I would kindly ask for your advice in interpreting the logs produced with the HijackThis and GMER software, because
I connected a USB device (a flash drive) to transfer some data to my notebook (Windows XP Home Edition SP2) and I saw that my antivirus, Trend Micro Internet Security 2010, produced 1 notification about 1 suspicious program, "stereolove.exe", and asked me to Allow or Block it (I chose the "Block" option, but the log, some of whose data I report below, also shows the "Allow" option, which I did not select).
Moreover, I could no longer access the contents of the flash drive and could no longer remove it (by clicking the icon next to the clock); I then decided to just "pull out" the drive, skipping the proper procedure, and the PC rebooted by itself.
I am left wondering whether I have been infected or not, given that in the antivirus's "unauthorized changes" section I find no file, neither Blocked nor Allowed.
In Quarantine I find no infected file.
I ran a full system scan again and the antivirus reported nothing; I wonder where the infected file has gone! Could it be that the antivirus has been put in a state where it is no longer effective?
So I thought of running the two programs HijackThis and GMER, to try to understand whether there are unauthorized changes to the Registry on my PC and whether there are no active threats, i.e. that no virus activates at every PC start-up.
Also, on the flash drive I notice 1 file named "Autorun.inf".
I searched the PC and found in the folder C:\Windows\Prefetch the file STEREOLOVE.EXE-01929DF1.pf; could this be the infected file? What is the Windows\Prefetch folder? Can its contents be deleted?
Data shown in the Trend Micro event log, in the "Unauthorized Change Prevention" section:
Risorsa o ID processo rilevati
ZwCreateThread
ZwWriteVirtualMemory
File interessato
G:\EDWARD\stereolove.exe
Operazioni eseguite: Termina;Chiedi; Consenti;Tipi :Evento API; Criterio violato:Caricamento di librerie di programma
Thank you
Best regards
Tommaso
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14.42.00, on 10/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Ahead\Nero BackItUp\NBKeyScan.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE
C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\NETGEAR\WG111v2\WG111v2.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programmi\Trend Micro\Internet Security\SfCtlCom.exe
C:\Programmi\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Programmi\Trend Micro\Internet Security\TmPfw.exe
C:\Programmi\Trend Micro\Internet Security\TmProxy.exe
C:\Programmi\Trend Micro\BM\TMBMSRV.exe
C:\Documents and Settings\Tommy\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Ahead\Nero BackItUp\NBKeyScan.exe" /devicetype:philips
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Programmi\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [\\CRISTINA\EPSON SX110 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE /FU "C:\DOCUME~1\Tommy\IMPOST~1\Temp\E_S5A.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\programmi\bonjour\mdnsnsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DECDF254-2285-42CE-A84C-DA4327A42265}: NameServer = 91.80.37.101,62.94.0.1
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Componente Central Control Trend Micro (SfCtlCom) - Trend Micro Inc. - C:\Programmi\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Programmi\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Programmi\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Programmi\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 8758 bytes
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-10 15:57:25
Windows 5.1.2600 Service Pack 2
Running: 42ow3gxf.exe; Driver: C:\DOCUME~1\Tommy\IMPOST~1\Temp\kxrdqpow.sys
---- System - GMER 1.0.15 ----
SSDT 8220CCE0 ZwCreateKey
SSDT 8220DE80 ZwCreateMutant
SSDT 8220C1E0 ZwCreateProcess
SSDT 8220C4A0 ZwCreateProcessEx
SSDT 8220DB40 ZwCreateThread
SSDT 8220D260 ZwDeleteKey
SSDT 8220D520 ZwDeleteValueKey
SSDT 8220DCE0 ZwLoadDriver
SSDT 8220C760 ZwOpenProcess
SSDT 8220E020 ZwSetSystemInformation
SSDT 8220CFA0 ZwSetValueKey
SSDT 8220CA20 ZwTerminateProcess
SSDT 8220D9A0 ZwWriteVirtualMemory
---- User code sections - GMER 1.0.15 ----
.text C:\Programmi\Trend Micro\Internet Security\TmPfw.exe[240] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Trend Micro\Internet Security\TmPfw.exe[240] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[268] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[268] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\Explorer.EXE[772] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\Explorer.EXE[772] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\ATK0100\Hcontrol.exe[836] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\ATK0100\Hcontrol.exe[836] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[848] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[848] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\alg.exe[884] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\alg.exe[884] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\winlogon.exe[988] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\winlogon.exe[988] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\services.exe[1032] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\services.exe[1032] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Trend Micro\Internet Security\UfSeAgnt.exe[1036] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Trend Micro\Internet Security\UfSeAgnt.exe[1036] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\lsass.exe[1044] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\lsass.exe[1044] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\AGRSMMSG.exe[1048] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\AGRSMMSG.exe[1048] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\SOUNDMAN.EXE[1156] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\SOUNDMAN.EXE[1156] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\svchost.exe[1224] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\svchost.exe[1224] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\svchost.exe[1308] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\svchost.exe[1308] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1348] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1348] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe[1400] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe[1400] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[1420] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[1420] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1444] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1444] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[1452] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[1452] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1564] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1564] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text D:\Documenti\0.Doc.18.11.04\Software\Tool\42ow3gxf.exe[1696] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text D:\Documenti\0.Doc.18.11.04\Software\Tool\42ow3gxf.exe[1696] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1784] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\spoolsv.exe[1784] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1852] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1852] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\svchost.exe[1952] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\svchost.exe[1952] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1968] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1968] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Java\jre6\bin\jqs.exe[1996] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Java\jre6\bin\jqs.exe[1996] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe[2020] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe[2020] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Iomega\DriveIcons\ImgIcon.exe[2328] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\Iomega\DriveIcons\ImgIcon.exe[2328] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe[2360] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe[2360] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\system32\rundll32.exe[2516] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\rundll32.exe[2516] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Ahead\Nero