipnathlp.dll"

[SharedAccess\Parameters\FirewallPolicy]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\Programmi\MSN Messenger\msncall.exe"="D:\Programmi\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"D:\Programmi\MSN Messenger\msnmsgr.exe"="D:\Programmi\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\Programmi\MSN Messenger\livecall.exe"="D:\Programmi\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\Programmi\MSN Messenger\msncall.exe"="D:\Programmi\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"D:\Programmi\eMule\emule.exe"="D:\Programmi\eMule\emule.exe:*:Enabled:eMule"
"D:\Programmi\MSN Messenger\msnmsgr.exe"="D:\Programmi\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\Programmi\MSN Messenger\livecall.exe"="D:\Programmi\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

-------------HKLM\Software\Microsoft\Ole-------------

[Ole]
"EnableDCOM"="Y"

[Ole\AppCompat]

[Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

-------------HKEY_CLASSES_ROOT\exefile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\comfile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\batfile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\piffile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\scrFile\shell\open\command-------------

@="\"%1\" /S"

-------------HKEY_CLASSES_ROOT\htafile\shell\open\command-------------

@="D:\WINDOWS\system32\mshta.exe \"%1\" %*"

-------------HKEY_CLASSES_ROOT\logfile\shell\open\command-------------

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler-------------

[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
#### HKCR\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InprocServer32 @=expand:"%SystemRoot%\system32\browseui.dll"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"
#### HKCR\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InprocServer32 @=expand:"%SystemRoot%\system32\browseui.dll"

-------------HKLM\Software\Microsoft\Active Setup\Installed Components-------------

[Installed Components]

[Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="D:\WINDOWS\system32\wmpdxm.dll"
"Stubpath"="D:\WINDOWS\inf\unregmp2.exe /ShowWMP"
@="Microsoft Windows Media Player"
"ComponentID"="WMPACCESS"

[Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
@="Internet Explorer"
"ComponentID"="IEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE"

[Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
@="Personalizzazione del browser"
"ComponentID"="BRANDING.CAB"
"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"

[Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
@="Outlook Express"
"ComponentID"="OEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE"

[Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
@="Rendering grafica vettoriale (VML)"
"ComponentID"="MSVML"

[Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
#### HKCR\CLSID\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\InprocServer32 @="D:\WINDOWS\system32\wmpdxm.dll"
@=""
"ComponentID"="NetShow"
"StubPath"=""

[Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="D:\WINDOWS\system32\wmpdxm.dll"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"=""
@="Microsoft Windows Media Player 6.4"

[Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
#### HKCR\CLSID\{283807B5-2C60-11D0-A31D-00AA00B92C03}\InprocServer32 @="D:\WINDOWS\system32\danim.dll"
@="DirectAnimation"
"ComponentID"="DirectAnimation"

[Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"ComponentID"="Theme Component"
"StubPath"=expand:"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll"

[Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
@="Binding dati Dynamic HTML per Java"
"ComponentID"="TridataJava"

[Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]
@="Modulo ricerca non in linea"
"ComponentID"="MobilePk"

[Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
@="Uniscribe"
"ComponentID"="USP10"

[Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}]
@="Creazione avanzata"
"ComponentID"="AdvAuth"

[Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Outlook Express 6"
"ComponentID"="MailNews"
"CloneUser"=dword:00000001
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"

[Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
@="NetMeeting 3.01"
"ComponentID"="NetMeeting"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT"

[Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
@="DirectShow"
"ComponentID"="activemovie"

[Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
@="DirectDrawEx"
"ComponentID"="DirectDrawEx"

[Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
@="Guida di Internet Explorer"
"ComponentID"="HelpCont"

[Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
@="Classi Java DirectAnimation"
"ComponentID"="DAJava"

[Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
@="Microsoft Windows Script 5.6"
"ComponentID"="MSVBScript"

[Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
"KeyFileName"="D:\Programmi\Messenger\msmsgs.exe"
@="Windows Messenger 4.7"
"ComponentID"="Messenger"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser"

[Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
"(Default)"="Internet Connection Wizard"
"ComponentID"="ICW"

[Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
@="Strumenti di installazione di Internet Explorer"
"ComponentID"="GenSetup"

[Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
@="Miglioramenti sfoglia"
"ComponentID"="ExtraPack"
"KeyFileName"="D:\WINDOWS\system32\msieftp.dll"

[Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
#### HKCR\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32 @="D:\WINDOWS\system32\wmp.dll"
@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmp.inf,PerUserStub"

[Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
@="Accesso sito MSN"
"ComponentID"="MSN_Auth"

[Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
@="Web Folders"
"ComponentID"="WebFolders"
"StubPath"=""

[Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
@="Rubrica 6"
"ComponentID"="WAB"
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"ComponentID"="IE4Shell_NT"
"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Internet Explorer 6"
"ComponentID"="BASEIE40_W2K"
"StubPath"=expand:"%SystemRoot%\system32\ie4uinit.exe"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix]

[Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
@="Binding dati Dynamic HTML"
"ComponentID"="Tridata"

[Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}]

[Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]
@="Font principali di Internet Explorer"
"ComponentID"="Fontcore"

[Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
@="Utilità di pianificazione"
"ComponentID"="MSTASK"

[Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
"ComponentID"="Windows Movie Maker v2.1"

[Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@="Adobe Flash Player 9 ActiveX"
"ComponentID"="Flash"

[Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
@="Guida HTML"
"ComponentID"="HTMLHelp"

[Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]
@="Active Directory Service Interface"
"ComponentID"="ADSI"

-------------Comparing registry keys CCS1 vs CCS2 -------------
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\ACPI\Parameters AMLIMaxCTObjs REG_BINARY 05000000
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\ACPI\Parameters AMLIMaxCTObjs REG_BINARY 04000000
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\ACPI\Parameters\WakeUp GenericEventStatus REG_BINARY 0000FFDE
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\ACPI\Parameters\WakeUp GenericEventStatus REG_BINARY 0300FFCE
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Dhcp\Parameters {769C6ED1-B95B-4C14-AA2A-870140BB23D3} REG_BINARY 0F0000000000000000000000000000005749D245F9000000000000000000000.....
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Dhcp\Parameters {769C6ED1-B95B-4C14-AA2A-870140BB23D3} REG_BINARY 0F0000000000000000000000000000004CB2D145F900000000000000000000..........
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\DS
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\LSA
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\NetDDE Object
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\SC Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security Account Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Spooler
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\MRxDAV\EncryptedDirectories
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\mssmbios\Data
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfDisk\Performance WbemAdapFileSignature REG_BINARY A369538A629E1F7C2EF8D18E6F9CBDB1
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfDisk\Performance WbemAdapFileTime REG_BINARY 002134EFF185C401
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfDisk\Performance WbemAdapFileSize REG_DWORD 27136 (0x6A00)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfDisk\Performance WbemAdapStatus REG_DWORD 0 (0x0)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfNet\Performance WbemAdapFileSignature REG_BINARY 40234F0365CD9D92CEE459FE58FD1025
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfNet\Performance WbemAdapFileTime REG_BINARY 0058179B2D32C101
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfNet\Performance WbemAdapFileSize REG_DWORD 17408 (0x4400)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfNet\Performance WbemAdapStatus REG_DWORD 0 (0x0)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfOS\Performance WbemAdapFileSignature REG_BINARY 4967673E8ED0786F88E2CB58786FAE7E
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfOS\Performance WbemAdapFileTime REG_BINARY 002134EFF185C401
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfOS\Performance WbemAdapFileSize REG_DWORD 26624 (0x6800)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfOS\Performance WbemAdapStatus REG_DWORD 0 (0x0)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfProc\Performance WbemAdapFileSignature REG_BINARY C903E30BDB77AB0C730237F270EC3F90
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfProc\Performance WbemAdapFileTime REG_BINARY 002134EFF185C401
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfProc\Performance WbemAdapFileSize REG_DWORD 35840 (0x8C00)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\PerfProc\Performance WbemAdapStatus REG_DWORD 0 (0x0)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Schedule NextAtJobId REG_DWORD 2 (0x2)
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Schedule NextAtJobId REG_DWORD 1 (0x1)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Schedule AtTaskMaxHours REG_DWORD 72 (0x48)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 592 (0x250)
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\SharedAccess\Epoch Epoch REG_DWORD 522 (0x20A)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Spooler\Performance WbemAdapFileSignature REG_BINARY A357128EEA84698DCF3ED33E521292CC
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Spooler\Performance WbemAdapFileTime REG_BINARY 0097E4FFF185C401
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Spooler\Performance WbemAdapFileSize REG_DWORD 146944 (0x23E00)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Spooler\Performance WbemAdapStatus REG_DWORD 0 (0x0)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\TapiSrv\Performance WbemAdapFileSignature REG_BINARY B5D91042119372579F52237AFBA5AE7F
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\TapiSrv\Performance WbemAdapFileTime REG_BINARY 0058179B2D32C101
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\TapiSrv\Performance WbemAdapFileSize REG_DWORD 5632 (0x1600)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\TapiSrv\Performance WbemAdapStatus REG_DWORD 0 (0x0)

Result compared: Different
-------------Comparing registry keys CCS1 vs CCS3 -------------
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services

Result compared: Identical
-------------List of running services -------------
000) "CryptSvc" - Servizi di crittografia
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

001) "DcomLaunch" - Utilità di avvio processo server DCOM
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost -k DcomLaunch

002) "dmserver" - Gestione dischi logici
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

003) "Eventlog" - Registro eventi
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\services.exe

004) "helpsvc" - Guida in linea e supporto tecnico
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

005) "PlugPlay" - Plug and Play
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\services.exe

006) "RpcSs" - RPC (Remote Procedure Call)
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost -k rpcss

007) "winmgmt" - Strumentazione gestione Windows
---> STAT = (RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs
..:: BOOT REGISTRY ::..

0) "AdslTaskBar"
---> CMD = rundll32.exe stmctrl.dll,TaskBar
---> FILE = D:\WINDOWS\system32\rundll32.exe stmctrl.dll,TaskBar

1) "NvCplDaemon"
---> CMD = RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
---> FILE = (NOT EXISTS)

2) "nwiz"
---> CMD = nwiz.exe /install
---> FILE = nwiz.exe /install

3) "CpRmtKey"
---> CMD = "D:\Programmi\Toshiba Controls\CpRmtKey.EXE"
---> FILE = D:\Programmi\Toshiba Controls\CpRmtKey.EXE

4) "CplBTQ00"
---> CMD = D:\Programmi\EzButton\CplBTQ00.EXE
---> FILE = D:\Programmi\EzButton\CplBTQ00.EXE

5) "Apoint"
---> CMD = D:\Programmi\Apoint2K\Apoint.exe
---> FILE = D:\Programmi\Apoint2K\Apoint.exe

6) "BDMCon"
---> CMD = "D:\Programmi\Softwin\BitDefender9\bdmcon.exe"
---> FILE = D:\Programmi\Softwin\BitDefender9\bdmcon.exe

7) "BDOESRV"
---> CMD = "D:\Programmi\Softwin\BitDefender9\bdoesrv.exe"
---> FILE = D:\Programmi\Softwin\BitDefender9\bdoesrv.exe

8) "BDNewsAgent"
---> CMD = "D:\Programmi\Softwin\BitDefender9\bdnagent.exe"
---> FILE = D:\Programmi\Softwin\BitDefender9\bdnagent.exe

9) "BDSwitchAgent"
---> CMD = "D:\Programmi\Softwin\BitDefender9\bdswitch.exe"
---> FILE = D:\Programmi\Softwin\BitDefender9\bdswitch.exe

10) "NeroFilterCheck"
---> CMD = D:\WINDOWS\system32\NeroCheck.exe
---> FILE = D:\WINDOWS\system32\NeroCheck.exe
-------------List of NOT running services -------------
000) "Alerter" - Avvisi
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\system32\svchost.exe -k LocalService

001) "ALG" - Servizio Gateway di livello applicazione
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\alg.exe

002) "AppMgmt" - Gestione applicazione
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

003) "AudioSrv" - Audio Windows
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

004) "bdss" - BitDefender Scan Server
---> STAT = (NOT RUNNING) Started automatically
---> FILE = "D:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service

005) "BITS" - Servizio trasferimento intelligente in background
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

006) "Browser" - Browser di computer
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

007) "CiSvc" - Servizio di indicizzazione
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\cisvc.exe

008) "ClipSrv" - ClipBook
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\system32\clipsrv.exe

009) "COMSysApp" - Applicazione di sistema COM+
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

010) "Dhcp" - Client DHCP
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

011) "dmadmin" - Servizio amministrativo di Gestione disco logico
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\dmadmin.exe /com

012) "Dnscache" - Client DNS
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k NetworkService

013) "DVD-RAM_Service" - DVD-RAM_Service
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\DVDRAMSV.exe

014) "ERSvc" - Servizio di segnalazione errori
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

015) "EventSystem" - Sistema di eventi COM+
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

016) "FastUserSwitchingCompatibility" - Compatibilità di Cambio rapido utente
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

017) "HidServ" - Accesso periferica Human Interface
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

018) "HTTPFilter" - SSL HTTP
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost.exe -k HTTPFilter

019) "ImapiService" - Servizio COM di masterizzazione CD IMAPI
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\imapi.exe

020) "Irmon" - Monitor infrarossi
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

021) "lanmanserver" - Server
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

022) "lanmanworkstation" - Workstation
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

023) "LIVESRV" - BitDefender Desktop Update Service
---> STAT = (NOT RUNNING) Started automatically
---> FILE = "D:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service

024) "LmHosts" - Helper NetBIOS di TCP/IP
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k LocalService

025) "Messenger" - Messenger
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

026) "mnmsrvc" - Condivisione desktop remoto di NetMeeting
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\mnmsrvc.exe

027) "MSDTC" - Distributed Transaction Coordinator
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\msdtc.exe

028) "MSIServer" - Windows Installer
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\msiexec.exe /V

029) "NetDDE" - DDE di rete
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\system32\netdde.exe

030) "NetDDEdsdm" - DDE DSDM di rete
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\system32\netdde.exe

031) "Netlogon" - Accesso rete
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\lsass.exe

032) "Netman" - Connessioni di rete
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

033) "Nla" - NLA (Network Location Awareness)
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

034) "NtLmSsp" - Provider supporto protezione LM NT
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\lsass.exe

035) "NtmsSvc" - Archivi rimovibili
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

036) "NVSvc" - NVIDIA Driver Helper Service
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\nvsvc32.exe

037) "ose" - Office Source Engine
---> STAT = (NOT RUNNING) Started manually
---> FILE = "D:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE"

038) "PolicyAgent" - Servizi IPSEC
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\lsass.exe

039) "ProtectedStorage" - Archiviazione protetta
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\lsass.exe

040) "RasAuto" - Auto Connection Manager di Accesso remoto
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

041) "RasMan" - Connection Manager di Accesso remoto
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

042) "RDSessMgr" - Gestione sessione di assistenza mediante desktop remoto
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\sessmgr.exe

043) "RemoteAccess" - Routing e Accesso remoto
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

044) "RemoteRegistry" - Registro di sistema remoto
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k LocalService

045) "RpcLocator" - RPC Locator
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\locator.exe

046) "RSVP" - QoS RSVP
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\rsvp.exe

047) "SamSs" - Gestione account di protezione (SAM)
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\lsass.exe

048) "SCardSvr" - smart card
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\SCardSvr.exe

049) "Schedule" - Utilità di pianificazione
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

050) "seclogon" - Accesso secondario
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

051) "SENS" - Notifica eventi di sistema
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

052) "SharedAccess" - Windows Firewall / Condivisione connessione Internet (ICS)
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

053) "ShellHWDetection" - Rilevamento hardware shell
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

054) "Spooler" - Spooler di stampa
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\spoolsv.exe

055) "srservice" - Servizio Ripristino configurazione di sistema
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

056) "SSDPSRV" - Servizio di rilevamento SSDP
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k LocalService

057) "stisvc" - Acquisizione di immagini di Windows (WIA)
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k imgsvc

058) "SwPrv" - MS Software Shadow Copy Provider
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\dllhost.exe /Processid:{CF2AF6D8-A997-47FE-8E56-E8A7134C61E4}

059) "SysmonLog" - Avvisi e registri di prestazioni
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\smlogsvc.exe

060) "TapiSrv" - Telefonia
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

061) "TermService" - Servizi terminal
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost -k DComLaunch

062) "Themes" - Temi
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

063) "TlntSvr" - Telnet
---> STAT = (NOT RUNNING) Disabled
---> FILE = D:\WINDOWS\system32\tlntsvr.exe

064) "TrkWks" - Manutenzione collegamenti distribuiti client
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

065) "upnphost" - Host di periferiche Plug and Play universali
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\svchost.exe -k LocalService

066) "UPS" - Gruppo di continuità
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\ups.exe

067) "usnjsvc" - Servizio Messenger Sharing Folders USN Journal Reader
---> STAT = (NOT RUNNING) Started manually
---> FILE = "D:\Programmi\MSN Messenger\usnsvc.exe"

068) "VSS" - Copia replicata del volume
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\vssvc.exe

069) "VSSERV" - BitDefender Virus Shield
---> STAT = (NOT RUNNING) Started automatically
---> FILE = "D:\Programmi\Softwin\BitDefender9\vsserv.exe" /service

070) "W32Time" - Ora di Windows
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

071) "WebClient" - WebClient
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k LocalService

072) "WmdmPmSN" - Servizio Numero di serie per dispositivi multimediali portatili
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

073) "Wmi" - Estensioni driver di Strumentazione gestione Windows
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

074) "WmiApSrv" - Scheda WMI Performance
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\system32\wbem\wmiapsrv.exe

075) "wscsvc" - Centro sicurezza PC
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

076) "wuauserv" - Aggiornamenti automatici
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\system32\svchost.exe -k netsvcs

077) "WZCSVC" - Zero Configuration reti senza fili
---> STAT = (NOT RUNNING) Started automatically
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs

078) "XCOMM" - BitDefender Communicator
---> STAT = (NOT RUNNING) Started automatically
---> FILE = "D:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service

079) "xmlprov" - Servizio Provisioning di rete
---> STAT = (NOT RUNNING) Started manually
---> FILE = D:\WINDOWS\System32\svchost.exe -k netsvcs
-------------List of running device driver services -------------
000) "ACPI" - Driver ACPI Microsoft
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\ACPI.sys

001) "ACPIEC" - Driver del controller integrato Microsoft
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\ACPIEC.sys

002) "agp440" - Filtro bus Intel AGP
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\agp440.sys

003) "ApfiltrService" - Alps Pointing-device Filter Driver
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\Apfiltr.sys

004) "atapi" - Controller disco rigido IDE/ESDI standard
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\atapi.sys

005) "Beep" - Beep
---> STAT = (RUNNING) Started by "IoInitSystem" function

006) "Cdrom" - Driver del CD-ROM
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\cdrom.sys

007) "Compbatt" - Driver della batteria composita Microsoft
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\compbatt.sys

008) "Disk" - Driver del disco
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\disk.sys

009) "DKbFltr" - Dritek HotKey Keyboard Filter Driver
---> STAT = (RUNNING) Started manually
---> FILE = System32\Drivers\DKbFltr.sys

010) "dmio" - Driver Gestione dischi logici
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\System32\drivers\dmio.sys

011) "dmload" - dmload
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\System32\drivers\dmload.sys

012) "Fdc" - Driver controller disco floppy
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\fdc.sys

013) "FltMgr" - FltMgr
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\fltMgr.sys

014) "Ftdisk" - Driver archiviazione volumi
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\ftdisk.sys

015) "hidusb" - Driver di classe HID Microsoft
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\hidusb.sys

016) "i8042prt" - Driver di porta mouse PS/2 e tastiera i8042
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\i8042prt.sys

017) "Imapi" - Driver filtro masterizzazione CD
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\imapi.sys

018) "IntelIde" - IntelIde
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\intelide.sys

019) "isapnp" - Driver bus PnP ISA/EISA
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\isapnp.sys

020) "Kbdclass" - Driver classe tastiera
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\kbdclass.sys

021) "KSecDD" - KSecDD
---> STAT = (RUNNING) Started by operating system loader

022) "meiudf" - meiudf
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = System32\Drivers\meiudf.sys

023) "Mouclass" - Driver classe mouse
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\mouclass.sys

024) "mouhid" - Driver di mouse HID
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\mouhid.sys

025) "MountMgr" - MountMgr
---> STAT = (RUNNING) Started by operating system loader

026) "Msfs" - Msfs
---> STAT = (RUNNING) Started by "IoInitSystem" function

027) "mssmbios" - Driver BIOS Microsoft System Management
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\mssmbios.sys

028) "Mup" - Mup
---> STAT = (RUNNING) Started by operating system loader

029) "NDIS" - Driver di sistema NDIS
---> STAT = (RUNNING) Started by operating system loader

030) "Npfs" - Npfs
---> STAT = (RUNNING) Started by "IoInitSystem" function

031) "Ntfs" - Ntfs
---> STAT = (RUNNING) Disabled

032) "Null" - Null
---> STAT = (RUNNING) Started by "IoInitSystem" function

033) "ohci1394" - Controller host Texas Instruments IEEE 1394 compatibile OHCI
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\ohci1394.sys

034) "PartMgr" - PartMgr
---> STAT = (RUNNING) Started by operating system loader

035) "PCI" - Driver bus PCI
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\pci.sys

036) "PCIIde" - PCIIde
---> STAT = (RUNNING) Started by operating system loader

037) "Pcmcia" - Pcmcia
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\pcmcia.sys

038) "rdpdr" - Driver redirector periferica Terminal Server
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\rdpdr.sys

039) "redbook" - Driver filtro riproduzione CD-ROM audio digitale
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\redbook.sys

040) "swenum" - Driver bus software
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\swenum.sys

041) "TermDD" - Driver della periferica terminale
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\termdd.sys

042) "Udfs" - Udfs
---> STAT = (RUNNING) Disabled

043) "Update" - Driver aggiornamento microcodice
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\update.sys

044) "usbehci" - Driver Miniport controller enhanced host USB 2.0 Microsoft
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\usbehci.sys

045) "usbhub" - Hub abilitato USB2
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\usbhub.sys

046) "usbuhci" - Driver Miniport Controller Universal Host USB Microsoft
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\usbuhci.sys

047) "VgaSave" - VgaSave
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = \SystemRoot\System32\drivers\vga.sys

048) "VolSnap" - VolSnap
---> STAT = (RUNNING) Started by operating system loader



-------------List of NOT running device driver services -------------



000) "abp480n5" - abp480n5
---> STAT = (NOT RUNNING) Disabled

001) "adpu160m" - adpu160m
---> STAT = (NOT RUNNING) Disabled

002) "aec" - Eliminatore di eco acustico del kernel Microsoft
---> STAT = (NOT RUNNING) Started manually
---> FILE = system32\drivers\aec.sys

003) "AFD" - AFD
---> STAT = (NOT RUNNING) Started by "IoInitSystem" function
---> FILE = \SystemRoot\System32\drivers\afd.sys

004) "Aha154x" - Aha154x
---> STAT = (NOT RUNNING) Disabled

005) "aic78u2" - aic78u2
---> STAT = (NOT RUNNING) Disabled

006) "aic78xx" - aic78xx
---> STAT = (NOT RUNNING) Dis
Alex_sbafone, New Member, Posts: 16, Joined: Tue Feb 13, 2007 11:18 am
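Added example, not code from the thread or from any of the tools mentioned in it: a Python parser for the driver-services log in the format posted above, with a first-pass triage. It flags a driver that is RUNNING while its start type is Disabled, and a driver whose image is not under system32\drivers. One caveat a reader of the log above needs: Ntfs and Udfs show "RUNNING / Disabled" there, and that is normal on Windows XP, because the file-system recognizer loads them on demand, so they are whitelisted. The input is a constructed excerpt of the posted log; the "xyzdrv" record is invented to show what a hit looks like and is not in the original.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the same layout as the driver-services log posted above.
# The first four records mirror lines from that log; "xyzdrv" is a made-up entry
# added only to show what a suspicious record looks like.
SAMPLE_LOG = """\
-------------List of running device driver services -------------

000) "ACPI" - Driver ACPI Microsoft
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \\SystemRoot\\system32\\DRIVERS\\ACPI.sys

005) "Beep" - Beep
---> STAT = (RUNNING) Started by "IoInitSystem" function

031) "Ntfs" - Ntfs
---> STAT = (RUNNING) Disabled

003) "ApfiltrService" - Alps Pointing-device Filter Driver
---> STAT = (RUNNING) Started manually
---> FILE = system32\\DRIVERS\\Apfiltr.sys

099) "xyzdrv" - xyzdrv
---> STAT = (RUNNING) Disabled
---> FILE = \\??\\D:\\DOCUME~1\\Cin\\IMPOST~1\\Temp\\xyzdrv.sys
"""

ENTRY_RE = re.compile(r'^\d{3}\) "(?P<name>[^"]+)" - (?P<desc>.*)$')
STAT_RE = re.compile(r'^---> STAT = \((?P<state>[A-Z ]+)\) (?P<start>.*)$')
FILE_RE = re.compile(r'^---> FILE = (?P<path>.+)$')

# Drivers that Windows XP keeps at start type Disabled but loads on demand
# through the file-system recognizer; "RUNNING / Disabled" is expected for them.
FS_RECOGNIZER_LOADED = {"Ntfs", "Udfs", "Cdfs", "Fastfat"}

# Accept "system32\drivers\x.sys" and "<drive>:\windows\system32\drivers\x.sys".
STANDARD_DIR = re.compile(r"^(?:[a-z]:\\windows\\)?system32\\drivers\\[^\\]+$")


@dataclass
class DriverEntry:
    name: str
    description: str
    state: str = ""
    start: str = ""
    path: Optional[str] = None


def parse_driver_log(text: str) -> List[DriverEntry]:
    """Turn each 'NNN) "name" - desc' record and its STAT/FILE lines into an object."""
    entries: List[DriverEntry] = []
    current: Optional[DriverEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = DriverEntry(m["name"], m["desc"])
            entries.append(current)
            continue
        if current is None:
            continue
        m = STAT_RE.match(line)
        if m:
            current.state, current.start = m["state"], m["start"]
            continue
        m = FILE_RE.match(line)
        if m:
            current.path = m["path"]
    return entries


def normalize_path(path: str) -> str:
    """Lower-case and strip the \\SystemRoot\\ and \\??\\ prefixes the log mixes freely."""
    p = path.lower()
    for prefix in ("\\systemroot\\", "\\??\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p


def triage(entries: List[DriverEntry]) -> List[Tuple[str, str]]:
    """Return (driver name, reason) pairs that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.state == "RUNNING" and e.start == "Disabled" and e.name not in FS_RECOGNIZER_LOADED:
            findings.append((e.name, "running although its start type is Disabled"))
        if e.path is not None and not STANDARD_DIR.match(normalize_path(e.path)):
            findings.append((e.name, f"image outside system32\\drivers: {e.path}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_driver_log(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Entries without a FILE line (Beep, KSecDD, Mup and the like in the log above) are legitimate kernel components with no separate image file, so the absence of a path is deliberately not treated as a finding.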

Post by Amantide » Wed Feb 14, 2007 1:02 pm

I wonder why I asked you to compress the log into an archive and only then attach it to the post? [fischio]
The fact is that, because the log was too long, the last part was lost, so you need to attach me the whole log as a zipped archive.

In the meantime, download The Avenger, extract the archive into a folder and run the file Avenger.exe.
Select the option Input Script Manually, click the magnifying glass and copy and paste this script into the form:

Files to delete:
D:\WINDOWS\temp\~DF6E5C.tmp
D:\Documents and Settings\Cin\Impostazioni locali\Temp\zzoyba.exe
D:\Documents and Settings\Default User\Impostazioni locali\Temporary Internet Files\Content.IE5\XUN9HMW2\11396-23[1].exe

folders to delete:
D:\WINDOWS\temp\RarSFX0
D:\Documents and Settings\Cin\Impostazioni locali\Temp\RarSFX2
D:\Documents and Settings\Cin\Impostazioni locali\Temp\RarSFX1
D:\Documents and Settings\Cin\Impostazioni locali\Temp\RarSFX0

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | zzoyba.exe


Then click the Done button, then twice on the green traffic-light icon, and answer Yes to the questions that follow.
The PC should restart by itself; if it doesn't, restart it manually.
At the end, attach me the Avenger log, which is at C:/avenger.txt
...to fly high, you have to know how to fall...
Amantide, Official Member (Gold), Posts: 8126, Joined: Mon Feb 06, 2006 4:13 pm, Location: Abruzzo

Post by Alex_sbafone » Wed Feb 14, 2007 4:01 pm

Hi, you're right! I'll post it right away.
Should I run Avenger in Safe Mode or in normal mode?
I also wanted to tell you that last night, while I was in Safe Mode, I tried running CCleaner again.. since then zzoyba.exe no longer shows up! I don't know whether it's really gone, because now the PC keeps disconnecting by itself all the time....
Let me know about Avenger. Thanks
Alex_sbafone, New Member, Posts: 16, Joined: Tue Feb 13, 2007 11:18 am

Post by Amantide » Wed Feb 14, 2007 4:55 pm

Using CCleaner from Safe Mode you manage to empty the temporary-file folders even of the most stubborn files. The problem is that if the "main" file is not removed, cleaning the temp folders will be of no use. By now we have reached version 4 of the RarSFX* folder (RarSFX4), which means the temporary files have been deleted 4 times and that folder has already been regenerated for the fifth time.

Run this script, it doesn't matter whether from normal or Safe Mode, and then do a fresh cleanup with CCleaner from Safe Mode.

Files to delete:
D:\WINDOWS\temp\~DF6E5C.tmp
D:\Documents and Settings\Default User\Impostazioni locali\Temporary Internet Files\Content.IE5\XUN9HMW2\11396-23[1].exe

folders to delete:
D:\WINDOWS\temp\RarSFX0
D:\Documents and Settings\Cin\Impostazioni locali\Temp\RarSFX4
...to fly high, you have to know how to fall...
Amantide, Official Member (Gold), Posts: 8126, Joined: Mon Feb 06, 2006 4:13 pm, Location: Abruzzo

Post by Alex_sbafone » Wed Feb 14, 2007 6:29 pm

Done!
This is the Avenger .txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ptnaweru

*******************

Script file located at: \??\D:\podrfgla.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:



File D:\WINDOWS\temp\~DF6E5C.tmp not found!
Deletion of file D:\WINDOWS\temp\~DF6E5C.tmp failed!

Could not process line:
D:\WINDOWS\temp\~DF6E5C.tmp
Status: 0xc0000034



Could not open file D:\Documents and Settings\Default User\Impostazioni locali\Temporary Internet Files\Content.IE5\XUN9HMW2\11396-23[1].exe for deletion
Deletion of file D:\Documents and Settings\Default User\Impostazioni locali\Temporary Internet Files\Content.IE5\XUN9HMW2\11396-23[1].exe failed!

Could not process line:
D:\Documents and Settings\Default User\Impostazioni locali\Temporary Internet Files\Content.IE5\XUN9HMW2\11396-23[1].exe
Status: 0xc000003a



Folder D:\WINDOWS\temp\RarSFX0 not found!
Deletion of folder D:\WINDOWS\temp\RarSFX0 failed!

Could not process line:
D:\WINDOWS\temp\RarSFX0
Status: 0xc0000034



Folder D:\Documents and Settings\Cin\Impostazioni locali\Temp\RarSFX4 not found!
Deletion of folder D:\Documents and Settings\Cin\Impostazioni locali\Temp\RarSFX4 failed!

Could not process line:
D:\Documents and Settings\Cin\Impostazioni locali\Temp\RarSFX4
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
Alex_sbafone, New Member, Posts: 16, Joined: Tue Feb 13, 2007 11:18 am
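Added example, not part of the post and not Avenger's own code: a Python reader for the "Could not process line / Status" blocks in the Avenger log above, which decodes the NTSTATUS values the tool prints verbatim. The two codes in that log mean different things. 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the ~DF6E5C.tmp file and the RarSFX folders were simply no longer there. 0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND: a parent folder of the Default User\...\Content.IE5\XUN9HMW2 path does not exist, which is consistent with the earlier report that the XUN9HMW2 folder could not be found at the path BitDefender named. The status names come from the standard Windows NTSTATUS definitions; the triage hints are this example's own reading, and the sample input is an excerpt of the log above.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the Avenger log posted above, kept as sample input.
SAMPLE_AVENGER_LOG = """\
Logfile of The Avenger version 1, by Swandog46
Backups directory opened successfully at D:\\Avenger

Beginning to process script file:

File D:\\WINDOWS\\temp\\~DF6E5C.tmp not found!
Deletion of file D:\\WINDOWS\\temp\\~DF6E5C.tmp failed!

Could not process line:
D:\\WINDOWS\\temp\\~DF6E5C.tmp
Status: 0xc0000034

Could not open file D:\\Documents and Settings\\Default User\\Impostazioni locali\\Temporary Internet Files\\Content.IE5\\XUN9HMW2\\11396-23[1].exe for deletion
Deletion of file D:\\Documents and Settings\\Default User\\Impostazioni locali\\Temporary Internet Files\\Content.IE5\\XUN9HMW2\\11396-23[1].exe failed!

Could not process line:
D:\\Documents and Settings\\Default User\\Impostazioni locali\\Temporary Internet Files\\Content.IE5\\XUN9HMW2\\11396-23[1].exe
Status: 0xc000003a

Completed script processing.
"""

# NTSTATUS values as Avenger prints them. The first two appear in the log above;
# the other two are common alternatives. All from the Windows NTSTATUS definitions.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

# What each outcome means for the clean-up (this example's own triage reading).
HINTS = {
    0xC0000034: "only the last path component is missing: the object was already removed, "
                "or the dropper has since re-created it under another name",
    0xC000003A: "a parent folder in the path does not exist: check the profile directory "
                "and the Content.IE5 subfolder name before retrying",
}
DEFAULT_HINT = "the object exists but could not be deleted: confirm the path, retry from Safe Mode, then inspect it with a second tool"

# "Could not process line:" is followed by the offending script line, then "Status: 0x........".
FAIL_RE = re.compile(
    r"^Could not process line:\s*\n(?P<target>[^\n]+)\n\s*Status: (?P<code>0x[0-9A-Fa-f]{8})",
    re.MULTILINE,
)


def parse_failures(log: str) -> List[Tuple[str, int]]:
    """Return (script line, NTSTATUS) for every failed script line in the log."""
    return [(m["target"].strip(), int(m["code"], 16)) for m in FAIL_RE.finditer(log)]


def explain(code: int) -> str:
    return NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}")


def triage_report(log: str) -> Dict[str, str]:
    """Map each failed target to '<status name>: <what to do about it>'."""
    return {
        target: f"{explain(code)}: {HINTS.get(code, DEFAULT_HINT)}"
        for target, code in parse_failures(log)
    }


if __name__ == "__main__":
    for target, verdict in triage_report(SAMPLE_AVENGER_LOG).items():
        print(f"{target}\n    {verdict}")
```

The distinction matters for the next step: a NAME_NOT_FOUND target needs no further action unless it reappears, while a PATH_NOT_FOUND target means the script line itself points at the wrong place and should be corrected, not simply re-run.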

Post by Alex_sbafone » Wed Feb 14, 2007 7:16 pm

Hi!
Here's an update:
after writing you the last message I rebooted into Safe Mode, used CCleaner and then SystemScan.
I'm attaching the zipped file.
I then rebooted the PC and it keeps disconnecting every 3-4 minutes.. exactly every time BitDefender stops the file €sqkaa.exe, which tries to connect to the internet and has the same icon as 11396-23[1].exe and zzoyba.exe!!!
This is already the 6th time I've tried to write to you and attach the file, and the PC disconnects just before I manage to.
HELP ME!!!!
Alex_sbafone, New Member, Posts: 16, Joined: Tue Feb 13, 2007 11:18 am

Post by Amantide » Wed Feb 14, 2007 8:18 pm

Do this... run a scan with Gmer of the Autostart and Rootkit sections, ticking the Show all option, and post the logs here (Copy button, then paste here). Then I'll analyse everything and we'll see if we can track down this damned virus. [;)]
...to fly high, you have to know how to fall...
Amantide, Official Member (Gold), Posts: 8126, Joined: Mon Feb 06, 2006 4:13 pm, Location: Abruzzo

Post by Alex_sbafone » Wed Feb 14, 2007 8:51 pm

look at the file
Alex_sbafone, New Member, Posts: 16, Joined: Tue Feb 13, 2007 11:18 am

Post by Amantide » Wed Feb 14, 2007 10:00 pm

Run this script, maybe this time we've got it [acc2] :

Files to delete:
d:\windows\system32\csrakyhf.exe
D:\DOCUME~1\Cin\IMPOST~1\Temp\€sqkaa.exe
D:\DOCUME~1\Cin\IMPOST~1\Temp\*.*
D:\DOCUME~1\Cin\IMPOST~1\Temp\RarSFX0\runme.exe
D:\DOCUME~1\Cin\IMPOST~1\Temp\RarSFX0\LISTDLLS.exe

folders to delete:
D:\DOCUME~1\Cin\IMPOST~1\Temp\RarSFX0

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | csrakyhf
...to fly high, you have to know how to fall...
Amantide, Official Member (Gold), Posts: 8126, Joined: Mon Feb 06, 2006 4:13 pm, Location: Abruzzo
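Added example, not from the thread and not code from any tool named in it. The Avenger scripts in this thread pair an executable dropped into a user's Temp folder (or, in the last one, system32) with a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which is the persistence the helper keeps removing. This Python snippet parses a .reg-style export of that Run key, pulls the executable out of each command line, ranks it by where it lives, and emits the "Files to delete" and "registry values to delete" sections in the Avenger syntax used above for the high-risk entries. The sample export is constructed in the shape of the entries discussed here; the "AVMon" entry and its path are invented for contrast. The ranking is a location heuristic only, not a verdict: an entry marked "review" (for example a bare .exe in system32) still has to be checked by hand.

```python
import re
from typing import Dict, List

# Constructed .reg-style export of the Run key (what `reg export` produces),
# shaped like the entries in this thread. "AVMon" is a made-up benign entry.
SAMPLE_RUN_KEY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVMon"="\"C:\\Program Files\\Antivirus\\avmon.exe\" /background"
"zzoyba.exe"="D:\\Documents and Settings\\Cin\\Impostazioni locali\\Temp\\zzoyba.exe"
"csrakyhf"="d:\\windows\\system32\\csrakyhf.exe"
'''

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# "name"="data" lines; .reg files escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$', re.MULTILINE)
# Either a quoted image path or an unquoted path up to the first ".exe".
IMAGE_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.exe))', re.IGNORECASE)

TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\")


def reg_unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Value name -> unescaped command line."""
    return {reg_unescape(m["name"]): reg_unescape(m["data"]) for m in VALUE_RE.finditer(reg_text)}


def image_path(command: str) -> str:
    """Executable path out of a Run-key command line (quoted or bare)."""
    m = IMAGE_RE.match(command)
    if not m:
        return command.strip()
    return m["quoted"] or m["bare"]


def classify(path: str) -> str:
    p = path.lower()
    if any(d in p for d in TEMP_DIRS):
        return "high"        # autostart from a temp folder: the pattern in this thread
    if "\\program files\\" in p:
        return "ok"
    return "review"          # e.g. a bare .exe in system32: check publisher/signature by hand


def triage_run_key(reg_text: str) -> Dict[str, str]:
    return {name: classify(image_path(cmd)) for name, cmd in parse_run_values(reg_text).items()}


def avenger_script(reg_text: str) -> str:
    """The two Avenger sections used above, for every 'high' entry only."""
    files: List[str] = []
    regs: List[str] = []
    for name, cmd in parse_run_values(reg_text).items():
        path = image_path(cmd)
        if classify(path) == "high":
            files.append(path)
            regs.append(f"{RUN_KEY} | {name}")
    return ("Files to delete:\n" + "\n".join(files)
            + "\n\nregistry values to delete:\n" + "\n".join(regs) + "\n")


if __name__ == "__main__":
    for name, level in triage_run_key(SAMPLE_RUN_KEY).items():
        print(f"{level:6} {name}")
    print()
    print(avenger_script(SAMPLE_RUN_KEY))
```

Run on the sample it marks zzoyba.exe as high (Temp folder), csrakyhf as review (system32, unknown publisher) and AVMon as ok, and the generated script carries only the zzoyba.exe file and Run value, mirroring the first script Amantide posted.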

Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Italian translation by phpBB.it

megalab.it: daily online publication registered with the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising