Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Robogold Popups

Post by sined » August 12th, 2006, 1:33 pm

Hi all,

I keep on getting robogold popups any time I do a search using a search engine. I've already run AdAware, MS Defender and Spyware Doctor at the same time in safe mode, which found something, but I still have these annoying popups.

The following is the HJT Log.

Thanks a lot for your help!

-------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 19.30.32, on 12/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [sysmt.exe] C:\WINDOWS\system32\sysmt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lesv1.exe] C:\WINDOWS\TEMP\lesv1.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: st3d - C:\WINDOWS\g7262296.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcmt.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Post by Jag11 » August 13th, 2006, 3:05 am

Hi and welcome!

I'm Jet Ian, and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Jag11
Retired Graduate
 
Posts: 1096
Joined: November 27th, 2005, 5:40 am
Location: 127.0.0.1

Post by Jag11 » August 13th, 2006, 3:23 am

You may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. It is also important that you don't miss a step and that you perform everything in the right order.

=====================================

Do you recognize these IPs? (click them for more info)

85.37.17.4
85.38.28.70

=====================================

Update Java
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windows-i586-p to install the newest version.
=====================================

I notice that you have Windows Defender running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. You can re-enable this when your computer is already clean.

Disable Windows Defender
  • Go to Tools » General Settings
  • Scroll down to Real-time protection options
  • Uncheck Turn on real-time protection (recommended)
Then, in the toolbar across the top there is a little down-pointing arrow next to the question mark icon.
Click on that to get a drop-down list. One of the options is to exit Windows Defender.
Click on that, and there will be a pop up asking if you are sure you want to exit. Click Yes/OK.

=====================================

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c\windelf.txt later.

=====================================

Download Ewido Anti-Spyware
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Click on the Settings tab.
    • Under How to act? click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan? all boxes should be selected.
    • Under Possibly unwanted software: all boxes should be checked.
    • Under Reports: click on Automatically generate report after every scan.
    • Under What to scan? select Scan every file.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
  • If you are having problems with the updater, you can use this link to manually update ewido » Ewido manual updates.
=====================================

1. Click Start > Run > type (or copy & paste): sc stop 11Fßä#·ºÄÖ`I > OK
2. Click Start > Run > type (or copy & paste): sc delete 11Fßä#·ºÄÖ`I > OK

=====================================



Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
O4 - HKLM\..\Run: [sysmt.exe] C:\WINDOWS\system32\sysmt.exe
O4 - HKLM\..\Run: [lesv1.exe] C:\WINDOWS\TEMP\lesv1.exe
O20 - Winlogon Notify: st3d - C:\WINDOWS\g7262296.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcmt.exe (file missing)

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Show Hidden Files and Folders

Click Start » My Computer » Tools » Folder Options. Select the View tab.
  • Check - Show hidden files and folders
  • Uncheck - Hide file extensions for known types
  • Uncheck - Hide protected operating system files
Click Yes to confirm, then OK to exit.

=====================================

Reboot into Safe Mode
  • Restart your computer.
  • Before the Windows logo appears, tap F8 repeatedly.
  • A menu should appear. Select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take longer than usual, so just wait.
=====================================

Locate and delete the following file(s), if present :
    C:\WINDOWS\lykeh1.dll
    C:\WINDOWS\system32\sysmt.exe
    C:\WINDOWS\TEMP\lesv1.exe
    C:\WINDOWS\g7262296.dll
    C:\WINDOWS\mfcmt.exe

=====================================

Clear IE's Cookies and Cache
  • Close all instances of Outlook Express and Internet Explorer.
  • Go to Control Panel » Internet Options » General tab.
  • Click the Delete Cookies button.
  • Next to it, click the Delete Files button.
  • When prompted, place a check in: Delete all offline content, click OK.
Clear Firefox's Cookies (in case you also have the Firefox browser)
  • Open Firefox.
  • Click Tools » Options.
  • Click the Privacy tab, then the Cookies tab.
  • Click the Clear Cookies Now button.
  • Then click OK to exit.
Clean Temporary Files
  • Go to Start » Run » type: cleanmgr » OK.
  • Choose (C:) and then click OK.
  • Make sure these are the only ones that are checked :
    • Temporary Internet Files
    • Temporary Files
    • Recycle Bin
  • Click OK to remove them.
  • Click Yes to confirm the deletion.

Run Ewido Anti-Spyware
  • Please close all Windows, Programs or Browsers.
  • Open Ewido.
  • Click on Scanner
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When scan has finished, at bottom of the screen click Apply all Actions.
  • Click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
=====================================

Restart your computer

=====================================

In your next reply, please include these log(s):
  • HijackThis log (new)
  • Ewido
  • c\windelf.txt
Jag11
Retired Graduate
 
Posts: 1096
Joined: November 27th, 2005, 5:40 am
Location: 127.0.0.1

Robogold popups

Post by sined » August 13th, 2006, 12:02 pm

Hi,

First, thanks a lot for your prompt reply. Below you will find the logs.

Regards, Sined

-----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18.00.16, on 13/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcmt.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe


-------------------------------------------------------------------------------------


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 17.51.43 13/08/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{24F52FD3-D9CD-C5B4-2108-1DBD812D6F79} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{58E19DDB-FF55-C80E-005C-675F6F8331B0} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8EDA2BD3-6A45-E3A2-BF45-6B2B79D7BCFF} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{B313D072-CA09-CE7B-53F4-0E378F9B8770} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\10B.tmp -> Adware.LinkOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\AE.tmp -> Adware.LinkOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\F.tmp -> Adware.LinkOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6PT_0001_N91M2107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@hertz.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@homestore.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@imc2.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@pinnaclesystems.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@preferredhotelgroup.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\xp\Cookies\xp@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end


------------------------------------------------------------------------------------


************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------
st3d.dll

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"
"{86AA461F-2A5B-4889-B543-E1BBA6746D61}"="st3d"


sharedtaskkey: 86AA461F-2A5B-4889-B543-E1BBA6746D61
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86AA461F-2A5B-4889-B543-E1BBA6746D61}]
@="C:\\WINDOWS\\g7262296.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86AA461F-2A5B-4889-B543-E1BBA6746D61}\InprocServer32]
@="C:\\WINDOWS\\g7262296.dll"
"ThreadingModel"="Apartment"



Notify key
----------
subkey st3d is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------
Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"



Notify key
----------
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Post by Jag11 » August 14th, 2006, 5:30 am

Ok, let's continue :)

You may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. It is also important that you don't miss a step and that you perform everything in the right order.

=====================================

Stop and Disable a Service

  • Go to Start » Run » type: Services.msc » OK.
  • Scroll down and find this service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I)
  • Double-click on it.
  • Under the General tab, click the Stop button.
  • Then change the Startup Type to Disabled.
  • Click Apply and then OK.
Next:
  • Open HiJackThis, then click on None of the above, just start the program.
  • Click on the Config button (bottom right).
  • Click on Misc Tools, then click on Delete an NT Service.
  • Enter these characters into that field: 11Fßä#·ºÄÖ`I <~ there's a space before the first number (<space>1).
  • Click OK and select NO when asked to reboot.
=====================================

Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Restart and post a new HJT log. :)
Jag11
Retired Graduate
 
Posts: 1096
Joined: November 27th, 2005, 5:40 am
Location: 127.0.0.1

Post by Jag11 » August 15th, 2006, 5:39 am

How's it going now? Can you also do this for me?

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.
=====================================

Download and run Blacklight.

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next.

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.
Jag11
Retired Graduate
 
Posts: 1096
Joined: November 27th, 2005, 5:40 am
Location: 127.0.0.1

Robogold popups

Post by sined » August 15th, 2006, 4:13 pm

Hi,

here is the new HJT. I tried to use google again and it looks like I don't have popups anymore even if one time I was redirected to the robogold site again.

Tomorrow morning I'll try the other tool you suggested.

Thanks, Sined

-----------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 22.10.55, on 15/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Robogold popups

Post by sined » August 15th, 2006, 6:05 pm

Hi,

here is the log for root kit. I tried to run blacklight as administrator in safe mode (the user I usually use has administrator rights anyway) but it says that "...couldn't acquire necessary privileges (SeDebugPrivilege)."

Thanks, Sined

-------------------------------------------------------------------------------------

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 09/08/2006 10.03 34 bytes Windows API length not consistent with raw hive data.
C:\WINDOWS\lykeh1.dll 15/08/2006 22.02 63.16 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\ACRORD32.EXE-3323E31B.pf 13/08/2006 12.24 60.20 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ALBUMDB2.EXE-252F6A41.pf 13/08/2006 17.55 16.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf 14/08/2006 9.49 17.40 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\APPSTOP.EXE-13574D33.pf 12/08/2006 1.06 6.05 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AVASTU3.EXE-0066380A.pf 11/08/2006 22.21 45.47 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AVGNT.EXE-0F4341E4.pf 11/08/2006 21.42 52.50 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AVNOTIFY.EXE-2508735D.pf 11/08/2006 21.42 115.06 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AVU3_UPD.EXE-32B515C0.pf 12/08/2006 1.06 7.33 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AVU3LAUNCHER.EXE-3548157C.pf 12/08/2006 1.06 13.97 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\BLACKICE.EXE-24D65F9B.pf 15/08/2006 22.06 27.10 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\BW.EXE-23779544.pf 15/08/2006 22.18 12.28 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CCAPP.EXE-22E68F52.pf 15/08/2006 22.06 21.25 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CHCP.COM-18156052.pf 15/08/2006 22.19 6.22 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CLEANUP.EXE-051A23BC.pf 12/08/2006 1.06 10.04 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CTFMON.EXE-0E17969B.pf 15/08/2006 22.06 16.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf 13/08/2006 20.39 14.79 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf 13/08/2006 20.39 65.84 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DLLHOST.EXE-5353C76C.pf 14/08/2006 9.49 26.70 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf 12/08/2006 1.11 7.62 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf 12/08/2006 1.11 8.07 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\EWIDO-SETUP_4.0.0.172C.EXE-015AAE00.pf 13/08/2006 16.05 30.76 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\FIND.EXE-0EC32F1E.pf 13/08/2006 16.02 11.39 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\FINDSTR.EXE-0CA6274B.pf 13/08/2006 16.02 11.39 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\FXSSVC.EXE-3B8F7819.pf 14/08/2006 9.49 22.92 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\GUARD.EXE-1F8DAEF7.pf 13/08/2006 16.06 50.57 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HELPCTR.EXE-3862B6F5.pf 15/08/2006 21.57 70.97 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HELPHOST.EXE-247D2792.pf 15/08/2006 21.57 36.08 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HJTSETUP[1].EXE-23AA43D8.pf 12/08/2006 18.47 13.42 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HPDARC.EXE-072E406D.pf 13/08/2006 17.56 15.18 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HPWUSCHD2.EXE-22706560.pf 15/08/2006 22.06 8.53 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HPZENG09.EXE-21FF5F4F.pf 13/08/2006 12.29 14.54 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HPZSTC09.EXE-3AFDDA16.pf 13/08/2006 12.29 9.94 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ICQLITE.EXE-2375E98B.pf 11/08/2006 23.20 59.17 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf 14/08/2006 9.49 17.52 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\IPODSERVICE.EXE-387C9A1D.pf 14/08/2006 9.49 15.57 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\IS-P9GEA.TMP-13D2E7CD.pf 12/08/2006 18.47 18.67 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ITUNESHELPER.EXE-3636184C.pf 15/08/2006 22.06 14.51 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JAVA.EXE-01C7E6CC.pf 14/08/2006 10.22 9.36 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JAVAW.EXE-05E73B2B.pf 13/08/2006 12.45 26.17 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JAVAW.EXE-1DA9F6E6.pf 13/08/2006 15.49 29.29 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JAVAW.EXE-29F48844.pf 13/08/2006 15.49 93.82 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JAVAWS.EXE-239C1188.pf 13/08/2006 12.45 48.98 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JRE-1_5_0_08-WINDOWS-I586-P.E-01349430.pf 13/08/2006 15.47 56.97 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JUCHECK.EXE-002C045F.pf 14/08/2006 10.23 31.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\LAUNCHER.EXE-02475A07.pf 13/08/2006 15.48 7.30 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\LOGITRAY.EXE-03670A78.pf 15/08/2006 22.06 17.25 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MMC.EXE-398DCF39.pf 15/08/2006 21.58 55.59 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPAS-D.EXE-2F969366.pf 15/08/2006 21.52 25.15 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPAS-FE.EXE-03A19C8B.pf 12/08/2006 18.39 39.10 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPSIGSTUB.EXE-136F86F1.pf 15/08/2006 21.52 14.13 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPSIGSTUB.EXE-264EB755.pf 12/08/2006 18.39 14.85 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSASCUI.EXE-16A7D62A.pf 15/08/2006 22.06 25.98 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf 13/08/2006 15.48 100.94 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSINFO32.EXE-2258DA4A.pf 15/08/2006 21.54 22.12 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSNMSGR.EXE-09AF9BF4.pf 15/08/2006 22.06 45.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PATCHJRE.EXE-38C340FA.pf 13/08/2006 15.48 34.19 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PROCESS.EXE-06416A34.pf 13/08/2006 16.02 5.56 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\QTTASK.EXE-27A34FF0.pf 15/08/2006 22.06 9.69 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\REBOOT.EXE-180BD280.pf 13/08/2006 16.02 5.36 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf 13/08/2006 16.02 12.35 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf 12/08/2006 18.50 12.02 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ROOTKITREVEALER.EXE-11A927B6.pf 15/08/2006 22.18 12.74 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-12B7EA69.pf 15/08/2006 21.56 30.84 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-12E27DD0.pf 13/08/2006 21.08 17.31 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-147710F4.pf 15/08/2006 21.55 69.73 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf 13/08/2006 12.28 11.73 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf 13/08/2006 12.28 12.68 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4A877817.pf 13/08/2006 12.43 60.92 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RZUS.EXE-101E041C.pf 14/08/2006 9.49 12.69 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf 14/08/2006 9.49 11.46 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf 12/08/2006 9.56 17.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UNPACK200.EXE-220B2A6B.pf 13/08/2006 15.48 37.02 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-02EB83E8.pf 13/08/2006 15.49 79.64 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-067729DC.pf 13/08/2006 21.16 77.85 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-07C3F668.pf 13/08/2006 15.49 68.67 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-137ACA41.pf 13/08/2006 15.49 73.51 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-14C69E48.pf 13/08/2006 12.18 71.73 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-17FBE228.pf 12/08/2006 18.20 71.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-1A349B6D.pf 13/08/2006 12.18 71.51 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-1FFA3320.pf 13/08/2006 21.15 76.49 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-24BA68DC.pf 13/08/2006 21.15 74.43 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-2B2F613C.pf 13/08/2006 12.18 68.68 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-2D740814.pf 13/08/2006 21.15 77.83 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-315A4691.pf 13/08/2006 21.14 73.97 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-373914CB.pf 13/08/2006 21.16 68.55 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPDATE.EXE-39DF5749.pf 13/08/2006 21.16 73.48 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\VPTRAY.EXE-2D128BA2.pf 15/08/2006 22.06 19.06 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WIN32DELFKIL.EXE-379160E4.pf 13/08/2006 15.58 42.71 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WINZIP32.EXE-335422C1.pf 15/08/2006 22.17 30.62 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WISPTIS.EXE-0C21B942.pf 13/08/2006 12.24 19.63 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WMPLAYER.EXE-3717B9AA.pf 13/08/2006 18.25 54.23 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WMPLAYER.EXE-3717B9AD.pf 13/08/2006 18.25 52.37 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\YPAGER.EXE-0592D06F.pf 11/08/2006 22.30 52.55 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\YUPDATER.EXE-1967A3F9.pf 11/08/2006 22.31 27.86 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ZIPPER.EXE-20383486.pf 13/08/2006 15.48 81.91 KB Visible in Windows API, but not in MFT or directory index.
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Post by Jag11 » August 17th, 2006, 4:17 am

Ok, let's do this! :)

You may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. It is also important that you don't miss a step and that you perform everything in the right order.

=====================================

Navigate to this folder :

C:/documents and settings/

You will see your system accounts there, tell me if you notice a name that you don't recognize. Tell me that folder later.

=====================================



Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
Click Exit on the Main menu to close the program.

=====================================

Then :

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\lykeh1.dll

Folders to Delete:
c:\windows\temp


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


=====================================

Post a new hjt log along with the Avenger log. :)
Jag11
Retired Graduate
 
Posts: 1096
Joined: November 27th, 2005, 5:40 am
Location: 127.0.0.1
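
Added example, not part of the thread and not code from any of the tools mentioned: a Python triage of the RootkitRevealer log posted earlier, cross-checked against the "(file missing)" entries in the HijackThis log. The tier names, rule table and function names are assumptions made for this illustration; the sample lines are excerpts copied from the logs in this thread.

```python
import re

# Excerpt of the RootkitRevealer log from this thread (columns space-separated as on the page).
SAMPLE_RKR = r"""
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 09/08/2006 10.03 34 bytes Windows API length not consistent with raw hive data.
C:\WINDOWS\lykeh1.dll 15/08/2006 22.02 63.16 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf 14/08/2006 9.49 17.40 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ROOTKITREVEALER.EXE-11A927B6.pf 15/08/2006 22.18 12.74 KB Visible in Windows API, but not in MFT or directory index.
"""

# Two "(file missing)" entries from the HijackThis log of 15/08/2006 in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# path, dd/mm/yyyy, h.mm, size, unit, free-text discrepancy description
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{1,2}\.\d{2})\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<desc>.+)$"
)

# Assumed triage tiers, keyed on the discrepancy text; the first matching rule wins.
RULES = [
    ("hidden from windows api", "high",
     "object is in the raw on-disk data but API enumeration does not return it"),
    ("not consistent with raw hive data", "high",
     "value read through the API differs from what is stored in the hive"),
    ("embedded nulls", "review",
     "key name contains NULs, so API-based editors see it only partially"),
    ("visible in windows api, but not in", "low",
     "seen by only some scans; commonly a file created or deleted during the scan"),
]

# Registry values that load DLLs into processes; a discrepancy here is never low priority.
LOAD_POINTS = (r"\windows nt\currentversion\windows\appinit_dlls",)

HJT_MISSING_RE = re.compile(r'- "?(?P<path>[A-Za-z]:\\[^"]+?)"? \(file missing\)\s*$')


def classify(path, desc):
    """Return (tier, reason) for one discrepancy line."""
    lowered = desc.lower()
    for needle, tier, why in RULES:
        if needle in lowered:
            break
    else:
        # Unknown discrepancy types are surfaced for a human, never dropped.
        tier, why = "review", "unrecognised discrepancy type"
    if path.lower().endswith(LOAD_POINTS):
        tier, why = "high", why + "; path is a DLL load point"
    return tier, why


def parse(log_text):
    """Parse a RootkitRevealer text log into findings plus lines that did not parse."""
    findings, unparsed = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            unparsed.append(line)
            continue
        finding = match.groupdict()
        finding["tier"], finding["why"] = classify(finding["path"], finding["desc"])
        findings.append(finding)
    return findings, unparsed


def explain_missing(hjt_text, findings):
    """Split HijackThis '(file missing)' paths into hidden files and absent/stale ones."""
    hidden = {f["path"].lower() for f in findings
              if "hidden from windows api" in f["desc"].lower()}
    result = {}
    for line in hjt_text.splitlines():
        match = HJT_MISSING_RE.search(line.strip())
        if match:
            path = match.group("path")
            result[path] = "hidden" if path.lower() in hidden else "absent-or-stale"
    return result


if __name__ == "__main__":
    findings, unparsed = parse(SAMPLE_RKR)
    for f in findings:
        if f["tier"] != "low":
            print(f'{f["tier"]:6} {f["path"]}  ({f["why"]})')
    for path, state in explain_missing(SAMPLE_HJT, findings).items():
        print(f"HJT file missing: {path} -> {state}")
```

On these excerpts the two high-tier findings are the AppInit_DLLs value and C:\WINDOWS\lykeh1.dll, the same two items the Avenger script above acts on, and lykeh1.dll is the one HijackThis "(file missing)" entry that is hidden rather than simply gone.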

Robogold popups

Post by sined » August 17th, 2006, 9:05 am

Hi,

regarding accounts, the following is the one I've never seen:

- C:\Documents and Settings\EgEapiPHruDPfnGcV

There are also the following accounts which I think are Windows related:

- LocalServices
- NetworkServices

The following are the required logs.

Thanks for your help,

Sined

------------------------------------------------------------------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qnrefgbt

*******************

Script file located at: \??\C:\Documents and Settings\klqbclqf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\lykeh1.dll deleted successfully.
Folder c:\windows\temp deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.


------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 15.00.35, on 17/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Post by Jag11 » August 21st, 2006, 12:23 am

Sorry for the delay sined..

Could you go to Start > Control Panel > User Accounts > then delete this account if it's there : EgEapiPHruDPfnGcV

=====================================



Next delete this folder please :

C:\Documents and Settings\EgEapiPHruDPfnGcV

=====================================

Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Reboot your computer.

Post these logs please :

>> new hijackthis log
>> new rootkitrevealer log

-- Jet :)
Jag11
Retired Graduate
 
Posts: 1096
Joined: November 27th, 2005, 5:40 am
Location: 127.0.0.1
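
The post above asks for the O2 entry that still points at the deleted lykeh1.dll to be fixed. As an added example (not part of the original posts, and not a feature of HijackThis or The Avenger), this Python script cross-references the two logs to separate "(file missing)" entries left behind by the cleanup from entries whose file is missing for some other reason. The function names are assumptions of the example, and the embedded sample lines are copied from the logs in this thread.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Sample input: lines copied from the Avenger and HijackThis logs in this thread.
AVENGER_LOG = r"""
File C:\WINDOWS\lykeh1.dll deleted successfully.
Folder c:\windows\temp deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
"""

HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""


class Leftover(NamedTuple):
    code: str                 # HijackThis section code, e.g. "O2"
    clsid: Optional[str]      # CLSID named in the entry, if any
    path: str                 # file the registry entry still points to
    removed_by_avenger: bool  # True if the Avenger log shows it was deleted


DELETED_RE = re.compile(r"^(File|Folder) (.+) deleted successfully\.$")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+)"?$')
MISSING = " (file missing)"


def normalize(path: str) -> str:
    """Windows paths compare case-insensitively; drop quotes and trailing slash."""
    return path.strip().strip('"').rstrip("\\").lower()


def avenger_deletions(log: str) -> Tuple[Set[str], Set[str]]:
    """Return (files, folders) that the Avenger log reports as deleted."""
    files, folders = set(), set()
    for line in log.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            target = files if m.group(1) == "File" else folders
            target.add(normalize(m.group(2)))
    return files, folders


def leftover_references(avenger_log: str, hjt_log: str) -> List[Leftover]:
    """List HijackThis entries flagged '(file missing)' and whether the
    missing file (or its parent folder) was removed by The Avenger."""
    files, folders = avenger_deletions(avenger_log)
    found = []
    for line in hjt_log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or not m.group(2).endswith(MISSING):
            continue
        body = m.group(2)[: -len(MISSING)]
        pm = PATH_RE.search(body)
        if not pm:
            continue
        key = normalize(pm.group(1))
        removed = key in files or any(key.startswith(f + "\\") for f in folders)
        cm = CLSID_RE.search(body)
        found.append(Leftover(m.group(1), cm.group(0) if cm else None,
                              pm.group(1), removed))
    return found


if __name__ == "__main__":
    for item in leftover_references(AVENGER_LOG, HJT_LOG):
        reason = "deleted by Avenger" if item.removed_by_avenger else "missing for another reason"
        print(f"{item.code} {item.clsid} -> {item.path}: {reason}")
```

Entries reported as deleted by The Avenger are the orphaned references the cleanup is expected to leave; the others need to be judged separately.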

Post by sined » August 21st, 2006, 4:01 am

Hi,

unfortunately the user is not shown through the "User Account", therefore I'm not able to delete it. I also tried to see if it was available when running in safe mode...but it's not.

How should I proceed?

Thanks, Sined
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Post by Jag11 » August 21st, 2006, 4:32 am

Try this sined.

Click Start, and then click Control Panel. Click Administrative Tools, and then double-click Computer Management > System Tools > Local Users and Groups > Users.


Right-click that account name then Delete.
Jag11
Retired Graduate
 
Posts: 1096
Joined: November 27th, 2005, 5:40 am
Location: 127.0.0.1

Post by sined » August 21st, 2006, 8:26 am

Hi,

here are the logs. Just FYI, I don't have popups anymore, and I no longer see the little latency in opening the browser from another browser instance.

BTW...what are all the hidden files (images, etc) I see in the rootkit logs?

thanks, Sined


-------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 13.58.38, on 21/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {ECDFD956-C2EC-44F8-A553-3837EAA31F5C} - http://gromozon.com/eb2570a8/50400/1/xp/FreeAccess.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NIEFMEUB - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\xp\IMPOST~1\Temp\NIEFMEUB.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe





-------------------------------------------------------------------------------------



HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 25/02/2005 19.08 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\xp\Cookies\xp@insightexpressai[1].txt 19/08/2006 19.38 1.02 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Cookies\xp@insightexpressai[2].txt 21/08/2006 14.15 1.11 KB Hidden from Windows API.
C:\Documents and Settings\xp\Cookies\xp@statse.webtrendslive[1].txt 21/08/2006 14.02 222 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Cookies\xp@statse.webtrendslive[2].txt 20/08/2006 20.12 222 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Cookies\xp@yahoo[1].txt 21/08/2006 8.44 667 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Cookies\xp@yahoo[2].txt 21/08/2006 14.18 649 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Dati applicazioni\Skype\denis_billiato\chat256.dbb 21/08/2006 14.02 0 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Dati applicazioni\Skype\denis_billiato\chatsync\a2 21/08/2006 14.02 0 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Dati applicazioni\Skype\denis_billiato\chatsync\a2\a21255975a6429be.dat 21/08/2006 14.02 1.29 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temp\~DF348B.tmp 21/08/2006 14.13 512 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\0112_country_ch_it_h38[1].gif 21/08/2006 14.02 508 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\080806_mortarboard_star_ne4_105x60[1].gif 21/08/2006 14.18 3.09 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\20708_PE039139_S2[1].jpg 21/08/2006 14.02 1012 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\29083_PE115981_S2[1].jpg 21/08/2006 14.02 1.60 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\43758_PE139564_S2[1].jpg 21/08/2006 14.02 1.32 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\adress_22x22[1].gif 21/08/2006 14.02 252 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\BD544_mutandata[1].jpg 21/08/2006 14.17 55.35 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\BD544_mutandata[1].jpg:Zone.Identifier 21/08/2006 14.17 26 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\cookie_util[1].js 21/08/2006 14.02 1.70 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\dotline163[1].gif 21/08/2006 14.02 43 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\hp_02[1].gif 21/08/2006 14.17 5.16 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\ico_tab[1].png 21/08/2006 14.03 2.03 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\jsPop[1].js 21/08/2006 14.02 2.62 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\mail_blue_all[2].css 21/08/2006 14.14 42.96 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\ms_01[1].gif 21/08/2006 14.17 4.61 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\nav02[1].js 21/08/2006 14.02 7.34 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\PID_119278_peopleA728x90[1].swf 21/08/2006 14.18 22.32 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\rc_wg2w_ne_1[1].gif 21/08/2006 14.14 111 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\rc_wg2w_se_1[1].gif 21/08/2006 14.14 111 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\rc_wg2w_sw_1[1].gif 21/08/2006 14.14 111 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\0TIZSTIV\restaurant_128x60[1].jpg 21/08/2006 14.02 2.11 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\1947OUJH\20060809_74986_1_425x600_mon_mail_accolades_rev1[1].swf 21/08/2006 14.17 38.24 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\1947OUJH\25x25_alien_head_circle1[1].gif 21/08/2006 14.17 753 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\1947OUJH\bt_b_dd_2[1].gif 21/08/2006 14.15 77 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\1947OUJH\CAH62TDT.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\1947OUJH\ShowFolder[1].htm 21/08/2006 14.18 197.16 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\1947OUJH\txtmess12_1[1].gif 21/08/2006 14.15 134 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\bnr_11[1].jpg 21/08/2006 14.18 10.47 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\CA4XIRGL.swf 21/08/2006 14.14 24.62 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\mc1[1].js 21/08/2006 14.14 81 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\mc2[1].js 21/08/2006 14.14 6.60 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\PRScript[1].txt 21/08/2006 14.14 8.16 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\re4_25x25[1].jpg 21/08/2006 14.15 1.15 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\schematizedstore[2].xml 21/08/2006 14.03 3.06 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\space[1].gif 21/08/2006 14.15 43 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\tabsmiley[1].png 21/08/2006 14.04 4.96 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\title_search_rb[1].gif 21/08/2006 14.18 1.53 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\tr14x15_1[1].gif 21/08/2006 14.15 70 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\6KP38683\ymbnr_rb_ne[1].gif 21/08/2006 14.18 52 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\72O3NT45\activity;src=1237252;met=1;v=1;pid=13884276;aid=43259089;ko=0;cid=17827745;rid=17845640;rv=1;&timestamp=1156162705250;eid1=2;ecn1=1;etm1=5;[1].gif 21/08/2006 14.18 43 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\72O3NT45\cr_wrn_ne[1].gif 21/08/2006 14.17 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\72O3NT45\folderview[2].js 21/08/2006 14.15 7.25 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\72O3NT45\football25x25[1].gif 21/08/2006 14.14 653 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\72O3NT45\letter[2].js 21/08/2006 14.15 4.89 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\72O3NT45\ma_mail_1[1].gif 21/08/2006 14.14 1.37 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\72O3NT45\pool25x25_031504[1].gif 21/08/2006 14.14 393 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\abook_rdex_1[1].gif 21/08/2006 14.15 576 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\bnr_16[1].jpg 21/08/2006 14.14 10.20 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\bt_dd_l_2[1].gif 21/08/2006 14.14 70 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\CAKFBB5S.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\CAMB8XUR.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\clip_1[1].gif 21/08/2006 14.15 220 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\cr_wrn_nw[1].gif 21/08/2006 14.17 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\cr_wrn_se[1].gif 21/08/2006 14.17 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\cr_wrn_sw[1].gif 21/08/2006 14.17 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\mastercard_062005[1].gif 21/08/2006 14.17 1.24 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\messenger[1].png 21/08/2006 14.03 2.62 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\perc1[1].gif 21/08/2006 14.14 146 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\silho_neutral_1[1].gif 21/08/2006 14.14 568 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\87HV26RX\yregbase_200508171230[2].css 21/08/2006 14.17 5.74 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\06761_PE082661_S2[1].jpg 21/08/2006 14.02 942 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\45936_PE142523_S2[1].jpg 21/08/2006 14.02 1.04 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\52989_PE154887_S2[1].jpg 21/08/2006 14.02 1.40 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\cart20x16[1].gif 21/08/2006 14.02 89 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\CAVS1V78.swf 21/08/2006 14.18 24.38 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\goBtn[1].gif 21/08/2006 14.02 166 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\icona[1].png 21/08/2006 14.03 459 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\login[1].htm 21/08/2006 14.14 61.12 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\login[2].htm 21/08/2006 14.17 21.60 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\mailcommonlib[2].js 21/08/2006 14.14 49.44 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\materazzi_128x60[1].gif 21/08/2006 14.02 3.30 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\pagetitle_bg[1].gif 21/08/2006 14.02 66 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\ShowLetter[1].htm 21/08/2006 14.15 66.47 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8XMJKXMN\top_logo[1].gif 21/08/2006 14.02 1.62 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\0552_eating_plp3_175x100[1].jpg 21/08/2006 14.02 4.06 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\05_22_06_fly_25x25_d[1].gif 21/08/2006 14.14 1.13 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\062606_72958_v1_728x90_super_pulsericohp[1].swf 21/08/2006 14.15 28.06 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\071706_gmoon_25x25_clearbackground[1].gif 21/08/2006 14.15 1.32 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\081406yahoo_nw1_heloc_25x25[1].gif 21/08/2006 14.14 308 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\20060519_70303_1_425x600_mon_arms[1].swf 21/08/2006 14.17 38.96 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\25337_PE088144_S2[1].jpg 21/08/2006 14.02 1.41 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\37114_PE129083_S2[1].jpg 21/08/2006 14.02 747 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\50881_PE150564_S2[1].jpg 21/08/2006 14.02 880 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\CA6HQUJN.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\CARR4YJF.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\CATDSEHS.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\cookwareit_128x60[1].jpg 21/08/2006 14.02 3.88 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\im12_1[1].gif 21/08/2006 14.16 312 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\rc_wc3c5_sw_1[1].gif 21/08/2006 14.17 166 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\Tabicon[1].png 21/08/2006 14.04 1.93 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\8Z43IN0Z\yregml_200605241435[1].js 21/08/2006 14.14 3.07 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\38223_PE130122_S3[1].jpg 21/08/2006 14.02 2.58 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\42833_PE138207_S2[1].jpg 21/08/2006 14.02 1010 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\48372_PE144683_S2[1].jpg 21/08/2006 14.02 1.11 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\bistecca-di-maiale_175x100[1].jpg 21/08/2006 14.02 4.58 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\blue_arrow[1].gif 21/08/2006 14.02 388 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\CAAYTHCO.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\CAB5ACTK.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\CAGUEW6X.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\call12_1[1].gif 21/08/2006 14.16 204 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\CAQAF9CJ.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\ct_yad_031016[1].js 21/08/2006 14.17 1.81 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\goBtn_over[1].gif 21/08/2006 14.02 138 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\IkeaNearYouView[1].htm 21/08/2006 14.02 97.57 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\inbc1[1].gif 21/08/2006 14.14 162 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\integrated_site[1].css 21/08/2006 14.02 12.35 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\IT_Advertiser_tormentoni_234x60_001[1].gif 21/08/2006 14.04 7.17 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\login[1].htm 21/08/2006 14.18 58.52 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\login[1].rand=53bb56ea0s76i 21/08/2006 14.18 15.22 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\navOptions[1].js 21/08/2006 14.02 950 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\pop3_1[1].gif 21/08/2006 14.14 54 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\pop4_1[1].gif 21/08/2006 14.14 54 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\salmone_175x100[1].jpg 21/08/2006 14.02 15.95 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\store_hours_22x22[1].gif 21/08/2006 14.02 310 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\video-icon25x25_022306[1].gif 21/08/2006 14.15 170 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AT4L61ST\yg_browserext_1_5[1].js 21/08/2006 14.14 2.86 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\CACJK7WT.HTM 21/08/2006 14.18 0 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\cr_srch_ne[1].gif 21/08/2006 14.17 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\cr_srch_nw[1].gif 21/08/2006 14.17 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\maria25[1].jpg 21/08/2006 14.15 1.05 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\nwmail16_1[1].gif 21/08/2006 14.14 1.04 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\piratescropped25[1].jpg 21/08/2006 14.17 958 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\reply[1].gif 21/08/2006 14.15 157 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\ShowFolder[1] 21/08/2006 14.18 16.45 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\ShowFolder[1].htm 21/08/2006 14.18 62.26 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\title_filters_ye[1].gif 21/08/2006 14.14 2.11 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\vmail16_1[1].gif 21/08/2006 14.14 608 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\AVI3MPEV\ymbnr_yl_ne[1].gif 21/08/2006 14.14 52 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\22201_PE084559_S2[1].jpg 21/08/2006 14.02 1.62 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\28832_PE115613_S2[1].jpg 21/08/2006 14.02 929 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\_;ord=1156162663405422[1].htm 21/08/2006 14.18 18.87 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\CA4T2L16.htm 21/08/2006 14.15 9.05 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\CA85I3KP.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\CATNU9HX.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\column_spacer_bg[1].gif 21/08/2006 14.02 49 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\fonts_200502080901[1].css 21/08/2006 14.14 739 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\PID_119278_stainback1A728x90[1].jpg 21/08/2006 14.18 2.38 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\PID_119278_staingraphicA728x90[1].swf 21/08/2006 14.18 7.65 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\rc_wc3c5_nw_1[1].gif 21/08/2006 14.14 167 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\ShowFolder[1].htm 21/08/2006 14.17 62.03 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\small_habbohotel[1].png 21/08/2006 14.03 1.54 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\sort_dn_1[1].gif 21/08/2006 14.15 96 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\EL1AVM94\ygma_2.19[2].css 21/08/2006 14.14 2.06 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\25x25_fishbowl_b[1].gif 21/08/2006 14.17 1.37 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\45779_PE142126_S2[1].jpg 21/08/2006 14.02 1.65 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\52847_PE154495_S2[1].jpg 21/08/2006 14.02 998 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\arrowred4x6[1].gif 21/08/2006 14.02 49 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\blkc1[1].gif 21/08/2006 14.14 177 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\blog_med[1].gif 21/08/2006 14.18 2.08 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\CA6R41YF.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\CAMZOT6N.swf 21/08/2006 14.15 13.56 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\CAU2WIVJ.bin 21/08/2006 14.14 25.02 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\CH_Grancia_2003[1].gif 21/08/2006 14.02 8.76 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\mirtilli_175x100[1].jpg 21/08/2006 14.02 5.09 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\novita_128x60[1].gif 21/08/2006 14.02 1.65 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\rc_wc3c5_se_1[1].gif 21/08/2006 14.17 167 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\spider_25x25[1].jpg 21/08/2006 14.18 1.59 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\tshc1[1].gif 21/08/2006 14.14 236 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\yahoo_25x25_0705_cherry01[1].gif 21/08/2006 14.15 1.10 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KDYRC9Y3\ymknb_yl[1].gif 21/08/2006 14.14 78 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\12092006[1].jpg 21/08/2006 14.02 23.13 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\45835_PE142232_S2[1].jpg 21/08/2006 14.02 1.51 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\55120_PE160125_S2[1].jpg 21/08/2006 14.02 1.15 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\addtomyyahoo4[1].gif 21/08/2006 14.15 719 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\butter45x32[1].png 21/08/2006 14.03 2.57 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\CA0VB3IS.swf 21/08/2006 14.18 26.02 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\cr_gg_se[1].gif 21/08/2006 14.14 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\cr_gg_sw[1].gif 21/08/2006 14.14 94 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\ebaylogo[1].png 21/08/2006 14.03 1.07 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\frame2[1].gif 21/08/2006 14.14 2.05 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\globalTemplate_15_06[1].js 21/08/2006 14.18 51.75 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\IF_prodotti_250x250[1].gif 21/08/2006 14.02 47.48 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\phone_22x22[1].gif 21/08/2006 14.02 267 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\px_w[1].gif 21/08/2006 14.15 43 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\shd_r_2[1].gif 21/08/2006 14.14 50 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\KXKJ8N8J\ShowFolder[1].htm 21/08/2006 14.17 49.54 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\01[1].htm 21/08/2006 14.04 234 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\282940_062006_2006_imageantivirus[1].gif 21/08/2006 14.16 826 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\51272_PE150763_S2[1].jpg 21/08/2006 14.02 1015 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\54587_PE153078_S2[1].jpg 21/08/2006 14.02 1.40 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\BD544-mutandata[1].jpg 21/08/2006 14.16 55.35 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\CAMBKHMV.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\gr-da-me_175x100[1].gif 21/08/2006 14.02 5.50 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\msn_music_downloads[1].png 21/08/2006 14.04 958 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\PID_119288_stainA300x250[1].jpg 21/08/2006 14.18 8.89 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\PID_119288_stainback1A300x250[1].jpg 21/08/2006 14.18 8.38 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\pop7_1[1].gif 21/08/2006 14.14 54 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\rc_wg2w_nw_1[1].gif 21/08/2006 14.14 111 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\ShowFolder[1].htm 21/08/2006 14.15 75.67 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\ylib_dom[1].js 21/08/2006 14.14 4.66 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\MXID6T03\ymknb_rb[1].gif 21/08/2006 14.18 78 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\072106_icon_25x25_en[1].gif 21/08/2006 14.17 1.46 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\breakfast175x100[1].jpg 21/08/2006 14.02 3.10 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\CA6NG1YB.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\CAWL0PW5.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\icon[1].png 21/08/2006 14.03 2.48 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\mail.yahoo[1].htm 21/08/2006 14.18 17.43 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\mc[1].js 21/08/2006 14.14 405 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\msn_incontri[1].png 21/08/2006 14.03 2.69 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\ShowFolder[1] 21/08/2006 14.15 17.22 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\ShowFolder[1].htm 21/08/2006 14.15 74.63 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\src_wc4w_sw_1[1].gif 21/08/2006 14.14 95 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\trans[1].gif 21/08/2006 14.14 44 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O4KOOEUO\ymail_ec_logo_1[1].gif 21/08/2006 14.14 5.19 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\20928_PE105991_S2[1].jpg 21/08/2006 14.02 1.80 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\25x25-usflag-01[1].gif 21/08/2006 14.18 141 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\45657_PE141907_S2[1].jpg 21/08/2006 14.02 1.32 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\50774_PE150516_S2[1].jpg 21/08/2006 14.02 1.72 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\_;ord=1156162671680275[1].htm 21/08/2006 14.18 18.84 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\CA69Y125.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\CAKH2ROP.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\CAMD6HMD.bin 21/08/2006 14.03 272 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\dftc1[1].gif 21/08/2006 14.14 223 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\expedia[1].png 21/08/2006 14.03 2.62 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\Family_logo_128x60[1].gif 21/08/2006 14.02 1.13 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\fm[1].htm 21/08/2006 14.15 2.40 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\gift_financing_250x400[1].jpg 21/08/2006 14.02 17.52 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\inbo1[1].gif 21/08/2006 14.15 227 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\logo92x33[1].gif 21/08/2006 14.02 715 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\myaccount[1].js 21/08/2006 14.02 6.93 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\s1x1[1].gif 21/08/2006 14.02 42 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\ShowLetter[1].htm 21/08/2006 14.17 50.69 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\sntc1[1].gif 21/08/2006 14.14 219 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\O9AJ8L2R\ymknb_lb[1].gif 21/08/2006 14.14 78 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\QXOFWNAB\_;ord=1156162671680275[1] 21/08/2006 14.18 11 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\QXOFWNAB\bc_2.0.3[2].js 21/08/2006 14.14 1.91 KB Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\QXOFWNAB\bt_s_dd_2[1].gif 21/08/2006 14.14 122 bytes Hidden from Windows API.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\QXOFWNAB\CA9YO91Q.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\QXOFWNAB\CAEXYHCP.bin 21/08/2006 11.29 272 bytes Visible in Windows API, but not in MFT or directory index.
sined

Post by Jag11 » August 21st, 2006, 8:42 am

Good job.. :) We got rid of that crap now!

Just one last step:

Clear IE's Cookies and Cache
  • Close all instances of Outlook Express and Internet Explorer.
  • Go to Control Panel » Internet Options » General tab.
  • Click the Delete Cookies button.
  • Next to it, click the Delete Files button.
  • When prompted, place a check in: Delete all offline content, click OK.
Clean Temporary Files
  • Go to Start » Run » type: cleanmgr » OK.
  • Choose (C:) and then click OK.
  • Make sure these are the only ones that are checked:
    • Temporary Internet Files
    • Temporary Files
    • Recycle Bin
  • Click OK to remove them.
  • Click Yes to confirm the deletion.
Other than that, your log looks clean now! :)

Now that you're clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Re-Hide System Files and Folders:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Deselect the Show hidden files and folders option
  • Select the Hide protected operating system files option
  • Click Yes to confirm
  • Click OK
2.) Reset and Re-enable your System Restore

We need to do this to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Click Start » Run » ( type: SYSDM.CPL ) » OK
  • Click the System Restore tab.
  • Check - Turn off System Restore.
  • Click Apply.
  • Uncheck - Turn off System Restore.
  • Click OK.
You have now flushed your previous System Restore points, so we will make a new one again since your computer is already clean.
  • Go to Start » All Programs » Accessories » System Tools, and select System Restore
  • In the System Restore prompt, select: Create a restore point
  • Click Next
  • Give a description to the new Restore Point. (Something like: Clean PC)
  • Click Create
  • Then close the window
3.) How to Prevent Re-Infection

Please take your time reading this list. It is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, open Internet Explorer, then select Tools » Windows Update, and follow the online instructions from there.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Firewall (a must!) - It is definitely a must have. Two good free versions are Kerio and ZoneAlarm.
  • Anti-Virus (a must!) - It is also a must have. Two good programs are Avast and AVG, they're both free.
    Note: You must only use 1 (one) AV because if you have 2 AVs, they will conflict with each other and will only make your system slow.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Jag11