H*jackThis is completely jammed, won't start and closes the browser


Post by eternauta » Tue Mar 13, 2007 4:12 pm

H+jackThis is stuck; I can't type the word in the browser because it freezes.
Even more incredibly, it also freezes when I go to the forum to read the posts dedicated to it.
Among the other attempts I made, I renamed it, but nothing changed.
I tried an old version of CWShredder (version 2), but nothing.
I tried AVG, nothing.
With VirIT it produced only marginal results:
VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
VIRUS ATTIVO IN MEMORIA: Trojan.Win32.RootKit.G
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
13/03/2007 - 14:10:11

[SCANSIONE DEL REGISTRO]
{2a6af021-17a2-4014-8624-cf6015f82fad} Infetto da BHO.Agent.BA
* * * RIMOSSO * * *

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
Naturally I scanned the whole disk, but nothing.
I can't even download Avenger, which I don't know what it is, but somewhere I read that it's useful (if I type the name, the browser closes).
I'm stuck at square one [!!!]

Post by crazy.cat » Tue Mar 13, 2007 4:55 pm

Download gmer from this address (press the Start Download button)
http://www.mediafire.com/?dytmw0ww0qj
Don't mind that I changed its name.
Press the button with the >>> and move to the Autostart section, tick Show all and run the scan; when it finishes, post here the log it produces.
You have to press the Copy button and then paste it here in the thread.
When the many govern, they think only of pleasing themselves; you then get the most foolish and hateful tyranny: tyranny disguised as freedom.

Post by Amantide » Tue Mar 13, 2007 5:01 pm

I'm afraid he won't be able to use this Gmer either; by now the latest versions of Gromozon don't just check the program's name.

Open Task Manager (Ctrl+Alt+Canc (Del)) and check all the processes carefully; there must be 1 or 2 processes with strange names of software or hardware you don't have on the PC, files containing words like these in their name: norton, symantec, toshiba, lexmark, etc.

Once you have terminated that process (or those processes) you'll be able to start HijackThis and run the scan so you can post its log here.
...to fly high, you have to know how to fall...


Post by eternauta » Tue Mar 13, 2007 6:53 pm

thanks, but there's nothing abnormal in memory, and gmer freezes. [!!!]
I tried terminating some processes that were evidently legitimate, but it didn't work; the virus doesn't seem to be disguised.

Post by Amantide » Tue Mar 13, 2007 7:06 pm

Then try this.
Open the registry (Start --> Run --> type regedit), expand the tree until you reach the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and in the right-hand pane find the entry UserInit. Double-click it; in the Value data line there must be a value beginning with C:\WINDOWS\system32\userinit.exe,. If after that there are the names of other files, note their name and path and try to delete them with the help of AGVPFIX.

P.S. Be careful not to delete anything in the registry.

Post by eternauta » Tue Mar 13, 2007 7:34 pm

thanks again,
after userinit there are only two names that don't seem to apply to my case
vmApplet with value rundll32 shell32 ,control_rundll"sysdm.cpl"
winstationdisabled with value 0

Post by Amantide » Tue Mar 13, 2007 7:39 pm

eternauta wrote:
thanks again,
after userinit there are only two names that don't seem to apply to my case
vmApplet with value rundll32 shell32 ,control_rundll"sysdm.cpl"
winstationdisabled with value 0

You shouldn't look at the values after userinit; you have to look at the value of userinit itself, that is, the part of the UserInit entry shown in the Data column.

Post by eternauta » Tue Mar 13, 2007 7:42 pm

it says: C:\WINDOWS\SYSTEM32\Userinit.exe,
I'm quoting it verbatim

Post by Amantide » Tue Mar 13, 2007 8:40 pm

Strange [uhm]

Download this file to the desktop and run it: http://www.bleepingcomputer.com/files/o ... npfind.exe
A folder called WinPFind will be created, again on the desktop.
Start the PC in safe mode (pressing F8 at boot), open the WinPFind folder and run the file WinPFind.exe. Click Start scan and wait for the scan to finish.
When the scan has finished, restart the PC in normal mode, find the file winpfind.txt in the WinPFind folder and attach it here as an attachment.

Post by eternauta » Tue Mar 13, 2007 10:10 pm

I ran the scan with the default settings and I can't attach the file, so I apologise, but I'm pasting it into a post.
If it isn't enough, let me know; I did another, complete one, but in that case I think you'd have to explain to me how to attach files (in "upload a file" it tells me it can't transfer the txt format, nor the tst format I made up).

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\Documents and Settings\cosimo\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(Adobe LM Service) Adobe LM Service [Win32_Own | Disabled | Stopped]
= C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)

(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Stopped]
= C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)

(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped]
= C:\WINDOWS\system32\ati2sgag.exe ()

(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Stopped]
= C:\Programmi\Grisoft\AVG Free\avgamsvr.exe (GRISOFT, s.r.o.)

(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Stopped]
= C:\Programmi\Grisoft\AVG Free\avgupsvc.exe (GRISOFT, s.r.o.)

(dmadmin) Servizio amministrativo di Gestione disco logico [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(EpsonBidirectionalService) EpsonBidirectionalService [Win32_Own | Auto | Stopped]
= C:\Programmi\File comuni\EPSON\EBAPI\eEBSvc.exe ()

(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped]
= C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe (Intel(R) Corporation)

(viritsvclite) Virit eXplorer Lite [Win32_Own | Auto | Stopped]
= C:\VEXPLITE\VIRITSVC.EXE (TG Soft Sas www.tgsoft.it)

»»»»»»»»»»»»»»»»»»»» Driver Services (Non-Microsoft) »»»»»»»»»»

(a347bus) a347bus [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\a347bus.sys ( )

(a347scsi) a347scsi [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\a347scsi.sys ( )

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped]
= (File not found)

(abp480n5) abp480n5 [Kernel | Disabled | Stopped]
= (File not found)

(ADIHdAudAddService) ADI UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)

(adpu160m) adpu160m [Kernel | Disabled | Stopped]
= (File not found)

(AEAudioService) AEAudio Service [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)

(Aha154x) Aha154x [Kernel | Disabled | Stopped]
= (File not found)

(aic78u2) aic78u2 [Kernel | Disabled | Stopped]
= (File not found)

(aic78xx) aic78xx [Kernel | Disabled | Stopped]
= (File not found)

(alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\alcan5wn.sys (THOMSON)

(alcaudsl) SpeedTouch ADSL Modem ATM Transport [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\alcaudsl.sys (THOMSON)

(AliIde) AliIde [Kernel | Disabled | Stopped]
= (File not found)

(amsint) amsint [Kernel | Disabled | Stopped]
= (File not found)

(asc) asc [Kernel | Disabled | Stopped]
= (File not found)

(asc3350p) asc3350p [Kernel | Disabled | Stopped]
= (File not found)

(asc3550) asc3550 [Kernel | Disabled | Stopped]
= (File not found)

(aslm75) aslm75 [Kernel | System | Stopped]
= C:\WINDOWS\system32\drivers\ASLM75.SYS ()

(Aspi32) Aspi32 [Kernel | Auto | Stopped]
= C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)

(atapi) Controller disco rigido IDE/ESDI standard [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\atapi.sys ()

(Atdisk) Atdisk [Kernel | Disabled | Stopped]
= (File not found)

(ati2mtag) ati2mtag [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

(Avg7Core) AVG7 Kernel [Kernel | System | Stopped]
= C:\WINDOWS\system32\drivers\avg7core.sys (GRISOFT, s.r.o.)

(Avg7RsW) AVG7 Wrap Driver [Kernel | System | Stopped]
= C:\WINDOWS\system32\drivers\avg7rsw.sys (GRISOFT, s.r.o.)

(Avg7RsXP) AVG7 Resident Driver XP [Kernel | System | Stopped]
= C:\WINDOWS\system32\drivers\avg7rsxp.sys (GRISOFT, s.r.o.)

(AvgClean) AVG7 Clean Driver [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\avgclean.sys (GRISOFT, s.r.o.)

(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped]
= (File not found)

(Changer) Changer [Kernel | System | Stopped]
= (File not found)

(CmdIde) CmdIde [Kernel | Disabled | Stopped]
= (File not found)

(CnxEtP) Trust MD3100 USB ADSL MODEM LAN Adapter Filter Driver [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\CnxEtP.sys (Conexant)

(CnxEtU) Trust MD3100 USB ADSL MODEM Loader [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\CnxEtU.sys (Conexant)

(CnxTgN) Trust MD3100 USB ADSL MODEM LAN Adapter Driver [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\CnxTgN.sys (Conexant Systems Inc.)

(Cpqarray) Cpqarray [Kernel | Disabled | Stopped]
= (File not found)

(dac960nt) dac960nt [Kernel | Disabled | Stopped]
= (File not found)

(dmboot) dmboot [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmboot.sys (Microsoft Corp., Veritas Software)

(dmio) Driver Gestione dischi logici [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dmio.sys (Microsoft Corp., Veritas Software)

(dmload) dmload [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dmload.sys (Microsoft Corp., Veritas Software.)

(dpti2o) dpti2o [Kernel | Disabled | Stopped]
= (File not found)

(E1000) Intel(R) PRO/1000 Network Connection Driver [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\e1000325.sys (Intel Corporation)

(gmer) gmer [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\gmer.sys (GMER)

(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows (R) Server 2003 DDK provider)

(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows (R) Server 2003 DDK provider)

(hpn) hpn [Kernel | Disabled | Stopped]
= (File not found)

(i2omgmt) i2omgmt [Kernel | System | Stopped]
= (File not found)

(i2omp) i2omp [Kernel | Disabled | Stopped]
= (File not found)

(ini910u) ini910u [Kernel | Disabled | Stopped]
= (File not found)

(kbfilter) Keyboard Filter Driver [Kernel | System | Running]
= C:\WINDOWS\System32\drivers\kbfilter.sys (WayTech Development, Inc.)

(lbrtfdc) lbrtfdc [Kernel | System | Stopped]
= (File not found)

(MagicTune) MagicTune [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\MTiCtwl.sys ()

(moufiltr) Mouse Filter Driver [Kernel | System | Running]
= C:\WINDOWS\System32\drivers\moufiltr.sys (Windows (R) 2000 DDK provider)

(mraid35x) mraid35x [Kernel | Disabled | Stopped]
= (File not found)

(PCIDump) PCIDump [Kernel | System | Stopped]
= (File not found)

(Pcouffin) Low level access layer for CD devices [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\Pcouffin.sys (VSO Software)

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped]
= (File not found)

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(PDRELI) PDRELI [Kernel | On_Demand | Stopped]
= (File not found)

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(perc2) perc2 [Kernel | Disabled | Stopped]
= (File not found)

(perc2hib) perc2hib [Kernel | Disabled | Stopped]
= (File not found)

(Ptilink) Driver Direct Parallel Link [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

(PxHelp20) PxHelp20 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\pxhelp20.sys (Sonic Solutions)

(ql1080) ql1080 [Kernel | Disabled | Stopped]
= (File not found)

(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped]
= (File not found)

(ql12160) ql12160 [Kernel | Disabled | Stopped]
= (File not found)

(ql1240) ql1240 [Kernel | Disabled | Stopped]
= (File not found)

(ql1280) ql1280 [Kernel | Disabled | Stopped]
= (File not found)

(Secdrv) Secdrv [Kernel | Auto | Stopped]
= C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

(SenFiltService) SenFilt Service [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)

(Simbad) Simbad [Kernel | Disabled | Stopped]
= (File not found)

(Sparrow) Sparrow [Kernel | Disabled | Stopped]
= (File not found)

(symc810) symc810 [Kernel | Disabled | Stopped]
= (File not found)

(symc8xx) symc8xx [Kernel | Disabled | Stopped]
= (File not found)

(sym_hi) sym_hi [Kernel | Disabled | Stopped]
= (File not found)

(sym_u3) sym_u3 [Kernel | Disabled | Stopped]
= (File not found)

(TosIde) TosIde [Kernel | Disabled | Stopped]
= (File not found)

(ultra) ultra [Kernel | Disabled | Stopped]
= (File not found)

(ViaIde) ViaIde [Kernel | Disabled | Stopped]
= (File not found)

(VIRAGTLT) VIRAGTLT [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\VIRAGTLT.SYS (TG Soft S.a.s.)

(WDICA) WDICA [Kernel | On_Demand | Stopped]
= (File not found)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
AVG7_CC = C:\Programmi\Grisoft\AVG Free\avgcc.exe (GRISOFT, s.r.o.)
CnxDslTaskBar = C:\Programmi\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe (Conexant Systems Inc.)
High Definition Audio Property Page Shortcut = C:\WINDOWS\system32\HdAShCut.exe (Windows (R) Server 2003 DDK provider)
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
PRONoMgrWired = C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe (Intel(R) Corporation)
SoundMAX = C:\Programmi\Analog Devices\SoundMAX\SMax4.exe (Analog Devices, Inc.)
SoundMAXPnP = C:\Programmi\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
SunJavaUpdateSched = C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe (Sun Microsystems, Inc.)
TkBellExe = C:\Programmi\File comuni\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
VIRIT LITE MONITOR = C:\VEXPLITE\MONLITE.EXE (TG Soft S.a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Reader Speed Launch.lnk
= C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Attiva il Desktop senza fili Labtec.lnk
= C:\Programmi\Desktop senza fili Labtech\MagicKey.exe ()

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Color Calibration.lnk
= C:\Programmi\SEC\MagicTune3.5_Client\GammaTray.exe ()

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\EPSON Status Monitor 3 Environment Check.lnk
= C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE (SEIKO EPSON CORPORATION)

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\MagicTune3.5.lnk
= C:\Programmi\SEC\MagicTune3.5_Client\MagicTuneTray.exe ()

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\NaturalColorLoad.lnk
= C:\Programmi\SEC\Natural Color\NaturalColorLoad.exe ()

< User Startup Folder = C:\Documents and Settings\cosimo\Menu Avvio\Programmi\Esecuzione automatica >
C:\Documents and Settings\cosimo\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

>>>>> Disabled Startup Folder Items <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Programmi\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Programmi\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Programmi\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Programmi\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> "C:\Programmi\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -> "C:\Programmi\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe C:\WINDOWS\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -> "C:\Programmi\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -> "C:\Programmi\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -> "C:\Programmi\Winamp\Winamp.exe" "%1" (Nullsoft)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Programmi\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Programmi\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
StubPath = C:\WINDOWS\system32\ieudinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =

>>>>> SafeBoot Option Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
Debugger = c:\WINDOWS\system32\dxirowis.txt ()




>>>>> Security Providers <<<<<

>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
Control_RunDLL (File not found)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
DllName = C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoCDBurning = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145
NoFolderOptions = 0
NoSaveSettings = 0

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]*

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
HomePage = 0
Accessibility = 0
CertifPers = 0
CertifSite = 0
SecChangeSettings = 0
SecAddSites = 0
FormSuggest = 0
FormSuggest Passwords = 0
Connwiz Admin Lock = 0
Settings = 0
ResetWebSettings = 0
Connection Wizard = 0

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
NoBrowserOptions = 0

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = Pagina iniziale corrente
Source = About:Home
SubscribedURL = About:Home

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 768 bytes | Modified Date: 13/09/2002 15.21.20)
127.0.0.1 localhost

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Local Page = C:\WINDOWS\system32\blank.htm
Search Bar = http://www.google.com/ie
Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Start Page = http://www.google.it/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0
ProxyOverride = 127.0.0.1

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- AcroIEHlprObj Class ( HKLM = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
- Reg Data - Value does not exist ( HKLM = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
- Google Toolbar Helper ( HKLM = c:\programmi\Google\googletoolbar1.dll (Google Inc.) )

>>>>> Bars, Toolbars and Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google ( HKLM = c:\programmi\Google\googletoolbar1.dll (Google Inc.) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google ( HKLM = c:\programmi\Google\googletoolbar1.dll (Google Inc.) )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8192 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8194

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - Java Plug-in 1.5.0_11 ( HKLM C:\Programmi\Java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.) )
ClsidExtension = {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - Java Plug-in 1.5.0_11 ( HKCU C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.) )

>>>>> Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Barra delle applicazioni e menu di avvio ( HKLM = Reg Data - Key not found (File not found) )
{23170F69-40C1-278A-1000-000100020000} = 7-Zip Shell Extension ( HKLM = C:\Programmi\7-Zip\7-zip.dll () )
{32020A01-506E-484D-A2A8-BE3CF17601C3} = AlcoholShellEx ( HKLM = C:\Programmi\Alcohol Soft\Alcohol 120\AXShlEx.dll (Alcohol Soft Development Team) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Estensione panoramica video del Pannello di controllo ( HKLM = deskpan.dll (File not found) )
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = Shell Extension for Malware scanning ( CLSID not found! )
{51550900-DCAC-11d4-AA0F-0080C87C465B} = WayTech MultiMouse Extension ( HKLM = C:\Programmi\Desktop senza fili Labtech\CPDll.dll () )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Estensioni shell per la compressione dei file ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = Account utente ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Menu di scelta rapida di crittografia ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = AVG7 Shell Extension Class ( HKLM = C:\Programmi\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} = AVG7 Find Extension Class ( HKLM = C:\Programmi\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )
{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f} = FTP Explorer Shell Extension ( HKLM = C:\WINDOWS\system32\ftpxext.dll (FTPx Corp.) )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = RealOne Player Context Menu Class ( HKLM = C:\Programmi\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.) )

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip]
@ = {23170F69-40C1-278A-1000-000100020000} ( HKLM = C:\Programmi\7-Zip\7-zip.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@ = {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ( HKLM = C:\Programmi\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Blocco menu Start]
@ = Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip]
@ = {23170F69-40C1-278A-1000-000100020000} ( HKLM = C:\Programmi\7-Zip\7-zip.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@ = {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ( HKLM = C:\Programmi\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

>>>>> User Agent Post Platform <<<<<

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C1AE79B4-A303-4634-8E2E-4CBE4F0645C2}] ( Intel(R) PRO/1000 MT Network Connection )
DefaultGateway =
DhcpServer = 255.255.255.255
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\DownloadInformation]
CODEBASE = http://download.macromedia.com/pub/shoc ... tor/sw.cab
INF = C:\WINDOWS\Downloaded Program Files\erma.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://fpdownload.macromedia.com/get/fl ... wflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation]
CODEBASE = file:///C:/WINDOWS/Java/classes/xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

»»»»»»»»»»»»»»»»»»»» Files Created Within 30 Days »»»»»»»»»»»»»

C:\Documents and Settings\All Users\Desktop\VIRIT-LT.LNK [Ver = | Size = 568 bytes | Created Date = 13/03/2007 14.05.44 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\FTP Explorer.lnk [Ver = | Size = 1490 bytes | Created Date = 22/02/2007 19.47.08 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\Nuovo Documento di Microsoft Word (2).doc [Ver = | Size = 10752 bytes | Created Date = 27/02/2007 23.20.35 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\Nuovo Foglio di lavoro di Microsoft Excel.xls [Ver = | Size = 13824 bytes | Created Date = 14/02/2007 20.08.39 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\rosa.doc [Ver = | Size = 27136 bytes | Created Date = 22/02/2007 19.03.32 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\rosa.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\cosimo\Desktop\tecnico allievi.htm [Ver = | Size = 0 bytes | Created Date = 28/02/2007 0.37.22 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\vnlt6162.exe [Ver = | Size = 2072576 bytes | Created Date = 13/03/2007 14.02.15 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\vnlt6162.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\cosimo\Desktop\winpfind.exe [Ver = | Size = 264211 bytes | Created Date = 13/03/2007 19.53.13 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\winpfind.exe:Zone.Identifier (26 bytes)
C:\WINDOWS\game.ini [Ver = | Size = 267 bytes | Created Date = 05/03/2007 19.23.19 | Attr = ]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12086 | Size = 565311 bytes | Created Date = 13/03/2007 17.54.31 | Attr = ]
C:\WINDOWS\gmer.exe [Ver = 1, 0, 12, 12086 | Size = 573440 bytes | Created Date = 13/03/2007 17.54.31 | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Created Date = 13/03/2007 17.54.31 | Attr = ]
C:\WINDOWS\IsUninst.exe InstallShield Software Corporation [Ver = 5, 50, 137, 0 | Size = 327168 bytes | Created Date = 12/02/2007 17.15.02 | Attr = ]
C:\WINDOWS\jautoexp.dat [Ver = | Size = 6550 bytes | Created Date = 20/02/2007 13.52.36 | Attr = ]
C:\WINDOWS\System32\amcompat.tlb [Ver = | Size = 16832 bytes | Created Date = 16/02/2007 23.53.36 | Attr = ]
C:\WINDOWS\System32\ftpxext.dll FTPx Corp. [Ver = 1.00.003 | Size = 33280 bytes | Created Date = 22/02/2007 19.46.57 | Attr = ]
C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 49248 bytes | Created Date = 22/02/2007 13.48.07 | Attr = ]
C:\WINDOWS\System32\javasup.vxd [Ver = | Size = 7315 bytes | Created Date = 20/02/2007 13.52.36 | Attr = ]
C:\WINDOWS\System32\javaw.exe Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 53346 bytes | Created Date = 22/02/2007 13.48.07 | Attr = ]
C:\WINDOWS\System32\javaws.exe Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 127078 bytes | Created Date = 22/02/2007 13.48.08 | Attr = ]
C:\WINDOWS\System32\nscompat.tlb [Ver = | Size = 23392 bytes | Created Date = 16/02/2007 23.53.36 | Attr = ]
C:\WINDOWS\System32\stci.dll [Ver = | Size = 5607 bytes | Created Date = 23/02/2007 19.18.12 | Attr = ]
C:\WINDOWS\System32\zonedoff.reg [Ver = | Size = 113 bytes | Created Date = 20/02/2007 13.52.28 | Attr = ]
C:\WINDOWS\System32\zonedon.reg [Ver = | Size = 113 bytes | Created Date = 20/02/2007 13.52.28 | Attr = ]
C:\WINDOWS\System32\drivers\alcacr.sys THOMSON [Ver = 300.7.0.2 | Size = 3968 bytes | Created Date = 23/02/2007 19.18.12 | Attr = ]
C:\WINDOWS\System32\drivers\alcan5wn.sys THOMSON [Ver = 300.7.0.2 | Size = 53600 bytes | Created Date = 23/02/2007 19.18.12 | Attr = ]
C:\WINDOWS\System32\drivers\alcaudsl.sys THOMSON [Ver = 300.7.0.2 | Size = 70624 bytes | Created Date = 23/02/2007 19.18.12 | Attr = ]
C:\WINDOWS\System32\drivers\alcawh.sys THOMSON [Ver = 300.7.0.2 | Size = 5280 bytes | Created Date = 23/02/2007 19.18.12 | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3816 | Size = 68993 bytes | Created Date = 13/03/2007 17.54.31 | Attr = ]
C:\WINDOWS\System32\drivers\VIRAGTLT.SYS TG Soft S.a.s. [Ver = 1.4.00 | Size = 35328 bytes | Created Date = 13/03/2007 14.05.49 | Attr = ]

»»»»»»»»»»»»»»»»»»»» Files Modified Within 30 Days »»»»»»»»»»»»»

C:\Documents and Settings\cosimo\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [Ver = | Size = 35328 bytes | Modified Date = 05/03/2007 19.10.44 | Attr = ]
C:\Documents and Settings\cosimo\Impostazioni locali\Dati applicazioni\IconCache.db [Ver = | Size = 4315614 bytes | Modified Date = 13/03/2007 15.22.22 | Attr = H ]
C:\Documents and Settings\All Users\Desktop\Trust Control Panel.lnk [Ver = | Size = 284 bytes | Modified Date = 13/03/2007 15.23.30 | Attr = ]
C:\Documents and Settings\All Users\Desktop\Trust MD3100 USB ADSL MODEM.lnk [Ver = | Size = 724 bytes | Modified Date = 13/03/2007 15.23.34 | Attr = ]
C:\Documents and Settings\All Users\Desktop\VIRIT-LT.LNK [Ver = | Size = 568 bytes | Modified Date = 13/03/2007 14.05.46 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\FTP Explorer.lnk [Ver = | Size = 1490 bytes | Modified Date = 22/02/2007 19.47.10 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\Nuovo Documento di Microsoft Word (2).doc [Ver = | Size = 10752 bytes | Modified Date = 27/02/2007 23.20.36 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\Nuovo Foglio di lavoro di Microsoft Excel.xls [Ver = | Size = 13824 bytes | Modified Date = 14/02/2007 20.08.40 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\rosa.doc [Ver = | Size = 27136 bytes | Modified Date = 22/02/2007 22.31.52 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\rosa.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\cosimo\Desktop\tecnico allievi.htm [Ver = | Size = 0 bytes | Modified Date = 28/02/2007 0.37.24 | Attr = ]
C:\Documents and Settings\cosimo\Desktop\vnlt6162.exe [Ver = | Size = 2072576 bytes | Modified Date = 13/03/2007 14.02.28 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\vnlt6162.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\cosimo\Desktop\winpfind.exe [Ver = | Size = 264211 bytes | Modified Date = 13/03/2007 19.53.20 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\winpfind.exe:Zone.Identifier (26 bytes)
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 13/03/2007 19.56.06 | Attr = S]
C:\WINDOWS\game.ini [Ver = | Size = 267 bytes | Modified Date = 05/03/2007 19.23.20 | Attr = ]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12086 | Size = 565311 bytes | Modified Date = 13/03/2007 17.54.32 | Attr = ]
C:\WINDOWS\gmer.exe [Ver = 1, 0, 12, 12086 | Size = 573440 bytes | Modified Date = 13/03/2007 15.46.06 | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Modified Date = 13/03/2007 17.54.32 | Attr = ]
C:\WINDOWS\imsins.BAK [Ver = | Size = 1374 bytes | Modified Date = 17/02/2007 0.01.40 | Attr = ]
C:\WINDOWS\NeroDigital.ini [Ver = | Size = 116 bytes | Modified Date = 28/02/2007 17.21.18 | Attr = ]
C:\WINDOWS\win.ini [Ver = | Size = 661 bytes | Modified Date = 13/03/2007 14.48.02 | Attr = ]
C:\WINDOWS\WMSysPr9.prx [Ver = | Size = 316640 bytes | Modified Date = 16/02/2007 23.57.24 | Attr = ]
C:\WINDOWS\System32\amcompat.tlb [Ver = | Size = 16832 bytes | Modified Date = 17/02/2007 0.10.16 | Attr = ]
C:\WINDOWS\System32\nscompat.tlb [Ver = | Size = 23392 bytes | Modified Date = 17/02/2007 0.10.16 | Attr = ]
C:\WINDOWS\System32\perfc009.dat [Ver = | Size = 40128 bytes | Modified Date = 23/02/2007 19.28.06 | Attr = ]
C:\WINDOWS\System32\perfc010.dat [Ver = | Size = 47814 bytes | Modified Date = 23/02/2007 19.28.06 | Attr = ]
C:\WINDOWS\System32\perfh009.dat [Ver = | Size = 311740 bytes | Modified Date = 23/02/2007 19.28.06 | Attr = ]
C:\WINDOWS\System32\perfh010.dat [Ver = | Size = 345382 bytes | Modified Date = 23/02/2007 19.28.06 | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 751592 bytes | Modified Date = 23/02/2007 19.28.06 | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2228 bytes | Modified Date = 10/03/2007 22.49.14 | Attr = ]
C:\WINDOWS\System32\drivers\avg7core.sys GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Modified Date = 25/02/2007 14.10.50 | Attr = ]
C:\WINDOWS\System32\drivers\avg7rsxp.sys GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 25/02/2007 14.10.52 | Attr = ]
C:\WINDOWS\System32\drivers\avgmfx86.sys GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 19392 bytes | Modified Date = 25/02/2007 14.10.50 | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3816 | Size = 68993 bytes | Modified Date = 13/03/2007 17.54.32 | Attr = ]
C:\WINDOWS\System32\drivers\secdrv.sys Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.00.060 | Size = 163644 bytes | Modified Date = 05/03/2007 19.23.52 | Attr = ]
C:\WINDOWS\System32\drivers\VIRAGTLT.SYS TG Soft S.a.s. [Ver = 1.4.00 | Size = 35328 bytes | Modified Date = 06/03/2007 18.46.32 | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
@Alternate Data Stream - C:\Documents and Settings\cosimo\Documenti\invoice_23424632269.pdf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\cosimo\Documenti\invoice_23428130963.pdf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\cosimo\Documenti\SVGView.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\rosa.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\vnlt6162.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\cosimo\Desktop\winpfind.exe:Zone.Identifier (26 bytes)
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[PEC2 , PECompact2 , ]C:\WINDOWS\System32\DivX.dll (DivXNetworks)
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()
[UPX0 , WSUD , ]C:\WINDOWS\System32\dllcache\hwxjpn.dll ()
[aspack , FSG! , PEC2 , UPX! , ]C:\WINDOWS\System32\drivers\avg7core.sys (GRISOFT, s.r.o.)

< End of report >
eternauta
Newly Registered
 
Posts: 16
Joined: Mon Feb 05, 2007 7:13 pm

Post by Asenath83 » Wed Mar 14, 2007 1:25 pm

I have the same problem. I had followed the instructions given in another topic, but by mistake I deleted the userinit entry. I rebuilt it before rebooting, so no problem there, but now it is hard for me to identify the infected application.
I made a log with x-ray; could you point out any suspicious processes to me?
Thanks a lot:
Logfile of X-RayPc Build 39029 (Installed 1173797541)
Scan saved at 14/03/2007 12.18.33

Registry Settings:
IE Start Page (User) : http://www.google.it/
IE Start Page (Global) : http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IE Blank Page : C:\WINDOWS\system32\blank.htm
IE Default Page : http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
IE Search Page (User) : http://www.google.com
IE Search Page (Global) : http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE Default Search : http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
HOSTS Directory : %SystemRoot%\System32\drivers\etc

C:\WINDOWS\system32\services.exe (108544 e77f6fa2a15390f1727f4c1c55b69da6)
C:\WINDOWS\system32\lsass.exe (13312 0815e8da286775fa432c7c9ee5e10ba1)
C:\WINDOWS\system32\Ati2evxx.exe (364544 6bdb117f5cf40fe91ff50e1bb3f28184)
C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
c:\windows\system32\winlogon.exe (504832 4166454e2bcfcc20d1b8a5ac9feab243)
C:\WINDOWS\system32\cisvc.exe (5632 c4e84243292e37ca3b6faf4a1855b8a7)
C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
C:\WINDOWS\system32\Ati2evxx.exe (364544 6bdb117f5cf40fe91ff50e1bb3f28184)
C:\WINDOWS\Explorer.EXE (1034752 178d42bd8fc34a9837417a6ce1d6bb7b)
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (37303 fb25816a1963c6a0c34d5b8226650a93)
C:\Programmi\Messenger\msmsgs.exe (1694208 74e6e96c6f0e2eca4edbb7f7a468f259)
C:\Programmi\MSN Messenger\MsnMsgr.Exe (5674352 f4d7fd84cc8dbfe2256e402ee55df74c)
C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
C:\WINDOWS\system32\wscntfy.exe (13824 a49c11376727f7adc7e206e4c89b24e1)
C:\WINDOWS\system32\cidaemon.exe (8192 c51532501e042bc1948ae3735c04c919)
C:\WINDOWS\system32\spoolsv.exe (57856 da81ec57acd4cdc3d4c51cf3d409af9f)
C:\Programmi\Internet Explorer\iexplore.exe (93184 c49ed6e4358ffaecfe70fc8f3c67d224)
C:\Documents and Settings\Proprietario\Documenti\x-raypc.exe (348928 df5ba440e4384adcd1a0bf653da84387)

Service: Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe (364544 6bdb117f5cf40fe91ff50e1bb3f28184)
Service: AudioSrv C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: CiSvc C:\WINDOWS\system32\cisvc.exe (5632 c4e84243292e37ca3b6faf4a1855b8a7)
Service: CryptSvc C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: DcomLaunch C:\WINDOWS\system32\svchost -k DcomLaunch
Service: Dhcp C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: Dnscache C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: ERSvc C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: Eventlog C:\WINDOWS\system32\services.exe (108544 e77f6fa2a15390f1727f4c1c55b69da6)
Service: EventSystem C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: helpsvc C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: HTTPFilter C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: Irmon C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: lanmanserver C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: lanmanworkstation C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: LmHosts C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: Netman C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: Nla C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: PlugPlay C:\WINDOWS\system32\services.exe (108544 e77f6fa2a15390f1727f4c1c55b69da6)
Service: PolicyAgent C:\WINDOWS\system32\lsass.exe (13312 0815e8da286775fa432c7c9ee5e10ba1)
Service: ProtectedStorage C:\WINDOWS\system32\lsass.exe (13312 0815e8da286775fa432c7c9ee5e10ba1)
Service: RasMan C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: RpcSs C:\WINDOWS\system32\svchost -k rpcss
Service: SamSs C:\WINDOWS\system32\lsass.exe (13312 0815e8da286775fa432c7c9ee5e10ba1)
Service: Schedule C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: seclogon C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: SENS C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: ShellHWDetection C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: Spooler C:\WINDOWS\system32\spoolsv.exe (57856 da81ec57acd4cdc3d4c51cf3d409af9f)
Service: SSDPSRV C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: stisvc C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: TapiSrv C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: TermService C:\WINDOWS\System32\svchost -k DComLaunch
Service: Themes C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: TrkWks C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: W32Time C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: WebClient C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: winmgmt C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: wscsvc C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: wuauserv C:\WINDOWS\system32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)
Service: WZCSVC C:\WINDOWS\System32\svchost.exe (14336 73955b04f209d8a1c633867841267a96)

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (63128 f17b2b264072b921fc66a0be16626bab)
O2 - BHO: (no name) - {7e853d72-626a-48ec-a868-ba8d5e23e045} -
O2 - BHO: (Google Toolbar Helper) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmi\google\googletoolbar3.dll (2423872 f0b634b957e774e90edf0f90d0039303)

O3 - Toolbar: &Google {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\googletoolbar3.dll (2423872 f0b634b957e774e90edf0f90d0039303)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (37303 fb25816a1963c6a0c34d5b8226650a93)
O4 - HKCU\..\Run: [MSMSGS] C:\Programmi\Messenger\msmsgs.exe (1694208 74e6e96c6f0e2eca4edbb7f7a468f259)
O4 - HKCU\..\Run: [MsnMsgr] C:\Programmi\MSN Messenger\MsnMsgr.Exe (5674352 f4d7fd84cc8dbfe2256e402ee55df74c)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [PostBootReminder] C:\WINDOWS\system32\SHELL32.dll (8479744 98def9ae2c9f8fc7fecf9d0de23f2c90)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [CDBurn] C:\WINDOWS\system32\SHELL32.dll (8479744 98def9ae2c9f8fc7fecf9d0de23f2c90)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [WebCheck] C:\WINDOWS\system32\webcheck.dll (280576 9adae07a13e295a98f5ee7726354c28f)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [SysTray] C:\WINDOWS\system32\stobject.dll (122368 6474c3d1c136c60291b8a5ee9ed1735b)
O4 - HKLM\..\Run: [1] C:\WINDOWS\winsys.exe

O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll (77824 6c7b4daf6190083d8771e1262fd9ffd2)

O16 - DPF: {17492023-c23a-453e-a040-c7c580bbf700} (Windows Genuine Advantage Validation Tool)- http://go.microsoft.com/fwlink/?linkid=39204 - C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf (367 df2c9e0eac10a1184db4c73dca6fd1c7)
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Plug-in 1.5.0_03)- http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab - C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_03.inf (752 ea690a18fdaff99c075e140de2d8b0c7)
O16 - DPF: {9d190ae6-c81e-4039-8061-978ebad10073} (F-Secure Online Scanner 3.0)- http://support.f-secure.com/ols/fscax.cab - C:\WINDOWS\Downloaded Program Files\fscax.inf (483 089168c87de3f4f1e922b5aa97dcdbcb)
O16 - DPF: {bdee1959-ab6b-4745-a29b-f492861102cc} (CamRegCleanControl Object)- http://www.amustsoft.com/onlineregistry ... leaner.cab - C:\WINDOWS\Downloaded Program Files\onlineRegCleaner.inf (841 dbae829be10edf10f6b1c30a5747a417)
O16 - DPF: {cafeefac-0015-0000-0003-abcdeffedcba} (Java Plug-in 1.5.0_03)- http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab - C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll (69746 13fca03ebca6e1f8c6481166c516d1fe)
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object)- http://download.macromedia.com/pub/shoc ... wflash.cab - C:\WINDOWS\Downloaded Program Files\swflash.inf (5032 b0573f6f5a02e745d4e4183a1ab5757b)

020 - HKLM\..\Notify: [AtiExtEvent] C:\WINDOWS\system32\Ati2evxx.dll (46080 900fe173c6c92f26053df6e9403ef3f1)
020 - HKLM\..\Notify: [crypt32chain] C:\WINDOWS\system32\crypt32.dll (601600 5588d8afd51d060f82315c50d7590323)
020 - HKLM\..\Notify: [cryptnet] C:\WINDOWS\system32\cryptnet.dll (63488 f8dd2e38ecc275ae94edc7c0492416ef)
020 - HKLM\..\Notify: [cscdll] C:\WINDOWS\system32\cscdll.dll (102400 38c69b2bc3182a85f0b323c9d1eb7e26)
020 - HKLM\..\Notify: [ScCertProp] C:\WINDOWS\system32\wlnotify.dll (93184 72e4cad810a967449caab723e99c74b1)
020 - HKLM\..\Notify: [Schedule] C:\WINDOWS\system32\wlnotify.dll (93184 72e4cad810a967449caab723e99c74b1)
020 - HKLM\..\Notify: [sclgntfy] C:\WINDOWS\system32\sclgntfy.dll (21504 5ff2551a3d740476f06b20f59cd7f0be)
020 - HKLM\..\Notify: [SensLogn] C:\WINDOWS\system32\WlNotify.dll (93184 72e4cad810a967449caab723e99c74b1)
020 - HKLM\..\Notify: [termsrv] C:\WINDOWS\system32\wlnotify.dll (93184 72e4cad810a967449caab723e99c74b1)
020 - HKLM\..\Notify: [wlballoon] C:\WINDOWS\system32\wlnotify.dll (93184 72e4cad810a967449caab723e99c74b1)

I also did a scan with winpfind:
WinPFind logfile created on: 14/03/2007 12.38.07
WinPFind by OldTimer - v2.0.2 Folder = C:\Documents and Settings\Proprietario\Documenti\winpfind\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

1046688 Kb Total Physical Memory | 867040 Kb Available Physical Memory | 82,84% Memory free
1240528 Kb Paging File | 1184856 Kb Available in Paging File | 95,51% Paging File free
Paging file location: C:\pagefile.sys 288 576

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmi
Drive C: | 47348032 Kb Total Space | 10014976 Kb Free Space | 21,15% Space Free
Drive D: | 47749536 Kb Total Space | 18627360 Kb Free Space | 39,01% Space Free
E: Drive not present or media not loaded
Drive F: | 470744 Kb Total Space | 0 Kb Free Space | 0,00% Space Free

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\Documents and Settings\Proprietario\Documenti\winpfind\WinPFind\WinPFind.exe (OldTimer Tools)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(Adobe LM Service) Adobe LM Service [Win32_Own | Disabled | Stopped]
= C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe ()

(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Disabled | Stopped]
= C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe ()

(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Stopped]
= C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)

(avast! Antivirus) avast! Antivirus [Win32_Own | Disabled | Stopped]
= C:\Programmi\Alwil Software\Avast4\ashServ.exe ()

(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | Disabled | Stopped]
= C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

(avast! Web Scanner) avast! Web Scanner [Win32_Own | Disabled | Stopped]
= C:\Programmi\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

(Dhuhi60nwahi) Dhuhi60nwahi [Win32_Own | Disabled | Stopped]
= (File not found)

(dmadmin) Servizio amministrativo di Gestione disco logico [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped]
= C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)

(MsaSvc) Microsoft authenticate service [Win32_Own | Disabled | Stopped]
= C:\WINDOWS\system32\msasvc.exe (File not found)

(wltrysvc) Broadcom Wireless LAN Tray Service [Win32_Own | Disabled | Stopped]
= C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (File not found)

»»»»»»»»»»»»»»»»»»»» Driver Services (Non-Microsoft) »»»»»»»»»»

(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Stopped]
= C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped]
= (File not found)

(AegisP) AEGIS Protocol (IEEE 802.1x) v3.2.0.3 [Kernel | Auto | Stopped]
= system32\DRIVERS\AegisP.sys (File not found)

(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

(AliIde) AliIde [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\aliide.sys (Acer Laboratories Inc.)

(amdagp) Driver filtro bus AMD AGP [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\AMDAGP.SYS (Advanced Micro Devices, Inc.)

(AR5211) Atheros Wireless Network Adapter Service [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)

(asc) asc [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\asc.sys (Advanced System Products, Inc.)

(asc3550) asc3550 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\asc3550.sys (Advanced System Products, Inc.)

(aswMon2) avast! Standard Shield Support [File_System | Auto | Stopped]
= C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)

(aswRdr) aswRdr [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)

(aswTdi) avast! Network Shield Support [Kernel | System | Stopped]
= C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)

(Atdisk) Atdisk [Kernel | Disabled | Stopped]
= (File not found)

(ati2mtag) ati2mtag [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

(BCM43XX) Driver per l’adattatore di rete Broadcom 802.11 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)

(Changer) Changer [Kernel | System | Stopped]
= (File not found)

(CmdIde) CmdIde [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\cmdide.sys (CMD Technology, Inc.)

(dac2w2k) dac2w2k [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dac2w2k.sys (Mylex Corporation)

(dmboot) dmboot [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmboot.sys (Microsoft Corp., Veritas Software)

(dmio) dmio [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmio.sys (Microsoft Corp., Veritas Software)

(dmload) dmload [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmload.sys (Microsoft Corp., Veritas Software.)

(FETNDIS) Driver NT scheda Fast Ethernet VIA PCI 10/100Mb [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\fetnd5.sys (VIA Technologies, Inc. )

(Hotkey) Hotkey [Kernel | System | Stopped]
= C:\WINDOWS\System32\drivers\HOTKEY.sys ()

(HSFHWATI) HSFHWATI [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\HSFHWATI.sys (Conexant Systems, Inc.)

(HSF_DP) HSF_DP [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)

(lbrtfdc) lbrtfdc [Kernel | System | Stopped]
= (File not found)

(mailKmd) mailKmd [Kernel | System | Stopped]
= (File not found)

(mdmxsdk) mdmxsdk [Kernel | Auto | Stopped]
= C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)

(mraid35x) mraid35x [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\mraid35x.sys (American Megatrends Inc.)

(NSCIRDA) Driver periferica infrarossi NSC [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\nscirda.sys (National Semiconductor Corporation)

(NTIDrvr) Upper Class Filter Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)

(P0630VID) Creative WebCam Live! [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\P0630Vid.sys (Creative Technology Ltd.)

(PCIDump) PCIDump [Kernel | System | Stopped]
= (File not found)

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped]
= (File not found)

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(PDRELI) PDRELI [Kernel | On_Demand | Stopped]
= (File not found)

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(POWERKEY) POWERKEY [Kernel | On_Demand | Stopped]
= C:\Program Files\Launch Manager\POWERKEY.sys (File not found)

(Ptilink) Driver Direct Parallel Link [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

(PxHelp20) PxHelp20 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\PxHelp20.sys (Sonic Solutions)

(ql1080) ql1080 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\ql1080.sys (QLogic Corporation)

(ql12160) ql12160 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\ql12160.sys (QLogic Corporation)

(ql1280) ql1280 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\ql1280.sys (QLogic Corporation)

(RTL8023xp) Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )

(rtl8139) Driver NT scheda Fast Ethernet PCI Realtek basata su RTL8139 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)

(Secdrv) Secdrv [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

(Simbad) Simbad [Kernel | Disabled | Stopped]
= (File not found)

(sisagp) Filtro bus SIS AGP [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\SISAGP.SYS (Silicon Integrated Systems Corporation)

(Sparrow) Sparrow [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\sparrow.sys (Adaptec, Inc.)

(sptd) sptd [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\sptd.sys ()

(symc810) symc810 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\symc810.sys (Symbios Logic Inc.)

(symc8xx) symc8xx [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\symc8xx.sys (LSI Logic)

(sym_hi) sym_hi [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\sym_hi.sys (LSI Logic)

(sym_u3) sym_u3 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\sym_u3.sys (LSI Logic)

(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)

(tifm21) tifm21 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)

(tmcomm) tmcomm [Kernel | Auto | Stopped]
= C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)

(UBHelper) UBHelper [Kernel | System | Running]
= C:\WINDOWS\System32\drivers\UBHelper.sys ()

(ultra) ultra [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\ultra.sys (Promise Technology, Inc.)

(Wbutton) Wbutton [Kernel | System | Stopped]
= C:\WINDOWS\system32\drivers\Wbutton.sys (File not found)

(WDICA) WDICA [Kernel | On_Demand | Stopped]
= (File not found)

(winachsf) winachsf [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avast! = C:\Programmi\Alwil Software\Avast4\ashDisp.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


< Common Startup Folder = C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.lnk
= C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()

< User Startup Folder = C:\Documents and Settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica >
C:\Documents and Settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
wltrysvc = 2
cmdService = 2
MsaSvc = 2
Atimlaxnq = 3
avast! Web Scanner = 3
avast! Mail Scanner = 3
avast! Antivirus = 2
aswUpdSv = 2
Adobe LM Service = 3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Gamma Loader.lnk]
path = C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.lnk ()
backup = C:\WINDOWS\pss\Adobe Gamma Loader.lnk (File not found)
location = Common Startup
command = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
item = C:\Documents and Settings\Proprietario\Desktop\adobe (File not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]
path = C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk (File not found)
backup = C:\WINDOWS\pss\Avvio veloce di Adobe Reader.lnk (File not found)
location = Common Startup
command = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
item = Avvio veloce di Adobe Reader

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!AVG Anti-Spyware]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = avgas
hkey = HKLM
command = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTFMON.EXE]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeluxeCommunications]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = Dxc
hkey = HKLM
command = C:\Programmi\DeluxeCommunications\Dxc.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lexmark_X79-55]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\lsasss.exe ()
hkey = HKLM
command = C:\WINDOWS\system32\lsasss.exe ()
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = msmsgs
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = msnmsgr
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
hkey = HKLM
command = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = NEWDOT~2
hkey = HKLM
command = C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = qttask
hkey = HKLM
command = C:\Programmi\QuickTime\qttask.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SoundMan]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
hkey = HKLM
command = C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = jusched
hkey = HKLM
command = C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\swg]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = GoogleToolbarNotifier
hkey = HKCU
command = C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = evntsvc
hkey = HKLM
command = C:\Programmi\File comuni\Real\Update_OB\evntsvc.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
system.ini = 0
win.ini = 0
bootini = 0
services = 2
startup = 2

>>>>> Disabled Startup Folder Items <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = FirefoxHTML] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> Reg Data - Key not found
htmlfile [open] -> "C:\Programmi\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Programmi\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" (Mozilla Corporation)

https [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" (Mozilla Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Programmi\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Programmi\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =

>>>>> SafeBoot Option Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]
(File not found)




>>>>> Security Providers <<<<<

>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
Control_RunDLL (File not found)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
DllName = C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
1 = C:\WINDOWS\winsys.exe (File not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
DisableRegistryTools = 0

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName =
Source = C:\Programmi\Messenger\qufyb.html
SubscribedURL =

FriendlyName =
Source = C:\Programmi\Windows NT\nicoxin.html
SubscribedURL =

FriendlyName = Pagina iniziale corrente
Source = About:Home
SubscribedURL = About:Home

FriendlyName =
Source = http://www.forumcommunity.net/?c=2414
SubscribedURL = http://www.forumcommunity.net/?c=2414

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 768 bytes | Modified Date: 19/08/2004 20.00.00)
127.0.0.1 localhost

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
Default_Search_URL = http://www.google.com/ie
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Search_URL = http://www.google.com/ie
SearchAssistant = http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Local Page = C:\WINDOWS\system32\blank.htm
Search Bar = http://www.google.com/ie
Search Page = http://www.google.com
Start Page = http://www.google.it/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
SearchAssistant = http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- Adobe PDF Reader Link Helper ( HKLM = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
- Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
- Google Toolbar Helper ( HKLM = c:\programmi\Google\googletoolbar3.dll (Google Inc.) )

>>>>> Bars, Toolbars and Extensions <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}]
- Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google ( HKLM = c:\programmi\Google\googletoolbar3.dll (Google Inc.) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google ( HKLM = c:\programmi\Google\googletoolbar3.dll (Google Inc.) )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8193 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8192 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8194

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - Java Plug-in 1.5.0_03 ( HKLM C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.pdf]
Location = C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll (Adobe Systems Inc.)

>>>>> Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Barra delle applicazioni e menu di avvio ( HKLM = Reg Data - Key not found (File not found) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Estensione panoramica video del Pannello di controllo ( HKLM = deskpan.dll (File not found) )
{472083B0-C522-11CF-8763-00608CC02F24} = avast ( HKLM = C:\Programmi\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Estensioni shell per la compressione dei file ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = Account utente ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Menu di scelta rapida di crittografia ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\avast]
@ = {472083B0-C522-11CF-8763-00608CC02F24} ( HKLM = C:\Programmi\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\MagicISO]
@ = {DB85C504-C730-49DD-BEC1-7B39C6103B7A} ( HKLM = C:\Programmi\MagicISO\misosh.dll (MagicISO, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\MagicISO]
@ = {DB85C504-C730-49DD-BEC1-7B39C6103B7A} ( HKLM = C:\Programmi\MagicISO\misosh.dll (MagicISO, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\avast]
@ = {472083B0-C522-11CF-8763-00608CC02F24} ( HKLM = C:\Programmi\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\MagicISO]
@ = {DB85C504-C730-49DD-BEC1-7B39C6103B7A} ( HKLM = C:\Programmi\MagicISO\misosh.dll (MagicISO, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Programmi\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

>>>>> User Agent Post Platform <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{244CE1E3-10DE-40B1-B65E-283C8F1D9D00}]
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{51603F0B-8EBE-4050-BF26-B8A78FBB4667}]
DefaultGateway =
Domain =
EnableDHCP = 0
IPAddress = 192.168.1.1;
NameServer =
SubnetMask = 255.255.255.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5630C818-3A5E-4FE4-AD0D-F9D7F451EAC7}] ( 1394 Net Adapter )
DefaultGateway =
Domain =
EnableDHCP = 0
IPAddress = 192.168.1.3;
NameServer =
SubnetMask = 255.255.255.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9FB533D5-DDE6-4753-8F7D-3296B108FB9F}]
DefaultGateway =
DhcpDefaultGateway = 192.168.0.1;
DhcpIPAddress = 192.168.0.92
DhcpNameServer = 192.168.0.1
DhcpServer = 192.168.0.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C744D1E5-17CE-4948-8F56-15BD98FA82F8}]
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation]
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
INF = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF = C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_03.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9D190AE6-C81E-4039-8061-978EBAD10073}\DownloadInformation]
CODEBASE = http://support.f-secure.com/ols/fscax.cab
INF = C:\WINDOWS\Downloaded Program Files\fscax.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BDEE1959-AB6B-4745-A29B-F492861102CC}\DownloadInformation]
CODEBASE = http://www.amustsoft.com/onlineregistry ... leaner.cab
INF = C:\WINDOWS\Downloaded Program Files\onlineRegCleaner.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://download.macromedia.com/pub/shoc ... wflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf

»»»»»»»»»»»»»»»»»»»» Files Created Within 30 Days »»»»»»»»»»»»»

C:\Documents and Settings\Proprietario\Documenti\Avast 4.6 Pro ITA + keygen + skins by Peppez.rar [Ver = | Size = 18013223 bytes | Created Date = 20/02/2007 2.21.53 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\Avast! Skins.zip [Ver = | Size = 8782838 bytes | Created Date = 21/02/2007 13.27.52 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\Avast!PRO.ITA.v4.6.exe [Ver = | Size = 9244888 bytes | Created Date = 21/02/2007 13.27.53 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\wide_screen.aswcs [Ver = | Size = 342648 bytes | Created Date = 21/02/2007 22.37.57 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\RejZor-Sharp by SZCraftec.asws [Ver = | Size = 2124923 bytes | Created Date = 21/02/2007 22.38.08 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\DSCN3015.jpg [Ver = | Size = 300866 bytes | Created Date = 10/03/2007 18.06.36 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\x-raypc.exe [Ver = 1.0.0.30 | Size = 348928 bytes | Created Date = 13/03/2007 14.52.13 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\auto.nr3 [Ver = | Size = 16649 bytes | Created Date = 12/03/2007 16.21.59 | Attr = ]
C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Created Date = 11/03/2007 19.04.00 | Attr = H ]
C:\WINDOWS\QTFont.for [Ver = | Size = 1409 bytes | Created Date = 11/03/2007 19.04.01 | Attr = ]
C:\WINDOWS\System32\muzika.xm [Ver = | Size = 37473 bytes | Created Date = 20/02/2007 2.30.42 | Attr = ]
C:\WINDOWS\System32\lsasss.exe [Ver = | Size = 37303 bytes | Created Date = 21/02/2007 0.42.42 | Attr = ]
C:\WINDOWS\System32\AVASTSS.scr ALWIL Software [Ver = 4, 7, 936, 0 | Size = 90112 bytes | Created Date = 21/02/2007 13.28.17 | Attr = ]
C:\WINDOWS\System32\aswBoot.exe [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Created Date = 21/02/2007 13.28.17 | Attr = ]
C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 5.0.30.7 | Size = 49248 bytes | Created Date = 13/03/2007 15.05.32 | Attr = ]
C:\WINDOWS\System32\javaw.exe Sun Microsystems, Inc. [Ver = 5.0.30.7 | Size = 49250 bytes | Created Date = 13/03/2007 15.05.32 | Attr = ]
C:\WINDOWS\System32\javaws.exe Sun Microsystems, Inc. [Ver = 5.0.30.7 | Size = 127078 bytes | Created Date = 13/03/2007 15.05.32 | Attr = ]
C:\WINDOWS\System32\drivers\aavmker4.sys ALWIL Software [Ver = 4.7.892.0 | Size = 31560 bytes | Created Date = 21/02/2007 13.28.22 | Attr = ]
C:\WINDOWS\System32\drivers\aswmon.sys ALWIL Software [Ver = 4.7.892.0 | Size = 85952 bytes | Created Date = 21/02/2007 13.28.22 | Attr = ]
C:\WINDOWS\System32\drivers\aswmon2.sys ALWIL Software [Ver = 4.7.892.0 | Size = 94424 bytes | Created Date = 21/02/2007 13.28.22 | Attr = ]
C:\WINDOWS\System32\drivers\aswRdr.sys ALWIL Software [Ver = 4.7.936.0 | Size = 23352 bytes | Created Date = 21/02/2007 13.28.24 | Attr = ]
C:\WINDOWS\System32\drivers\aswTdi.sys ALWIL Software [Ver = 4.7.936.0 | Size = 43176 bytes | Created Date = 13/03/2007 12.10.50 | Attr = ]
C:\WINDOWS\System32\drivers\tmcomm.sys Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 13/03/2007 15.57.34 | Attr = ]

»»»»»»»»»»»»»»»»»»»» Files Modified Within 30 Days »»»»»»»»»»»»»

C:\BOOT.INI [Ver = | Size = 194 bytes | Modified Date = 14/03/2007 12.29.40 | Attr = HS]
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT [Ver = | Size = 91136 bytes | Modified Date = 27/02/2007 2.04.30 | Attr = ]
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [Ver = | Size = 23552 bytes | Modified Date = 07/03/2007 15.09.40 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\Memento.notes [Ver = | Size = 8805 bytes | Modified Date = 19/02/2007 21.11.48 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\Avast 4.6 Pro ITA + keygen + skins by Peppez.rar [Ver = | Size = 18013223 bytes | Modified Date = 20/02/2007 2.29.02 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\DSCN3015.jpg [Ver = | Size = 300866 bytes | Modified Date = 10/03/2007 18.06.44 | Attr = ]
C:\Documents and Settings\Proprietario\Documenti\auto.nr3 [Ver = | Size = 16649 bytes | Modified Date = 14/03/2007 11.36.06 | Attr = ]
C:\Documents and Settings\Proprietario\Desktop\Thumbs.db [Ver = | Size = 45568 bytes | Modified Date = 22/02/2007 18.22.44 | Attr = HS]
C:\WINDOWS\system.ini [Ver = | Size = 227 bytes | Modified Date = 14/03/2007 12.29.40 | Attr = ]
C:\WINDOWS\win.ini [Ver = | Size = 0 bytes | Modified Date = 14/03/2007 12.29.40 | Attr = ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 14/03/2007 12.34.34 | Attr = S]
C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Modified Date = 11/03/2007 19.04.02 | Attr = H ]
C:\WINDOWS\QTFont.for [Ver = | Size = 1409 bytes | Modified Date = 11/03/2007 19.04.02 | Attr = ]
C:\WINDOWS\NeroDigital.ini [Ver = | Size = 116 bytes | Modified Date = 07/03/2007 20.31.50 | Attr = ]
C:\WINDOWS\ODBC.INI [Ver = | Size = 478 bytes | Modified Date = 21/02/2007 13.39.42 | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 1158 bytes | Modified Date = 19/02/2007 17.39.18 | Attr = ]
C:\WINDOWS\System32\FNTCACHE.DAT [Ver = | Size = 309992 bytes | Modified Date = 27/02/2007 2.03.08 | Attr = ]
C:\WINDOWS\System32\CONFIG.NT [Ver = | Size = 2934 bytes | Modified Date = 13/03/2007 12.10.50 | Attr = ]
C:\WINDOWS\System32\muzika.xm [Ver = | Size = 37473 bytes | Modified Date = 21/02/2007 22.36.08 | Attr = ]
C:\WINDOWS\System32\lsasss.exe [Ver = | Size = 37303 bytes | Modified Date = 13/03/2007 14.58.10 | Attr = ]
C:\WINDOWS\System32\drivers\tmcomm.sys Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Modified Date = 13/03/2007 15.17.44 | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
[Thawte Consulting , WSUD , ]C:\Documents and Settings\Proprietario\Documenti\v152PATCHREL.exe (Macrovision Corporation)
[PEC2 , Thawte Consulting , ]C:\Documents and Settings\Proprietario\Documenti\sp31212.exe (Hewlett-Packard Company )
[UPX! , UPX0 , ]C:\Documents and Settings\Proprietario\Documenti\Avast!PRO.ITA.v4.6.exe ()
[Thawte Consulting , ]C:\Documents and Settings\Proprietario\Documenti\x-raypc.exe ()
[aspack , ]C:\WINDOWS\Acer.scr ()
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()
[UPX! , UPX0 , ]C:\WINDOWS\System32\npkcsvc.exe (INCA Internet Co., Ltd.)
[ad-beh , qoologic , UPX! , ]C:\WINDOWS\System32\npscan.dll (INCA Internet Co., Ltd. )
[UPX! , UPX0 , ]C:\WINDOWS\System32\MACDec.dll (Matthew T. Ashland)
[Thawte Consulting , ]C:\WINDOWS\System32\XceedSco.dll (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com)
[Thawte Consulting , ]C:\WINDOWS\System32\XceedCry.dll (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com)
[FSG! , ]C:\WINDOWS\System32\svcalflk.exe ()
[WSUD , ]C:\WINDOWS\System32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
[UPX! , UPX0 , ]C:\WINDOWS\System32\lsasss.exe ()
[UPX! , UPX0 , ]C:\WINDOWS\System32\MonkeySource.ax ()
[UPX! , UPX0 , ]C:\WINDOWS\System32\aswBoot.exe ()

< End of report >
Asenath83
Newly registered
Posts: 7
Joined: Wed Mar 14, 2007 1:21 pm

Post by Amantide » Thu Mar 15, 2007 10:11 pm

@ Asenath83

You've picked up every piece of junk there is.

First of all run Rustbfix and save its log.

Then download The Avenger, extract the archive into a folder and launch the file Avenger.exe.
Select the option Input Script Manually, click the magnifying glass and copy and paste this script into the form:
Files to delete:
C:\WINDOWS\winsys.exe
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\System32\muzika.xm
C:\WINDOWS\System32\svcalflk.exe
C:\WINDOWS\System32\aswBoot.exe

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1


Then click the Done button, then twice on the green traffic-light icon, and answer Yes to the questions that follow.
The PC should reboot on its own; if it doesn't, reboot it manually.
At the end attach the Avenger log, which is at C:/avenger.txt

Then run the Kaspersky online scan and save its report; we'll need it to restore some compromised programs to working order.

Then scan from Safe Mode with AVG Anti-spyware (formerly Ewido) and A-squared.

Finally put all the logs from Rustbfix, Kaspersky online, Avenger, AVG Antispyware and A-squared into a rar or zip file and attach it here.
...to fly high, you must know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by Amantide » Fri Mar 16, 2007 12:04 am

eternauta wrote:I ran the scan with the default settings and I can't attach the file, so I apologise but I'm putting it in a post
if that isn't enough let me know, I did another complete one, but you'll probably need to explain to me how to attach files (in upload file it tells me it can't transfer the txt format, nor the tst format I made up)

You need to put the logs you created inside a RAR or ZIP file and then attach that file.
Nothing shows up in the log you made.

Download RkUnhooker, install it and launch the program. Select the Report tab and press Scan. In the next window select all the entries and press Ok. When the scan finishes go to File and save the report, put it inside an archive file and attach it here.
...to fly high, you must know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by eternauta » Fri Mar 16, 2007 6:54 pm

RkUnhooker doesn't work: it gives the error "failled to open debug privilege ,not critical issue", then it starts but after a moment it freezes

Winpfind now freezes on a file called lpt1.vpv and won't go any further, but I kept the more extensive scan from the other day and I'll try to send it to you
This Gromozon is truly dreadful!
eternauta
Newly registered
Posts: 16
Joined: Mon Feb 05, 2007 7:13 pm

Post by Amantide » Fri Mar 16, 2007 7:01 pm

While I examine the log, try running this tool http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe and post me the report that will appear at reboot.
...to fly high, you must know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by Asenath83 » Fri Mar 16, 2007 7:20 pm

Amantide wrote:@ Asenath83

You've picked up every piece of junk there is.

First of all run Rustbfix and save its log.

Then download The Avenger, extract the archive into a folder and launch the file Avenger.exe.
Select the option Input Script Manually, click the magnifying glass and copy and paste this script into the form:
Files to delete:
C:\WINDOWS\winsys.exe
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\System32\muzika.xm
C:\WINDOWS\System32\svcalflk.exe
C:\WINDOWS\System32\aswBoot.exe

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1


Then click the Done button, then twice on the green traffic-light icon, and answer Yes to the questions that follow.
The PC should reboot on its own; if it doesn't, reboot it manually.
At the end attach the Avenger log, which is at C:/avenger.txt

Then run the Kaspersky online scan and save its report; we'll need it to restore some compromised programs to working order.

Then scan from Safe Mode with AVG Anti-spyware (formerly Ewido) and A-squared.

Finally put all the logs from Rustbfix, Kaspersky online, Avenger, AVG Antispyware and A-squared into a rar or zip file and attach it here.

it won't let me download it (avenger)
Asenath83
Newly registered
Posts: 7
Joined: Wed Mar 14, 2007 1:21 pm

Post by Amantide » Fri Mar 16, 2007 7:26 pm

Asenath83 wrote:it won't let me download it (avenger)

Did you run Rustbfix, though?

Open Task Manager (Ctrl+Alt+Canc or Del) and see whether you find any odd process with a name similar to symantec****.exe, lexmark***.exe, and end the process. If you hit the right file you should be able to download Avenger and use the other programs.
To be safe, write the names of the suspicious files here for me.
...to fly high, you must know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by Asenath83 » Fri Mar 16, 2007 7:42 pm

Amantide wrote:
Asenath83 wrote:it won't let me download it (avenger)

Did you run Rustbfix, though?

Open Task Manager (Ctrl+Alt+Canc or Del) and see whether you find any odd process with a name similar to symantec****.exe, lexmark***.exe, and end the process. If you hit the right file you should be able to download Avenger and use the other programs.
To be safe, write the names of the suspicious files here for me.

rustbfix finds nothing
the processes all look normal:
ciclo idle del sistema
cidaemon
cisvc
csrss
EXPLORER
iexplore
LSASS
msnmsgr
regedit
SERVICES
SMSS
spoolsv
svcalflk
SVCHOST x 7
System
taskmgr
WINLOGON
wscntfy
Asenath83
Newly registered
Posts: 7
Joined: Wed Mar 14, 2007 1:21 pm
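Two things in this thread lend themselves to a small automated check: the "Files Created/Modified Within 30 Days" listing posted earlier (where `lsasss.exe` sits in System32 with no version information, one letter away from the legitimate `lsass.exe`), and the Task Manager list just above (where `svcalflk` is the one name that belongs to no known program). The script below is an added example written for this page; it is not a tool from the thread or from any of the products mentioned. It parses lines in the report's `[Ver = | Size = | Created Date = | Attr = ]` layout, flags System32 executables that carry no version resource or vendor, and flags names that are one edit away from a core Windows process name or absent from a baseline. The baseline set, the extension list used to find where the path ends (the report puts the vendor string right after the path with no delimiter), and the sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Baseline of image names treated as expected on the sample machine: Windows XP
# core processes plus the user programs visible in the Task Manager list above.
# This baseline is an assumption made for the example, not a Windows-supplied list.
BASELINE = {
    "lsass.exe", "svchost.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
    "spoolsv.exe", "explorer.exe", "taskmgr.exe", "wscntfy.exe", "cisvc.exe",
    "cidaemon.exe", "iexplore.exe", "msnmsgr.exe", "regedit.exe",
}
# Task Manager rows with no image file (the Italian UI shows the idle process as
# "ciclo idle del sistema").
NO_IMAGE = {"system", "system idle process", "ciclo idle del sistema"}

# Constructed sample: four lines copied from the report quoted earlier in the thread.
SAMPLE_FILE_LINES = r"""
C:\WINDOWS\System32\lsasss.exe [Ver = | Size = 37303 bytes | Created Date = 21/02/2007 0.42.42 | Attr = ]
C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 5.0.30.7 | Size = 49248 bytes | Created Date = 13/03/2007 15.05.32 | Attr = ]
C:\WINDOWS\System32\drivers\aswTdi.sys ALWIL Software [Ver = 4.7.936.0 | Size = 43176 bytes | Created Date = 13/03/2007 12.10.50 | Attr = ]
C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Created Date = 11/03/2007 19.04.00 | Attr = H ]
"""
# Constructed sample: the Task Manager list posted above, as typed.
SAMPLE_PROCESSES = [
    "ciclo idle del sistema", "cidaemon", "cisvc", "csrss", "EXPLORER", "iexplore",
    "LSASS", "msnmsgr", "regedit", "SERVICES", "SMSS", "spoolsv", "svcalflk",
    "SVCHOST x 7", "System", "taskmgr", "WINLOGON", "wscntfy",
]

# The vendor string follows the path with no delimiter, so the path is taken to end
# at the first known extension that is followed by whitespace (heuristic; extend EXT).
EXT = (r"exe|dll|sys|scr|cpl|ax|msc|ocx|drv|rar|zip|jpg|ini|dat|dbl|db|txt|log|"
       r"qfn|for|xm|nr3|aswcs|asws|notes")
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:" + EXT + r"))(?=\s)"
    r"\s*(?P<vendor>[^\[]*?)\s*"
    r"\[Ver = (?P<ver>[^|]*?)\s*\| Size = (?P<size>\d+) bytes \| "
    r"(?:Created|Modified) Date = (?P<date>[^|]*?)\s*\| Attr = (?P<attr>[^\]]*?)\s*\]$",
    re.IGNORECASE,
)

@dataclass
class FileEntry:
    path: str
    vendor: str
    version: str
    size: int
    date: str
    attr: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_file_lines(text: str) -> List[FileEntry]:
    """Parse 'Files Created/Modified Within 30 Days' lines; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["vendor"], m["ver"],
                                     int(m["size"]), m["date"], m["attr"]))
    return entries

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str) -> Optional[str]:
    """Return the baseline name this one imitates (exactly one edit away), else None."""
    name = name.lower()
    if name in BASELINE:
        return None
    for known in sorted(BASELINE):
        if edit_distance(name, known) == 1:
            return known
    return None

def flag_files(entries: List[FileEntry]) -> List[Tuple[str, str]]:
    """Findings as (path, reason) for a parsed file listing."""
    findings = []
    for e in entries:
        look = lookalike_of(e.name)
        if look:
            findings.append((e.path, f"name is one edit away from {look}"))
        in_system32 = "\\system32\\" in e.path.lower()
        if (in_system32 and e.name.endswith((".exe", ".dll", ".sys", ".scr"))
                and not e.version and not e.vendor):
            findings.append((e.path, "executable in System32 with no version or vendor"))
    return findings

def normalize_process(raw: str) -> Optional[str]:
    """Turn a Task Manager display name ('SVCHOST x 7', 'LSASS') into an image name."""
    name = re.sub(r"\s+x\s+\d+$", "", raw.strip(), flags=re.IGNORECASE).lower()
    if name in NO_IMAGE:
        return None
    return name if name.endswith(".exe") else name + ".exe"

def flag_processes(names: List[str]) -> List[Tuple[str, str]]:
    """Findings as (image name, reason) for a Task Manager process list."""
    findings = []
    for raw in names:
        name = normalize_process(raw)
        if name is None:
            continue
        look = lookalike_of(name)
        if look:
            findings.append((name, f"name is one edit away from {look}"))
        elif name not in BASELINE:
            findings.append((name, "not in the baseline"))
    return findings

if __name__ == "__main__":
    for path, why in flag_files(parse_file_lines(SAMPLE_FILE_LINES)):
        print(f"FILE    {path}: {why}")
    for name, why in flag_processes(SAMPLE_PROCESSES):
        print(f"PROCESS {name}: {why}")
```

On the sample input the file check reports `lsasss.exe` twice (look-alike of `lsass.exe`, and an unversioned executable in System32) and nothing else, while the process check reports only `svcalflk.exe` as not in the baseline. A name that passes both checks is not thereby clean; the check is a triage filter that orders what to upload to VirusTotal first, which is what the thread goes on to do.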

Post by Amantide » Fri Mar 16, 2007 7:55 pm

Asenath83 wrote:the processes all look normal:

This one doesn't look so normal to me
svcalflk.exe

If it really is spelled like that, end the process, see whether you can work out via Search where it's located, and upload the file to www.virustotal.com to see what it is.

Can you run the Kaspersky online scan and attach its report here?
...to fly high, you must know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by Asenath83 » Fri Mar 16, 2007 8:11 pm

KASPERSKY ONLINE SCANNER REPORT
Friday, March 16, 2007 6:58:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/03/2007
Kaspersky Anti-Virus database records: 266348
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\PROPRI~1\IMPOST~1\Temp\
Scan Statistics
Total number of scanned objects 14108
Number of viruses found 6
Number of infected objects 13 / 0
Number of suspicious objects 0
Duration of the scan process 00:12:47

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptddrv1.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\svcalflk.exe Object is locked skipped
C:\WINDOWS\system32\cdblejhs.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\udcznvcw.exe Infected: Email-Worm.Win32.Zhelatin.bk skipped
C:\WINDOWS\system32\ma.exe.exe Infected: Email-Worm.Win32.Zhelatin.bk skipped
C:\WINDOWS\system32\pp.exe.exe Infected: Email-Worm.Win32.Zhelatin.bk skipped
C:\WINDOWS\system32\zu.exe.exe Infected: Email-Worm.Win32.Zhelatin.bk skipped
C:\WINDOWS\system32\rsvp32_2.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\WINDOWS\system32\via.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\WINDOWS\system32\cdromdrv32.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\WINDOWS\system32\sm.exe Infected: Email-Worm.Win32.Zhelatin.bk skipped
C:\WINDOWS\system32\dd.exe Infected: Email-Worm.Win32.Zhelatin.bk skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\WINDOWS\pp.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\WINDOWS\via.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\DOCUME~1\PROPRI~1\IMPOST~1\Temp\Perflib_Perfdata_1098.dat Object is locked skipped
Scan process completed.

----------------

svcalflk.exe is located in system32
and I found this SVCALFLK.EXE-208B67E4.pf in prefetch
I sent the files to virus total, I'll let you know as soon as the queue finishes
Asenath83
Newly registered
Posts: 7
Joined: Wed Mar 14, 2007 1:21 pm