BackItUp\NBKeyScan.exe[2544] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Ahead\Nero BackItUp\NBKeyScan.exe[2544] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\File comuni\Java\Java Update\jusched.exe[2676] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\File comuni\Java\Java Update\jusched.exe[2676] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\ctfmon.exe[2692] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\ctfmon.exe[2692] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Microsoft ActiveSync\wcescomm.exe[2708] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Microsoft ActiveSync\wcescomm.exe[2708] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE[2756] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE[2756] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe[2832] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe[2832] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\Trend Micro\BM\TMBMSRV.exe[2852] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Trend Micro\BM\TMBMSRV.exe[2852] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2872] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2872] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\NETGEAR\WG111v2\WG111v2.exe[2896] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\NETGEAR\WG111v2\WG111v2.exe[2896] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\PROGRA~1\MICROS~3\rapimgr.exe[3032] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\PROGRA~1\MICROS~3\rapimgr.exe[3032] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Trend Micro\Internet Security\TmProxy.exe[3384] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Trend Micro\Internet Security\TmProxy.exe[3384] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Driver Mouse Class/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158313b0b5
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158313b0b5@001783d2a72d 0xFF 0x03 0x54 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158313b0b5@001256529a43 0xEF 0xC1 0x8F 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158313b0b5@0022a5be185e 0x3B 0xC4 0x1D 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158313b0b5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158313b0b5@001783d2a72d 0xFF 0x03 0x54 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158313b0b5@001256529a43 0xEF 0xC1 0x8F 0x5C ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158313b0b5@0022a5be185e 0x3B 0xC4 0x1D 0x2E ...
---- EOF - GMER 1.0.15 ----
.text C:\WINDOWS\system32\lsass.exe[1044] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\AGRSMMSG.exe[1048] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\AGRSMMSG.exe[1048] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\SOUNDMAN.EXE[1156] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\SOUNDMAN.EXE[1156] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\svchost.exe[1224] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\svchost.exe[1224] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\svchost.exe[1308] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\svchost.exe[1308] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1348] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1348] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe[1400] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe[1400] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[1420] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[1420] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1444] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1444] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[1452] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[1452] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1564] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1564] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text D:\Documenti\0.Doc.18.11.04\Software\Tool\42ow3gxf.exe[1696] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text D:\Documenti\0.Doc.18.11.04\Software\Tool\42ow3gxf.exe[1696] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1784] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\spoolsv.exe[1784] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1852] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1852] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\svchost.exe[1952] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\svchost.exe[1952] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\svchost.exe[1968] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\svchost.exe[1968] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Java\jre6\bin\jqs.exe[1996] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Java\jre6\bin\jqs.exe[1996] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe[2020] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe[2020] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Iomega\DriveIcons\ImgIcon.exe[2328] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\Iomega\DriveIcons\ImgIcon.exe[2328] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe[2360] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe[2360] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\system32\rundll32.exe[2516] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\rundll32.exe[2516] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Ahead\Nero BackItUp\NBKeyScan.exe[2544] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Ahead\Nero BackItUp\NBKeyScan.exe[2544] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\File comuni\Java\Java Update\jusched.exe[2676] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\File comuni\Java\Java Update\jusched.exe[2676] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\system32\ctfmon.exe[2692] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\system32\ctfmon.exe[2692] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Microsoft ActiveSync\wcescomm.exe[2708] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Microsoft ActiveSync\wcescomm.exe[2708] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE[2756] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE[2756] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe[2832] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe[2832] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\Trend Micro\BM\TMBMSRV.exe[2852] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Trend Micro\BM\TMBMSRV.exe[2852] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2872] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2872] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\NETGEAR\WG111v2\WG111v2.exe[2896] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Programmi\NETGEAR\WG111v2\WG111v2.exe[2896] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\PROGRA~1\MICROS~3\rapimgr.exe[3032] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\PROGRA~1\MICROS~3\rapimgr.exe[3032] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430
.text C:\Programmi\Trend Micro\Internet Security\TmProxy.exe[3384] SHELL32.dll!SHFileOperationW 7CA807BB 5 Bytes JMP 3000141E
.text C:\Programmi\Trend Micro\Internet Security\TmProxy.exe[3384] SHELL32.dll!SHFileOperation 7CA80AA3 5 Bytes JMP 30001430