Welcome to MalwareRemoval.com,
I've got tons of Trojans

Unread postby RaoulDuke » January 22nd, 2011, 3:09 pm

Here it is, my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20.02.51, on 22/01/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\NetworkService\Dati applicazioni\h3elkwkrrqx1ckhyffzgdlrcokfmfmz2\csrss.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Internet Explorer\conhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programmi\Prevx\prevx.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Prevx\prevx.exe
C:\Documents and Settings\Carlo\Dati applicazioni\dwm.exe
C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Prevx\prevx.exe
C:\Programmi\File comuni\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Carlo\IMPOST~1\Temp\Sqr.exe
C:\WINDOWS\TEMP\rimr\setup.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home?AF=14542
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52020
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll
R3 - URLSearchHook: Babylon-English Toolbar - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Documents and Settings\NetworkService\Dati applicazioni\h3elkwkrrqx1ckhyffzgdlrcokfmfmz2\csrss.exe"
F3 - REG:win.ini: load=C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Programmi\ConduitEngine\ConduitEngine.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: Babylon-English Toolbar - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll
O3 - Toolbar: Babylon-English Toolbar - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defense] C:\Documents and Settings\Carlo\Dati applicazioni\0DMxsGfsG.exe
O4 - HKLM\..\Run: [conhost] C:\Documents and Settings\Carlo\Dati applicazioni\Microsoft\conhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [20W6RLKX65] C:\DOCUME~1\Carlo\IMPOST~1\Temp\Sqz.exe
O4 - HKCU\..\Run: [3FWHZQA3LT] C:\DOCUME~1\Carlo\IMPOST~1\Temp\Sq3.exe
O4 - HKCU\..\Run: [DAT39.tmp.exe] "C:\DOCUME~1\Carlo\IMPOST~1\Temp\DAT39.tmp.exe" /run
O4 - HKCU\..\Run: [mssend] "C:\Documents and Settings\Carlo\Dati applicazioni\xssend2\svcnost.exe"
O4 - HKCU\..\Run: [Windows Defense] C:\Documents and Settings\Carlo\Dati applicazioni\0DMxsGfsG.exe
O4 - HKCU\..\Run: [CE8SIIFGSU] C:\DOCUME~1\Carlo\IMPOST~1\Temp\Sqr.exe
O4 - HKCU\..\Run: [TJHTHX1O7X] C:\WINDOWS\Ssinia.exe
O4 - HKCU\..\Run: [{7DD02E64-6DD8-9202-2B83-0D36C704B6F3}] "C:\Documents and Settings\Carlo\Dati applicazioni\Wyecu\womi.exe"
O4 - HKCU\..\Run: [{DF366355-A3B0-0170-31D6-94CEEA1FD19C}] "C:\Documents and Settings\Carlo\Dati applicazioni\Qeezop\zaado.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Carlo\Dati applicazioni\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/
O17 - HKLM\System\CCS\Services\Tcpip\..\{D13B7190-19AD-4FF9-8B85-16ED3825F504}: NameServer = 192.168.2.1
O20 - Winlogon Notify: krambst - krambst.dll (file missing)
O20 - Winlogon Notify: mputreg - mputreg.dll (file missing)
O20 - Winlogon Notify: reset5c - reset5c.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\rimr\setup.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Programmi\Prevx\prevx.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Programmi\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe

--
End of file - 11326 bytes



I've got a lot of malware (especially Trojans) in my PC.
My Avira Antivirus keeps detecting 'em but it can't remove them from my system.
I need help to fix it.
Thanks
RaoulDuke
Active Member
 
Posts: 11
Joined: January 22nd, 2011, 3:05 pm
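The HijackThis log above can be triaged mechanically before a helper reads it line by line. The script below is an added example, not something posted in this thread and not part of HijackThis, OTL or any tool used here; it scans HijackThis-style lines (and, going slightly beyond the post, the `IE - ... "ProxyServer"` form that OTL produces later in the thread) for the indicators that matter in this case: executables launched from Temp or Application Data, a changed `Shell=` or `load=` entry, an Internet Explorer proxy forced to 127.0.0.1, Winlogon Notify entries whose DLL is missing, and a service whose binary sits under TEMP. The sample lines are copied from the logs in this thread; the tag names and the regular expressions are assumptions of this example, and the rules are heuristics that produce leads for a human to review, not verdicts.

```python
"""Triage helper for HijackThis- and OTL-style text logs (added example).

It flags the kinds of entries that, in the thread above, are the infection:
executables launched from Temp or Application Data, a hijacked Shell= /
load= line, an IE proxy forced to 127.0.0.1, Winlogon Notify entries whose
DLL is missing, and a service whose binary lives under TEMP. These are
heuristics: a hit is a lead for the helper to review, not a verdict.
"""
from __future__ import annotations

import re

# Directories from which legitimate software rarely runs on Windows XP.
# "Dati applicazioni" and "IMPOST~1\Temp" are the Italian-locale names seen
# in the log; the English names are included so the rule works elsewhere.
# Known updaters (Google Update in the log above, for instance) also live
# under Application Data, so treat hits as leads rather than verdicts.
SUSPICIOUS_DIRS = re.compile(
    r"\\(Temp|Dati applicazioni|Application Data)\\", re.IGNORECASE
)
# A localhost proxy on a high port: the browser's traffic is being routed
# through a process on the same machine. Matches both the HijackThis form
# (ProxyServer = http=...) and the OTL form ("ProxyServer" = http=...).
LOCAL_PROXY = re.compile(r'ProxyServer"?\s*=\s*http=127\.0\.0\.1:(\d+)')
# Any absolute Windows path ending in .exe (non-greedy, so a line that holds
# several paths yields each of them).
EXE_PATH = re.compile(r"[A-Za-z]:\\.+?\.exe", re.IGNORECASE)


def classify(line: str) -> list[tuple[str, str]]:
    """Return (tag, detail) findings for one log line; empty if it looks benign."""
    findings: list[tuple[str, str]] = []
    line = line.rstrip()

    m = LOCAL_PROXY.search(line)
    if m:
        findings.append(("local-proxy", f"IE proxy forced to 127.0.0.1:{m.group(1)}"))

    # HijackThis F2/F3 entries: the shell or the win.ini load= hook was changed.
    if line.startswith("F2 - REG:system.ini: Shell="):
        value = line.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            findings.append(("shell-hijack", value))
    if line.startswith("F3 - REG:win.ini: load="):
        findings.append(("win-ini-load", line.split("load=", 1)[1].strip()))

    # O20 entries whose DLL no longer exists are leftovers of a removed or
    # self-deleting component; the registry reference still needs cleaning.
    if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        findings.append(("orphan-winlogon-notify", line.split(": ", 1)[1]))

    for path in EXE_PATH.findall(line):
        if SUSPICIOUS_DIRS.search(path):
            tag = "service-in-temp" if line.startswith("O23 - Service:") else "exe-in-user-dir"
            findings.append((tag, path))
    return findings


def triage(log_text: str) -> dict[str, list[str]]:
    """Group findings by tag over a whole log."""
    report: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        for tag, detail in classify(line):
            report.setdefault(tag, []).append(detail)
    return report


# Sample input: lines copied from the HijackThis and OTL logs in this thread,
# plus one benign Avira line to show what is *not* flagged.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52020
F2 - REG:system.ini: Shell=explorer.exe "C:\Documents and Settings\NetworkService\Dati applicazioni\h3elkwkrrqx1ckhyffzgdlrcokfmfmz2\csrss.exe"
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CE8SIIFGSU] C:\DOCUME~1\Carlo\IMPOST~1\Temp\Sqr.exe
O20 - Winlogon Notify: krambst - krambst.dll (file missing)
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\rimr\setup.exe
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63636
"""

if __name__ == "__main__":
    for tag, details in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{tag}]")
        for detail in details:
            print("   ", detail)
```

Run against the sample, the report groups two forced local proxies (ports 52020 and 63636), the `Shell=` line pointing at a second `csrss.exe` under Application Data, three executables under Temp or Application Data, the orphaned `krambst` Winlogon Notify entry and the `AMService` service running from `C:\WINDOWS\TEMP`, while the Avira and `winlogon.exe` lines produce nothing. The same entries are the ones a helper would pull out of the full log by hand; the value of the script is that it does not overlook the one suspicious line among a hundred benign ones.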

Re: I've got tons of Trojans

Unread postby deltalima » January 24th, 2011, 2:09 pm

Checking your log - back soon.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: I've got tons of Trojans

Unread postby deltalima » January 24th, 2011, 2:21 pm

Hi RaoulDuke,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your malware issue.

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.


Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Uninstall List
  • Open HijackThis.
  • Click on Open the Misc tools section.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: I've got tons of Trojans

Unread postby RaoulDuke » January 25th, 2011, 10:23 am

Here it is:

µTorrent
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
ASRock IES
ASRock InstantBoot
Assistente per l'accesso a Windows Live
AVI ReComp 1.5.1
Avidemux 2.5
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
Babylon
Babylon-English Toolbar
Bonjour
BS.Player FREE
Commandos 2: Men of Courage
Cool Edit Pro 2.1
DivX Plus Web Player
DivXLand Media Subtitler
Drumaxx
DVDVideoSoftTB Toolbar
eMule
FL Studio 9
Free Audio CD Burner version 1.4.7
Free YouTube to MP3 Converter version 3.9.30
Hardcore
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Windows XP (KB926239)
IL Download Manager
ImgBurn
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 18
Junk Mail filter update
K-Lite Codec Pack 2.41 Full
Magnaccio Manager
McAfee Security Scan Plus
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Excel Viewer
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
miniSAN 1.0.0 (build 2007-06-14)
Mozilla Firefox (3.6.13)
MSVCRT
MSXML 6.0 Parser (KB925673)
MusicDownloader 1.0
Nero 6 Ultra Edition
Nero Recode CE
Nimo Codecs Pack v5.0 (Remove Only)
Pack Vista Inspirat 2 1.0
Photo! Editor 1.1
PoiZone
PokerStars.it
PowerDVD
Python 2.6.5
QuickTime
QuickTime Alternative 1.76
Raccolta foto di Windows Live
Real Alternative 1.51
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Safari
Sakura
Sawer
Segoe UI
SoulSeek 157 NS 13e
spydig
Strumento di caricamento di Windows Live
Sygate Personal Firewall Pro
Toxic Biohazard
TuneUp Companion 1.9.0
Uninstall 1.0.0.1
VC80CRTRedist - 8.0.50727.4053
VDownloader 1.0
VLC media player 1.0.5
VobSub 2.23
Windows Communication Foundation
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR gestione archivi

(Some program names, like the last one, are in Italian; that's because I am Italian. If you don't understand what a program is, feel free to ask me for a translation!)

Thanks for the help!

P.S.:
I have to warn you that the situation is getting worse.
Trojans just installed that fake program "Windows scan", the one that gives fake advice about critical errors and stuff like this, and I don't know how to remove it.
I tried a few anti-spy programs (Spybot, etc.), but it's still here.
Not to mention that the previous Trojans are still in here too.
RaoulDuke
Active Member
 
Posts: 11
Joined: January 22nd, 2011, 3:05 pm

Re: I've got tons of Trojans

Unread postby deltalima » January 25th, 2011, 10:31 am

Hi RaoulDuke,

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent
    eMule


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the Open text entry box, please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove" button to uninstall the programs listed above (in red) and any other P2P programs you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two, Three or Four

  • Double click on Rkill.
  • A command window will open, then disappear upon completion; this is normal.
  • A Notepad window will open; please post its contents in your next reply.
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: I've got tons of Trojans

Unread postby RaoulDuke » January 25th, 2011, 4:18 pm

RKILL LOG:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 25/01/2011 at 18.53.24.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Carlo\Dati applicazioni\dwm.exe
C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe
C:\Documents and Settings\Carlo\Dati applicazioni\Microsoft\conhost.exe
C:\Documents and Settings\All Users\Dati applicazioni\cUMFnOImmwEhX.exe
C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR.exe


Rkill completed on 25/01/2011 at 18.53.34.
RaoulDuke
Active Member
 
Posts: 11
Joined: January 22nd, 2011, 3:05 pm

Re: I've got tons of Trojans

Unread postby RaoulDuke » January 25th, 2011, 4:19 pm

OTL LOG:


OTL logfile created on: 25/01/2011 19.00.09 - Run 1
OTL by OldTimer - Version 3.2.20.5 Folder = C:\Documents and Settings\Carlo\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000410 | Country: Italia | Language: ITA | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 86,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmi
Drive C: | 114,49 Gb Total Space | 26,71 Gb Free Space | 23,33% Space Free | Partition Type: NTFS
Drive D: | 189,92 Gb Total Space | 0,57 Gb Free Space | 0,30% Space Free | Partition Type: NTFS

Computer Name: E5300 | User Name: Carlo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Carlo\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Carlo\Dati applicazioni\xvcpuvjsftejqkl3orwl23pgnqdxobdi2\svcnost.exe (Foxit Corporation)
PRC - C:\Documents and Settings\Carlo\Dati applicazioni\dwm.exe ()
PRC - C:\Documents and Settings\Carlo\Impostazioni locali\Temp\csrss.exe ()
PRC - C:\Documents and Settings\All Users\Dati applicazioni\kEyCDTWDyyH.exe ()
PRC - C:\Documents and Settings\All Users\Dati applicazioni\cUMFnOImmwEhX.exe ()
PRC - C:\Documents and Settings\Carlo\Dati applicazioni\Microsoft\conhost.exe ()
PRC - C:\Programmi\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programmi\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Programmi\File comuni\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Programmi\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programmi\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programmi\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
PRC - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe ()
PRC - C:\WINDOWS\system32\WgaTray.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programmi\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Carlo\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll ()
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\SSSensor.dll (Sygate Technologies, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (AMService) -- File not found
SRV - (Apple Mobile Device) -- C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (fsssvc) -- C:\Programmi\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (McComponentHostService) -- C:\Programmi\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (AntiVirService) -- C:\Programmi\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Programmi\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (SeaPort) -- C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
SRV - (SmcService) -- C:\Programmi\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Driver Services (SafeList) ==========

DRV - (cat2b6d) -- C:\WINDOWS\System32\drivers\cat2b6d.sys ()
DRV - (ndisrd) -- C:\WINDOWS\system32\drivers\ndisrd.sys (NT Kernel Resources)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (RkHit) -- C:\WINDOWS\system32\drivers\RKHit.sys ()
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Programmi\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (miniEther) -- C:\WINDOWS\system32\drivers\miniEther.sys (LayerWalker Technology, Inc.)
DRV - (miniSAN) -- C:\WINDOWS\system32\drivers\miniSAN.sys (LayerWalker Technology, Inc.)
DRV - (Navcar) -- C:\WINDOWS\system32\drivers\Navcar.sys (NAVMAN)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (wg6n) -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys (Sygate Technologies, Inc.)
DRV - (wg5n) -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys (Sygate Technologies, Inc.)
DRV - (wg4n) -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys (Sygate Technologies, Inc.)
DRV - (wg3n) -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys (Sygate Technologies, Inc.)
DRV - (wpsdrvnt) -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Sygate Technologies, Inc.)
DRV - (Teefer) -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys (Sygate Technologies, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.it/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\AV, = http://www.altavista.com/sites/search/web?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\FM, = http://www.filemirrors.com/search.src?file=%s
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\GGL, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\MSKB, = http://support.microsoft.com/?kbid=%s
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\MSN, = http://search.msn.com/results.asp?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63636

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\AV, = http://www.altavista.com/sites/search/web?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\FM, = http://www.filemirrors.com/search.src?file=%s
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\GGL, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\MSKB, = http://support.microsoft.com/?kbid=%s
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\MSN, = http://search.msn.com/results.asp?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63636

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\AV, = http://www.altavista.com/sites/search/web?q=%s
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\FM, = http://www.filemirrors.com/search.src?file=%s
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\GGL, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\MSKB, = http://support.microsoft.com/?kbid=%s
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\MSN, = http://search.msn.com/results.asp?q=%s
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\AV, = http://www.altavista.com/sites/search/web?q=%s
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\FM, = http://www.filemirrors.com/search.src?file=%s
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\GGL, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\MSKB, = http://support.microsoft.com/?kbid=%s
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\MSN, = http://search.msn.com/results.asp?q=%s
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home?AF=14542
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL\AV, = http://www.altavista.com/sites/search/web?q=%s
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL\FM, = http://www.filemirrors.com/search.src?file=%s
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL\GGL, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL\MSKB, = http://support.microsoft.com/?kbid=%s
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL\MSN, = http://search.msn.com/results.asp?q=%s
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\..\URLSearchHook: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\..\URLSearchHook: {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-484763869-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56667

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Search"
FF - prefs.js..browser.startup.homepage: "www.google.it"
FF - prefs.js..extensions.enabledItems: {ce18769b-c7fa-42d2-860d-17c4662c70ad}:2.7.2.0
FF - prefs.js..extensions.enabledItems: {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}:3.1.0625
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.1
FF - prefs.js..extensions.enabledItems: {872b5b88-9db5-4310-bdd0-ac189557e5f5}:2.7.2.0
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.11
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.0.11
FF - prefs.js..extensions.enabledItems: {d9284e50-81fc-11da-a72b-0800200c9a66}:7.4.1
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Programmi\Mozilla Firefox\components [2010/12/19 14.23.40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Programmi\Mozilla Firefox\plugins [2010/12/19 14.23.37 | 000,000,000 | ---D | M]

[2010/02/25 04.53.26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Extensions
[2011/01/25 15.09.48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions
[2010/11/17 14.05.25 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2011/01/17 18.43.26 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/10/30 20.28.01 | 000,000,000 | ---D | M] (Stylish) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
[2010/10/11 01.10.42 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/10/30 20.27.47 | 000,000,000 | ---D | M] (DVDVideoSoftTB Toolbar) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
[2010/10/30 20.27.48 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/08/27 21.50.44 | 000,000,000 | ---D | M] (Babylon-English Toolbar) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{ce18769b-c7fa-42d2-860d-17c4662c70ad}
[2010/06/29 06.11.02 | 000,000,000 | ---D | M] ("CoolPreviews") -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
[2010/10/30 20.28.09 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/10/30 20.28.07 | 000,000,000 | ---D | M] (Yoono) -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}
[2010/07/31 13.05.33 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\Carlo\Dati applicazioni\Mozilla\Firefox\Profiles\foi1ahr1.default\searchplugins\conduit.xml
[2010/12/19 14.23.38 | 000,000,000 | ---D | M] (No name found) -- C:\Programmi\Mozilla Firefox\extensions
[2010/02/21 16.27.29 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAMMI\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/08/27 21.50.39 | 000,002,226 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\babylon.xml
[2010/12/03 20.00.54 | 000,000,744 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\eBay-it.xml
[2010/12/03 20.00.54 | 000,000,825 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\hoepli.xml
[2010/12/03 20.00.54 | 000,001,182 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\wikipedia-it.xml
[2010/12/03 20.00.54 | 000,000,953 | ---- | M] () -- C:\Programmi\Mozilla Firefox\searchplugins\yahoo-it.xml

O1 HOSTS File: ([2011/01/15 16.09.42 | 000,001,037 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.8minutedating.com
O1 - Hosts: 127.0.0.1 whysohardx.com
O1 - Hosts: 127.0.0.1 protectyourpc-11.com
O1 - Hosts: 127.0.0.1 checkserverstatux.com
O1 - Hosts: 127.0.0.1 xinmin.cn
O1 - Hosts: 127.0.0.1 xy95.cn
O1 - Hosts: 127.0.0.1 koralda.com
O1 - Hosts: 127.0.0.1 weirden.com
O1 - Hosts: 127.0.0.1 nanocloudcontroller.com
O1 - Hosts: 127.0.0.1 coo0lnet.net
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Programmi\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (DVDVideoSoftTB Toolbar) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll (Conduit Ltd.)
O2 - BHO: (Guida per l'accesso a Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Babylon IE plugin) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O2 - BHO: (Babylon-English Toolbar) - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll (Conduit Ltd.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (DVDVideoSoftTB Toolbar) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Babylon-English Toolbar) - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-484763869-1123561945-725345543-1003\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-484763869-1123561945-725345543-1003\..\Toolbar\WebBrowser: (DVDVideoSoftTB Toolbar) - {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-484763869-1123561945-725345543-1003\..\Toolbar\WebBrowser: (Babylon-English Toolbar) - {CE18769B-C7FA-42D2-860D-17C4662C70AD} - C:\Programmi\Babylon-English\tbBab2.dll (Conduit Ltd.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Programmi\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [conhost] C:\Documents and Settings\Carlo\Dati applicazioni\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Programmi\QuickTime Alternative\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SmcService] C:\Programmi\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programmi\File comuni\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defense] File not found
O4 - HKU\.DEFAULT..\Run: [mssend] File not found
O4 - HKU\S-1-5-18..\Run: [mssend] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [{56087C01-33D0-4EAA-56A6-381F705A4D8F}] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [{7DD02E64-6DD8-9202-2B83-0D36C704B6F3}] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [{DF366355-A3B0-0170-31D6-94CEEA1FD19C}] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [20W6RLKX65] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [3FWHZQA3LT] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [4drvyAgR] C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR.exe ()
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [CE8SIIFGSU] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [cUMFnOImmwEhX.exe] C:\Documents and Settings\All Users\Dati applicazioni\cUMFnOImmwEhX.exe ()
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [DAT39.tmp.exe] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [kEyCDTWDyyH] C:\Documents and Settings\All Users\Dati applicazioni\kEyCDTWDyyH.exe ()
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [mssend] C:\Documents and Settings\Carlo\Dati applicazioni\xvcpuvjsftejqkl3orwl23pgnqdxobdi2\svcnost.exe (Foxit Corporation)
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [TJHTHX1O7X] File not found
O4 - HKU\S-1-5-21-484763869-1123561945-725345543-1003..\Run: [Windows Defense] File not found
O4 - Startup: C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\McAfee Security Scan Plus.lnk = C:\Programmi\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\Carlo\Menu Avvio\Programmi\Esecuzione automatica\RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe ()
F3 - HKU\.DEFAULT WinNT: Load - (C:\WINDOWS\TEMP\csrss.exe) - File not found
F3 - HKU\S-1-5-18 WinNT: Load - (C:\WINDOWS\TEMP\csrss.exe) - File not found
F3 - HKU\S-1-5-21-484763869-1123561945-725345543-1003 WinNT: Load - (C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe) - C:\Documents and Settings\Carlo\Impostazioni locali\Temp\csrss.exe ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-1123561945-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Carlo\Dati applicazioni\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Translate this web page with Babylon - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O8 - Extra context menu item: Translate with Babylon - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra Button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra 'Tools' menuitem : Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programmi\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - ("C:\Documents and Settings\NetworkService\Dati applicazioni\h3elkwkrrqx1ckhyffzgdlrcokfmfmz2\csrss.exe") - C:\Documents and Settings\NetworkService\Dati applicazioni\h3elkwkrrqx1ckhyffzgdlrcokfmfmz2\csrss.exe (Foxit Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Programmi\Windows NT\dwm.exe) - C:\Programmi\Windows NT\dwm.exe ()
O20 - HKU\S-1-5-18 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Programmi\Windows NT\dwm.exe) - C:\Programmi\Windows NT\dwm.exe ()
O20 - HKU\S-1-5-21-484763869-1123561945-725345543-1003 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-484763869-1123561945-725345543-1003 Winlogon: Shell - (C:\Documents and Settings\Carlo\Dati applicazioni\dwm.exe) - C:\Documents and Settings\Carlo\Dati applicazioni\dwm.exe ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\krambst: DllName - krambst.dll - File not found
O20 - Winlogon\Notify\mputreg: DllName - mputreg.dll - File not found
O20 - Winlogon\Notify\reset5c: DllName - reset5c.dll - C:\WINDOWS\System32\reset5c.dll ()
O24 - Desktop Components:0 (Pagina iniziale corrente) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/17 17.58.22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/03/23 19.51.33 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9eb7b453-ea22-11df-90ef-0025220e167c}\Shell - "" = AutoRun
O33 - MountPoints2\{9eb7b453-ea22-11df-90ef-0025220e167c}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/25 18.59.11 | 000,603,136 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Carlo\Desktop\OTL.exe
[2011/01/25 18.53.43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\xvcpuvjsftejqkl3orwl23pgnqdxobdi2
[2011/01/25 00.04.56 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Carlo\Desktop\ATF-Cleaner.exe
[2011/01/25 00.03.04 | 000,684,440 | ---- | C] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\Carlo\Desktop\SpyHunter-Installer.exe
[2011/01/24 23.50.33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Menu Avvio\Programmi\Windows Scan
[2011/01/22 15.50.01 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/01/22 15.38.47 | 000,000,000 | ---D | C] -- C:\Microsoft
[2011/01/21 20.30.11 | 000,000,000 | ---D | C] -- C:\Programmi\Trend Micro
[2011/01/21 20.30.11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Menu Avvio\Programmi\HiJackThis
[2011/01/20 20.04.26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\Wyecu
[2011/01/20 20.04.26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\Pyuw
[2011/01/20 15.34.17 | 000,000,000 | ---D | C] -- C:\Programmi\Prevx
[2011/01/20 15.33.42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dati applicazioni\PrevxCSI
[2011/01/20 15.02.03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Desktop\SpybotSD_Portable_1.6.3.50_MultiLang
[2011/01/20 03.02.21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
[2011/01/20 02.38.47 | 000,000,000 | ---D | C] -- C:\Programmi\TeaTimer (Spybot - Search & Destroy)
[2011/01/20 02.38.47 | 000,000,000 | ---D | C] -- C:\Programmi\SDHelper (Spybot - Search & Destroy)
[2011/01/20 02.38.47 | 000,000,000 | ---D | C] -- C:\Programmi\Misc. Support Library (Spybot - Search & Destroy)
[2011/01/20 02.38.47 | 000,000,000 | ---D | C] -- C:\Programmi\File Scanner Library (Spybot - Search & Destroy)
[2011/01/19 13.51.49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Avvio\Programmi\SpyDig
[2011/01/19 13.51.35 | 000,000,000 | ---D | C] -- C:\Programmi\SpyDig
[2011/01/19 13.46.42 | 031,224,234 | ---- | C] (spydig.com, Inc. ) -- C:\Documents and Settings\Carlo\Desktop\Spydig_Setup.exe
[2011/01/19 01.56.19 | 000,020,480 | ---- | C] (NT Kernel Resources) -- C:\WINDOWS\System32\drivers\ndisrd.sys
[2011/01/18 14.19.18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\xssend2
[2011/01/18 01.45.03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Dati applicazioni\xssend2
[2011/01/18 01.44.59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Dati applicazioni\h3elkwkrrqx1ckhyffzgdlrcokfmfmz2
[2011/01/16 19.03.46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\Icfut
[2011/01/16 17.47.33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Dati applicazioni\Sun
[2011/01/14 20.28.06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\DVDVideoSoftTB
[2011/01/14 20.28.06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Babylon-English
[2011/01/14 20.28.03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Apple
[2011/01/14 13.51.02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Dati applicazioni\Sun
[2011/01/14 00.58.38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\ImgBurn
[2011/01/14 00.15.12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Avvio\Programmi\ImgBurn
[2011/01/14 00.15.11 | 000,000,000 | ---D | C] -- C:\Programmi\ImgBurn
[2011/01/02 01.24.31 | 000,000,000 | ---D | C] -- C:\Programmi\Commandos II
[2011/01/02 01.24.31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Avvio\Programmi\Commandos II
[2011/01/02 00.40.43 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\CyberInstallerUninstallerSystem
[2011/01/02 00.40.37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Avvio\Programmi\Magnaccio Manager
[2011/01/02 00.40.27 | 000,000,000 | ---D | C] -- C:\Programmi\Magnaccio Manager
[2011/01/02 00.40.12 | 000,198,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MCI32.OCX
[2011/01/01 22.42.12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Documenti\Max Payne Savegames
[2011/01/01 21.05.19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\ScummVM
[2011/01/01 20.23.18 | 000,000,000 | ---D | C] -- C:\Programmi\GameSpy Arcade
[2010/12/31 17.40.20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\SynthMaker
[2010/12/31 14.54.43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Desktop\da aggiungere alle varie
[2010/12/27 17.10.22 | 000,000,000 | ---D | C] -- C:\Programmi\ASIO4ALL v2
[2010/12/27 17.10.22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Menu Avvio\Programmi\ASIO4ALL v2
[2010/12/27 16.51.34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Avvio\Programmi\TuneUp Companion
[2010/12/27 16.51.03 | 000,000,000 | ---D | C] -- C:\Programmi\TuneUpMedia
[2010/12/27 16.50.58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\TuneUpMedia
[2010/12/27 16.50.52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dati applicazioni\TuneUpMedia
[2010/12/27 16.50.01 | 000,225,280 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\rewire.dll
[2010/12/27 16.49.59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\OpenCandy
[2010/12/27 16.49.58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Dati applicazioni\OpenCandy
[2010/12/27 16.49.50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Documenti\Image-Line
[2010/12/27 16.48.55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carlo\Menu Avvio\Programmi\Image-Line
[2010/12/27 16.48.54 | 000,000,000 | ---D | C] -- C:\Programmi\VstPlugins
[2010/12/27 16.48.49 | 000,000,000 | ---D | C] -- C:\Programmi\Outsim
[2010/12/27 16.44.56 | 000,000,000 | ---D | C] -- C:\Programmi\Image-Line
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/25 18.59.16 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\f759oi97.exe
[2011/01/25 18.59.10 | 000,603,136 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carlo\Desktop\OTL.exe
[2011/01/25 18.59.00 | 000,001,240 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1123561945-725345543-1003UA.job
[2011/01/25 18.58.58 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\~kEyCDTWDyyH
[2011/01/25 18.58.58 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\~kEyCDTWDyyHr
[2011/01/25 18.57.29 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\kEyCDTWDyyH
[2011/01/25 18.57.28 | 000,426,496 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\ddFCbyTMrPiox.dll
[2011/01/25 18.57.23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/25 18.57.22 | 2137,313,280 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/25 18.49.11 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\~4drvyAgR
[2011/01/25 18.49.11 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\~4drvyAgRr
[2011/01/25 15.16.57 | 000,002,425 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\HiJackThis.lnk
[2011/01/25 13.55.12 | 000,177,664 | ---- | M] () -- C:\Documents and Settings\Carlo\Dati applicazioni\dwm.exe
[2011/01/25 13.54.52 | 000,015,560 | ---- | M] () -- C:\Documents and Settings\Carlo\Dati applicazioni\048E.D16
[2011/01/25 13.53.56 | 000,380,928 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\kEyCDTWDyyH.exe
[2011/01/25 00.38.34 | 000,000,245 | -HS- | M] () -- C:\boot.ini
[2011/01/25 00.06.00 | 000,719,873 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\rkill.com
[2011/01/25 00.04.54 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Carlo\Desktop\ATF-Cleaner.exe
[2011/01/25 00.03.01 | 000,684,440 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\Carlo\Desktop\SpyHunter-Installer.exe
[2011/01/24 23.50.34 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\Windows Scan.lnk
[2011/01/24 23.50.31 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR
[2011/01/24 23.22.33 | 000,380,928 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR.exe
[2011/01/24 23.22.30 | 000,463,872 | ---- | M] () -- C:\Documents and Settings\All Users\Dati applicazioni\cUMFnOImmwEhX.exe
[2011/01/24 03.06.26 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/23 16.41.48 | 005,204,096 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\Big L 98 Freestyle.mp3
[2011/01/23 01.59.00 | 000,001,188 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1123561945-725345543-1003Core.job
[2011/01/22 19.24.09 | 000,114,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/01/22 16.44.01 | 000,076,192 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\casa_bianca.jpg
[2011/01/21 20.29.58 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\HiJackThis.msi
[2011/01/21 20.28.01 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/20 15.51.20 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2011/01/20 02.59.57 | 000,000,095 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/01/20 02.32.36 | 000,000,636 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\spydig.lnk
[2011/01/19 18.10.21 | 000,358,470 | -H-- | M] () -- C:\Documents and Settings\Carlo\Dati applicazioni\rel.exe
[2011/01/19 13.52.24 | 000,000,022 | ---- | M] () -- C:\WINDOWS\tpcsd
[2011/01/19 13.48.25 | 031,224,234 | ---- | M] (spydig.com, Inc. ) -- C:\Documents and Settings\Carlo\Desktop\Spydig_Setup.exe
[2011/01/19 13.27.46 | 000,138,272 | ---- | M] () -- C:\WINDOWS\System32\drivers\cat2b6d.sys
[2011/01/19 04.35.14 | 077,480,579 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\TCF.rar
[2011/01/19 02.37.04 | 000,056,832 | ---- | M] () -- C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/19 01.56.19 | 000,020,480 | ---- | M] (NT Kernel Resources) -- C:\WINDOWS\System32\drivers\ndisrd.sys
[2011/01/18 14.44.39 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2011/01/17 23.57.44 | 000,000,008 | ---- | M] () -- C:\Documents and Settings\Carlo\Dati applicazioni\mdjaw.dat
[2011/01/15 14.31.05 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Carlo\regsvr32
[2011/01/15 14.11.57 | 000,000,202 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/12/27 18.55.18 | 000,009,927 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\Da Bullshit (2.1.1).mp3
[2010/12/27 17.24.41 | 000,098,743 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\Da Bullshit (2.1).mp3
[2010/12/27 16.50.01 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Carlo\Desktop\FL Studio 9.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/25 18.59.18 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\f759oi97.exe
[2011/01/25 18.58.58 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\~kEyCDTWDyyH
[2011/01/25 18.58.58 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\~kEyCDTWDyyHr
[2011/01/25 18.57.29 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\kEyCDTWDyyH
[2011/01/25 13.54.26 | 000,177,664 | ---- | C] () -- C:\Documents and Settings\Carlo\Dati applicazioni\dwm.exe
[2011/01/25 13.53.55 | 000,380,928 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\kEyCDTWDyyH.exe
[2011/01/25 03.27.04 | 2137,313,280 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/25 00.06.00 | 000,719,873 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\rkill.com
[2011/01/24 23.57.45 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\~4drvyAgR
[2011/01/24 23.57.45 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\~4drvyAgRr
[2011/01/24 23.50.34 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\Windows Scan.lnk
[2011/01/24 23.50.31 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR
[2011/01/24 23.22.33 | 000,380,928 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR.exe
[2011/01/24 23.22.31 | 000,426,496 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\ddFCbyTMrPiox.dll
[2011/01/24 23.22.30 | 000,463,872 | ---- | C] () -- C:\Documents and Settings\All Users\Dati applicazioni\cUMFnOImmwEhX.exe
[2011/01/23 16.41.38 | 005,204,096 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\Big L 98 Freestyle.mp3
[2011/01/22 19.24.47 | 000,015,560 | ---- | C] () -- C:\Documents and Settings\Carlo\Dati applicazioni\048E.D16
[2011/01/22 16.42.07 | 000,076,192 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\casa_bianca.jpg
[2011/01/21 20.30.11 | 000,002,425 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\HiJackThis.lnk
[2011/01/21 20.29.59 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\HiJackThis.msi
[2011/01/20 15.51.05 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2011/01/20 02.59.57 | 000,000,095 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/01/19 18.10.19 | 000,358,470 | -H-- | C] () -- C:\Documents and Settings\Carlo\Dati applicazioni\rel.exe
[2011/01/19 13.52.24 | 000,000,022 | ---- | C] () -- C:\WINDOWS\tpcsd
[2011/01/19 13.51.51 | 000,000,636 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\spydig.lnk
[2011/01/19 13.51.39 | 000,029,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\RKHit.sys
[2011/01/19 13.27.46 | 000,138,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\cat2b6d.sys
[2011/01/19 04.30.04 | 077,480,579 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\TCF.rar
[2011/01/18 20.52.53 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Carlo\Dati applicazioni\A07LcmnL0l.txt
[2011/01/17 23.57.35 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Carlo\Dati applicazioni\mdjaw.dat
[2011/01/16 17.52.52 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\reset5c.dll
[2011/01/15 14.30.14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Carlo\regsvr32
[2010/12/27 18.53.30 | 000,009,927 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\Da Bullshit (2.1.1).mp3
[2010/12/27 17.24.40 | 000,098,743 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\Da Bullshit (2.1).mp3
[2010/12/27 16.50.01 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Carlo\Desktop\FL Studio 9.lnk
[2010/09/05 18.28.20 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2010/09/05 18.28.20 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll
[2010/09/05 18.28.19 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/09/05 18.28.19 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/09/05 18.28.18 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2010/06/02 15.19.49 | 000,000,202 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/02 14.26.20 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/02/25 13.05.16 | 000,056,832 | ---- | C] () -- C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/17 19.47.31 | 000,064,968 | ---- | C] () -- C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
[2010/02/17 18.51.04 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/02/17 18.26.21 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4990.dll
[2004/08/10 20.39.04 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll
[2004/07/17 13.36.38 | 000,028,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2002/05/04 14.19.00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\avisynthEx.dll
[2002/04/21 19.30.14 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/04/19 15.23.26 | 000,106,137 | ---- | C] () -- C:\WINDOWS\System32\libpostproc.dll
[2002/04/19 14.51.04 | 000,211,760 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2002/04/01 23.16.30 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll
[2002/04/01 23.16.14 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/04/01 23.15.40 | 000,011,264 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2002/02/21 17.41.20 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2001/06/22 12.06.02 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\MPEG2DEC.dll

< End of report >
RaoulDuke
Active Member
 
Posts: 11
Joined: January 22nd, 2011, 3:05 pm

Re: I've got tons of Trojans

Post by deltalima » January 25th, 2011, 4:36 pm

Please post the GMER log when ready.
deltalima
Admin/Teacher

Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: I've got tons of Trojans

Post by RaoulDuke » January 25th, 2011, 4:55 pm

GMER LOG:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-25 19:15:43
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y120L0 rev.YAR41BW0
Running: f759oi97.exe; Driver: C:\DOCUME~1\Carlo\IMPOST~1\Temp\fxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xA48F0B30]
SSDT 9B1977FE ZwCreateKey
SSDT 9B1977F4 ZwCreateThread
SSDT 9B197803 ZwDeleteKey
SSDT 9B19780D ZwDeleteValueKey
SSDT 9B197812 ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xA48F0470]
SSDT 9B1977E0 ZwOpenProcess
SSDT 9B1977E5 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xA48F0C50]
SSDT 9B19781C ZwReplaceKey
SSDT 9B197817 ZwRestoreKey
SSDT 9B197808 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xA48F0990]
SSDT 9B1977EF ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xA48F0D60]

---- Kernel code sections - GMER 1.0.15 ----

.text tcpip.sys!IPTransmit + 10BC A12BBCFA 6 Bytes CALL F740FCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2810 A12BD44E 6 Bytes CALL F740FCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!ARPRcv + 506D A12C24E0 6 Bytes CALL F740FCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys A1C453FD 7 Bytes CALL F740FE30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtCreateFile 7C91D682 5 Bytes JMP 10002150 C:\Documents and Settings\All Users\Dati applicazioni\ddFCbyTMrPiox.dll
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtOpenFile 7C91DCFD 5 Bytes JMP 100023A0 C:\Documents and Settings\All Users\Dati applicazioni\ddFCbyTMrPiox.dll
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtProtectVirtualMemory 7C91DEB6 5 Bytes JMP 00D3000A
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!KiUserExceptionDispatcher 7C91EAEC 5 Bytes JMP 00D2000C
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtProtectVirtualMemory 7C91DEB6 5 Bytes JMP 00AB000A
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 00AC000A
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!KiUserExceptionDispatcher 7C91EAEC 5 Bytes JMP 00AA000C
.text C:\WINDOWS\System32\svchost.exe[1556] ole32.dll!CoCreateInstance 774CFAC3 5 Bytes JMP 00B6000A
? C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe[1608] number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dllunknown module: RASAPI32.dll
.crt C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe[1608] C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe unknown last section [0x0042D000, 0x35000, 0x40000040]
.text C:\WINDOWS\system32\WgaTray.exe[2116] WININET.dll!InternetErrorDlg 7723AE53 5 Bytes JMP 0101211B C:\WINDOWS\system32\WgaTray.exe (Windows Genuine Advantage Notification/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7410AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7410A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7410760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7410760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7410A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7410AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7410760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7410A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7410AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7410760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7410AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7410A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7410970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7410AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7410A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7410760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7410760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7410A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7410AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7410760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7410AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7410A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89B2B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89B2B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89B2B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89B2B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 89B2B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-17 89B2B39B
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskMaxtor_6Y120L0__________________________YAR41BW0#335956334d33454b202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Threads - GMER 1.0.15 ----

Thread System [4:944] A1193470

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
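An added example, not part of the thread and not a GMER feature: a small Python triage script for the hook entries in a GMER 1.0.15 log such as the one above. GMER appends a module path to a hook when the jump target lies inside a file-backed module, plus a "(description/vendor)" tag when that file carries version information. Entries with no module at all, or whose module has no version information and sits under a user profile, are the ones a helper reads first. On the lines above, the two Explorer hooks into ddFCbyTMrPiox.dll (a file in All Users\Dati applicazioni with no vendor tag) sort to the top, the Sygate SSDT hook is attributed, and WgaTray patching its own WININET import is a program hooking itself. The sample lines are copied from the log above; the rating names, the review ordering and the profile-directory list are this example's own assumptions, and an "unresolved" target is not by itself a verdict, since HIPS and anti-virus products also patch ntdll from memory that no file backs.

```python
"""Triage of the hook entries in a GMER 1.0.15 log (added example).

GMER reports each hook as: the hooked function, the patched bytes, and the address
control is transferred to.  When that address falls inside a file-backed module,
GMER appends the module path and, if the file has version information, a
"(description/vendor)" tag.  The ratings below only order entries for manual
review; none of them is a verdict on its own.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the GMER log posted in the thread.
SAMPLE_LOG = r"""
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xA48F0B30]
SSDT 9B1977FE ZwCreateKey
SSDT 9B1977E0 ZwOpenProcess
.text tcpip.sys!IPTransmit + 10BC A12BBCFA 6 Bytes CALL F740FCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtCreateFile 7C91D682 5 Bytes JMP 10002150 C:\Documents and Settings\All Users\Dati applicazioni\ddFCbyTMrPiox.dll
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtOpenFile 7C91DCFD 5 Bytes JMP 100023A0 C:\Documents and Settings\All Users\Dati applicazioni\ddFCbyTMrPiox.dll
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtProtectVirtualMemory 7C91DEB6 5 Bytes JMP 00D3000A
.text C:\WINDOWS\System32\svchost.exe[1556] ole32.dll!CoCreateInstance 774CFAC3 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\WgaTray.exe[2116] WININET.dll!InternetErrorDlg 7723AE53 5 Bytes JMP 0101211B C:\WINDOWS\system32\WgaTray.exe (Windows Genuine Advantage Notification/Microsoft Corporation)
"""

# User-mode inline hook:
# ".text <process>[<pid>] <dll>!<func> <addr> <n> Bytes JMP|CALL <target> [<module> [(desc/vendor)]]"
USER_HOOK = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<api>\S+)\s+[0-9A-F]+\s+\d+\s+Bytes\s+"
    r"(?:JMP|CALL)\s+(?P<target>[0-9A-F]+)(?:\s+(?P<module>.+))?$"
)
# Optional "(description/vendor)" tag GMER appends after a module path.
MODULE_TAG = re.compile(r"^(?P<path>.+?)(?:\s+\((?P<desc>[^()]*)\))?$")
# SSDT entries: resolved to a driver (tag plus bracketed address) or a bare address.
SSDT_RESOLVED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^()]*)\)\s+(?P<api>\w+)\s+\[(?P<target>0x[0-9A-F]+)\]$"
)
SSDT_BARE = re.compile(r"^SSDT\s+(?P<target>[0-9A-F]+)\s+(?P<api>\w+)$")

# Assumed list of directories where a hook target module deserves a closer look.
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\", "\\temp\\")

def in_profile_dir(path):
    return path is not None and any(d in path.lower() for d in PROFILE_DIRS)

def rate(process, module_path, desc):
    """Rating of one hook; lower-trust ratings are listed first by review_order()."""
    if module_path is None:
        return "unresolved"    # target is memory with no backing file
    if module_path.lower() == process.lower():
        return "self"          # the program patches its own imports
    if desc:
        return "attributed"    # GMER found version info naming the owner
    return "unattributed"      # a real file, but nothing identifies it

def parse_line(line):
    """Parse one GMER line into a dict, or return None for lines not triaged here."""
    m = USER_HOOK.match(line)
    if m:
        path = desc = None
        if m.group("module"):
            tag = MODULE_TAG.match(m.group("module"))
            path, desc = tag.group("path"), tag.group("desc")
        return {"section": "user", "process": m.group("process"), "pid": int(m.group("pid")),
                "api": m.group("api"), "target": m.group("target"), "module": path, "desc": desc,
                "profile_path": in_profile_dir(path), "rating": rate(m.group("process"), path, desc)}
    m = SSDT_RESOLVED.match(line)
    if m:
        return {"section": "ssdt", "process": "kernel", "pid": None, "api": m.group("api"),
                "target": m.group("target"), "module": m.group("module"), "desc": m.group("desc"),
                "profile_path": False, "rating": "attributed"}
    m = SSDT_BARE.match(line)
    if m:
        return {"section": "ssdt", "process": "kernel", "pid": None, "api": m.group("api"),
                "target": m.group("target"), "module": None, "desc": None,
                "profile_path": False, "rating": "unresolved"}
    return None

def triage(text):
    """All hook entries found in a GMER log body."""
    return [e for e in (parse_line(l.strip()) for l in text.splitlines()) if e]

PRIORITY = {"unattributed": 0, "unresolved": 1, "self": 2, "attributed": 3}

def review_order(entries):
    """Entries sorted so that the ones deserving manual inspection come first."""
    return sorted(entries, key=lambda e: (PRIORITY[e["rating"]], not e["profile_path"]))

def summary(entries):
    return Counter(e["rating"] for e in entries)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in review_order(found):
        print(f"{e['rating']:12} {e['process']:36} {e['api']:30} -> {e['module'] or e['target']}")
    print(dict(summary(found)))
```

Kernel code-section lines ("tcpip.sys!IPTransmit + 10BC ...") use a different layout and are deliberately skipped here; the script is meant for the SSDT and user-mode sections, where the question "which file owns the code we jump into?" is what a helper needs answered first.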

Re: I've got tons of Trojans

Post by RaoulDuke » January 25th, 2011, 4:57 pm

But I don't manage to post the OTL extras log.

Re: I've got tons of Trojans

Post by deltalima » January 25th, 2011, 5:05 pm

Hi RaoulDuke,

Run RKill

Malwarebytes Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe, then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Re: I've got tons of Trojans

Post by RaoulDuke » January 27th, 2011, 9:16 pm

I'm not writing from my PC because it can't connect to the internet. It says that there's a proxy problem; I don't know how to solve it.
I got the MBAM log on it. It said that it removed the malware, but now if I start my PC in normal mode, I can't see the desktop.
It starts only in temporary mode.
What do you suggest? Is it time to reinstall Windows?

Re: I've got tons of Trojans

Post by deltalima » January 28th, 2011, 5:24 am

Hi RaoulDuke,

RaoulDuke wrote:
I got the MBAM log on it. It said that it removed the malware, but now if I start my PC in normal mode, I can't see the desktop.
It starts only in temporary mode.

I need to see the log of what MBAM removed.

Please use a USB memory stick to copy the log from the infected computer.

Retrieve Malwarebytes Anti-Malware (MBAM) Log(s)
When there is a need to see a scan log from a previous run of MBAM, please do the following:
  1. Start MBAM... click the Logs tab at the top.
    The log will be named by the date & time of scan in the following format: mbam-log-yyyy-mm-dd (time).txt
    If you have had multiple runs of MBAM, there may be several logs showing in the list.
  2. Click on the last (most recent) log name to highlight it... then click the Open button, at bottom left. The log should open in Notepad as a text file.
  3. Please copy and paste the entire mbam-log-yyyy-mm-dd (time).txt file in your next reply.
    Be sure to post the complete log... including the top portion showing MBAM's database version and your operating system.
  4. Exit MBAM when done.
Note: MBAM logs are saved to the following locations:
XP - ?:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Also, please run a new scan with HijackThis and post the log.

RaoulDuke wrote:
What do you suggest? Is it time to reinstall Windows?

Possibly, let's see the logs first to see what is going on.

Re: I've got tons of Trojans

Post by RaoulDuke » January 28th, 2011, 3:55 pm

OK, I'll try to do what you said.

Re: I've got tons of Trojans

Post by RaoulDuke » January 28th, 2011, 4:07 pm

Here they are (they were both made in temporary mode).


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21.04.52, on 28/01/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home?AF=14542
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56667
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll
R3 - URLSearchHook: Babylon-English Toolbar - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Programmi\ConduitEngine\ConduitEngine.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: Babylon-English Toolbar - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programmi\DVDVideoSoftTB\tbDVD2.dll
O3 - Toolbar: Babylon-English Toolbar - {ce18769b-c7fa-42d2-860d-17c4662c70ad} - C:\Programmi\Babylon-English\tbBab2.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defense] C:\Documents and Settings\Carlo\Dati applicazioni\0DMxsGfsG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Defense] C:\Documents and Settings\Carlo\Dati applicazioni\0DMxsGfsG.exe
O4 - HKCU\..\Run: [cUMFnOImmwEhX.exe] C:\Documents and Settings\All Users\Dati applicazioni\cUMFnOImmwEhX.exe
O4 - HKCU\..\Run: [4drvyAgR] C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR.exe
O4 - HKCU\..\Run: [kEyCDTWDyyH] C:\Documents and Settings\All Users\Dati applicazioni\kEyCDTWDyyH.exe
O4 - HKCU\..\Run: [Treetab] C:\Documents and Settings\Carlo\Dati applicazioni\Newtab\wmireal.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Carlo\Dati applicazioni\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/
O17 - HKLM\System\CCS\Services\Tcpip\..\{D13B7190-19AD-4FF9-8B85-16ED3825F504}: NameServer = 192.168.2.1
O20 - Winlogon Notify: krambst - krambst.dll (file missing)
O20 - Winlogon Notify: mputreg - mputreg.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\rimr\setup.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Programmi\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe

--
End of file - 9034 bytes




-------------------------------------------------------------------------------------------

MBAM LOG:

Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Database version: 5610

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.11

26/01/2011 18.40.54
mbam-log-2011-01-26 (18-40-54).txt

Scan type: Quick scan
Objects scanned: 146698
Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 14
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cat2b6d (BackDoor.Gootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RkHit (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\20W6RLKX65 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CE8SIIFGSU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TJHTHX1O7X (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5c (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srenum (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Downloader) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Value: load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20W6RLKX65 (Trojan.FakeAlert) -> Value: 20W6RLKX65 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3FWHZQA3LT (Trojan.FakeAlert) -> Value: 3FWHZQA3LT -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DAT39.tmp.exe (Trojan.FakeAlert) -> Value: DAT39.tmp.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssend (Trojan.Agent) -> Value: mssend -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU (Trojan.FakeAlert) -> Value: CE8SIIFGSU -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TJHTHX1O7X (Trojan.FakeAlert) -> Value: TJHTHX1O7X -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7DD02E64-6DD8-9202-2B83-0D36C704B6F3} (Trojan.ZbotR.Gen) -> Value: {7DD02E64-6DD8-9202-2B83-0D36C704B6F3} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{DF366355-A3B0-0170-31D6-94CEEA1FD19C} (Trojan.ZbotR.Gen) -> Value: {DF366355-A3B0-0170-31D6-94CEEA1FD19C} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{56087C01-33D0-4EAA-56A6-381F705A4D8F} (Trojan.ZbotR.Gen) -> Value: {56087C01-33D0-4EAA-56A6-381F705A4D8F} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Value: bk -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Value: UID -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Downloader) -> Bad: (C:\DOCUME~1\Carlo\IMPOST~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe "C:\Documents and Settings\NetworkService\Dati applicazioni\h3elkwkrrqx1ckhyffzgdlrcokfmfmz2\csrss.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
c:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Carlo\dati applicazioni\microsoft\conhost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Carlo\impostazioni locali\Temp\csrss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\cat2b6d.sys (BackDoor.Gootkit) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\RKHit.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\all users\dati applicazioni\ddfcbytmrpiox.dll.bak (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\Carlo\dati applicazioni\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\programmi\internet explorer\conhost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\programmi\windows nt\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-484763869-1123561945-725345543-1003\Dc1.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-484763869-1123561945-725345543-1003\Dc2.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-484763869-1123561945-725345543-1003\Dc8.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\Carlo\impostazioni locali\Temp\1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Carlo\dati applicazioni\mdjaw.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Carlo\dati applicazioni\xvcpuvjsftejqkl3orwl23pgnqdxobdi2\svcnost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
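An added example, not a tool from the thread: Python checks that apply, over HijackThis lines like those in the log above, the rules a helper applies by eye. The R1 ProxyServer entry (http=127.0.0.1:56667) sends all Internet Explorer traffic to a listener on the machine itself, which is consistent with the "proxy problem" reported once the malware had been removed and nothing listened on that port any more; the O4 entries launching randomly named executables from Dati applicazioni are autoruns from a profile directory; the O20/O23 "(file missing)" and O2 "(no file)" entries are orphans left behind by a removal. The sample lines are copied from the log above. The profile-directory list, the rating names and the small allowlist of per-user programs (Google Update legitimately installs under the local profile) are this example's own assumptions, and the allowlist is there to show why the profile-path rule produces items for review rather than for automatic deletion.

```python
"""Persistence-point checks over HijackThis log lines (added example).

HijackThis prints one finding per line, prefixed with a section code (R1, O4, O20...).
The rules below are the ones a helper applies by eye:

  R1          ProxyServer pointing at the loopback interface: browser traffic is
              forced through a listener on the infected machine itself.
  F2          UserInit anything other than the stock "userinit.exe,".
  O4          Run entries whose executable lives in a profile or temp directory.
  O2/O20/O23  entries whose file is gone ("(no file)", "(file missing)"): orphans
              left behind by a removal, harmless but worth cleaning up.
"""
import ipaddress
import re

HJT_ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Path of the launched program in an O4 body: 'HKCU\..\Run: [Name] "C:\dir\prog.exe" /flag'
RUN_TARGET = re.compile(r'\]\s+"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|com|scr|bat))', re.I)
# Assumed list of directories from which an autorun deserves a closer look.
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\recycler\\")
STOCK_USERINIT = ("userinit.exe,", "c:\\windows\\system32\\userinit.exe,")
# Constructed allowlist: per-user software that legitimately installs under the profile.
KNOWN_PROFILE_PROGRAMS = ("\\google\\update\\googleupdate.exe",)

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56667
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows Defense] C:\Documents and Settings\Carlo\Dati applicazioni\0DMxsGfsG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Carlo\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [4drvyAgR] C:\Documents and Settings\All Users\Dati applicazioni\4drvyAgR.exe
O20 - Winlogon Notify: krambst - krambst.dll (file missing)
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\rimr\setup.exe (file missing)
"""

def loopback_proxy(value):
    """True if any host in an IE ProxyServer value ('http=127.0.0.1:56667;https=...') is loopback."""
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host.lower() == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:      # a hostname rather than an address
            continue
    return False

def check(line):
    """(rating, reason) for one HijackThis line, or None when no rule applies."""
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    if code == "R1" and "proxyserver" in low:
        value = body.split("=", 1)[1].strip()
        if loopback_proxy(value):
            return ("suspicious", f"browser proxy forced through a local listener: {value}")
    if code == "F2" and "userinit=" in low:
        value = re.split(r"userinit=", body, maxsplit=1, flags=re.I)[1].strip()
        if value.lower() not in STOCK_USERINIT:
            return ("suspicious", f"UserInit altered: {value}")
    if code == "O4":
        t = RUN_TARGET.search(body)
        path = t.group("path").lower() if t else ""   # bare names like RTHDCPL.EXE are not resolved
        if any(d in path for d in PROFILE_DIRS):
            if any(k in path for k in KNOWN_PROFILE_PROGRAMS):
                return ("known", f"per-user installer running from the profile: {path}")
            return ("suspicious", f"autorun from a profile or temp directory: {path}")
    if code in ("O2", "O20", "O23") and ("(no file)" in low or "(file missing)" in low):
        return ("orphan", f"{code} entry whose file no longer exists: {body}")
    return None

def scan(text):
    """[(rating, line, reason)] for every line a rule fires on."""
    results = []
    for line in text.splitlines():
        hit = check(line)
        if hit:
            results.append((hit[0], line.strip(), hit[1]))
    return results

if __name__ == "__main__":
    for rating, _, reason in scan(SAMPLE_HJT):
        print(f"[{rating:10}] {reason}")
```

The proxy rule is the one worth keeping in mind after any removal: the malware's local proxy process is gone, but the ProxyServer value it wrote survives, so the browser keeps trying to reach a port nobody listens on until the setting is cleared (Internet Options, Connections, LAN settings) or the registry value is deleted.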