New pc, new malware

Post by durden83 » October 17th, 2012, 6:28 am

Hi,
It's me again. By now I'm like a resident here.
1) I noticed some problems in copying and pasting contents from one document to another. It's as if the content is altered in the process.
2) Sometimes the browser does not respond correctly. When I google something, it sometimes doesn't work.
3) Some Word documents keep scrolling up and down without my giving any commands.
4) The antivirus scan checks some directory that I can't find.
5) The "select all" command in Notepad doesn't seem to have a correct keyboard shortcut. The current one is "ctrl+5 (Tn)". I don't know if it's normal, or what that (Tn) means.

This is my DDS log:

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Daniele at 12:15:32 on 2012-10-17
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1012.478 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Programmi\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\IDT\WDM\STacSV.exe
C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] c:\programmi\idt\wdm\sttray.exe
mRun: [AESTFltr] c:\windows\system32\AESTFltr.exe /NoDlg
mRun: [Adobe ARM] "c:\programmi\file comuni\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\programmi\microsoft security client\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\fileco~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{EBF54F30-80F5-4CE9-A797-F4B50AFF0A85} : DHCPNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\programmi\file comuni\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\daniele\dati applicazioni\mozilla\firefox\profiles\djyplvud.default\
FF - plugin: c:\programmi\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
R1 MpKsl6143fc87;MpKsl6143fc87;c:\documents and settings\all users.windows\dati applicazioni\microsoft\microsoft antimalware\definition updates\{e88d02e8-53a7-45d1-8a87-ea1ffe232fc0}\MpKsl6143fc87.sys [2012-10-17 29904]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users.windows\dati applicazioni\skype\toolbars\skype c2c service\c2c_service.exe [2012-5-30 3048136]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-11-10 113664]
S2 SkypeUpdate;Skype Updater;c:\programmi\skype\updater\Updater.exe [2012-7-3 160944]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2012-10-17 07:00:44 56200 ----a-w- c:\documents and settings\all users.windows\dati applicazioni\microsoft\microsoft antimalware\definition updates\{e88d02e8-53a7-45d1-8a87-ea1ffe232fc0}\offreg.dll
2012-10-17 07:00:44 29904 ----a-w- c:\documents and settings\all users.windows\dati applicazioni\microsoft\microsoft antimalware\definition updates\{e88d02e8-53a7-45d1-8a87-ea1ffe232fc0}\MpKsl6143fc87.sys
2012-10-16 21:52:19 -------- d-----w- c:\programmi\StarCraft II
2012-10-16 21:52:19 -------- d-----w- c:\programmi\file comuni\Blizzard Entertainment
2012-10-16 21:52:19 -------- d-----w- c:\documents and settings\all users.windows\dati applicazioni\Blizzard Entertainment
2012-10-16 21:48:17 -------- d-----w- c:\documents and settings\all users.windows\dati applicazioni\Battle.net
2012-10-16 13:08:30 6980552 ----a-w- c:\documents and settings\all users.windows\dati applicazioni\microsoft\microsoft antimalware\definition updates\{e88d02e8-53a7-45d1-8a87-ea1ffe232fc0}\mpengine.dll
2012-10-15 23:06:20 -------- d-----w- c:\documents and settings\daniele\impostazioni locali\dati applicazioni\Temp
2012-10-15 23:06:20 -------- d-----w- c:\documents and settings\daniele\impostazioni locali\dati applicazioni\Adobe
2012-10-15 01:49:11 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-15 00:49:23 -------- d-----w- c:\documents and settings\daniele\impostazioni locali\dati applicazioni\Mozilla
2012-10-15 00:45:28 -------- d-----w- C:\1352d373aa70aebdd3c64353
2012-10-15 00:28:06 6980552 ----a-w- c:\documents and settings\all users.windows\dati applicazioni\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2012-10-15 01:49:11 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-30 20:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:05:06 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:05:04 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:05:04 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53:53 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-23 06:27:05 2152448 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-23 06:27:04 2031104 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 12.16.18,17 ===============

The Attach log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-14.05)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 09/11/2011 22.44.59
System Uptime: 17/10/2012 10.31.01 (2 hours ago)
.
Motherboard: Hewlett-Packard | | 1584
Processor: Intel(R) Atom(TM) CPU N455 @ 1.66GHz | CPU | 1662/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 214 GiB total, 158,191 GiB free.
E: is FIXED (NTFS) - 19 GiB total, 2,693 GiB free.
F: is FIXED (FAT32) - 0 GiB total, 0,089 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek PCIe FE Family Controller
Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_1584103C&REV_05\4&2F707902&0&00E3
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek PCIe FE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_1584103C&REV_05\4&2F707902&0&00E3
Service: RTLE8023xp
.
==== System Restore Points ===================
.
RP125: 24/07/2012 12.14.32 - Software Distribution Service 3.0
RP126: 24/07/2012 12.23.20 - Software Distribution Service 3.0
RP127: 25/07/2012 22.09.44 - Software Distribution Service 3.0
RP128: 30/07/2012 9.50.24 - Software Distribution Service 3.0
RP129: 30/08/2012 22.26.19 - Software Distribution Service 3.0
RP130: 01/09/2012 13.05.12 - Software Distribution Service 3.0
RP131: 01/09/2012 13.16.21 - Software Distribution Service 3.0
RP132: 02/09/2012 22.43.36 - Software Distribution Service 3.0
RP133: 04/09/2012 22.19.00 - Software Distribution Service 3.0
RP134: 06/09/2012 21.27.53 - Software Distribution Service 3.0
RP135: 07/09/2012 23.22.33 - Software Distribution Service 3.0
RP136: 13/09/2012 21.47.55 - Software Distribution Service 3.0
RP137: 17/09/2012 22.45.00 - Software Distribution Service 3.0
RP138: 17/09/2012 22.55.14 - Software Distribution Service 3.0
RP139: 25/09/2012 22.36.03 - Software Distribution Service 3.0
RP140: 26/09/2012 16.46.12 - Software Distribution Service 3.0
RP141: 27/09/2012 16.17.21 - Software Distribution Service 3.0
RP142: 01/10/2012 12.18.13 - Software Distribution Service 3.0
RP143: 04/10/2012 1.03.30 - Software Distribution Service 3.0
RP144: 04/10/2012 1.15.39 - Software Distribution Service 3.0
RP145: 15/10/2012 2.28.00 - Software Distribution Service 3.0
RP146: 15/10/2012 2.44.39 - Software Distribution Service 3.0
RP147: 15/10/2012 3.00.17 - Software Distribution Service 3.0
RP148: 16/10/2012 15.08.26 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4) - Italiano
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2510531)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2544521)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2586448)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2618444)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2647516)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2675157)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2699988)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2722913)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB2744842)
Aggiornamento della protezione per Windows Internet Explorer 8 (KB982381)
Aggiornamento della protezione per Windows Media Player (KB2378111)
Aggiornamento della protezione per Windows Media Player (KB952069)
Aggiornamento della protezione per Windows Media Player (KB954155)
Aggiornamento della protezione per Windows Media Player (KB973540)
Aggiornamento della protezione per Windows Media Player (KB975558)
Aggiornamento della protezione per Windows Media Player (KB978695)
Aggiornamento della protezione per Windows XP (KB2079403)
Aggiornamento della protezione per Windows XP (KB2115168)
Aggiornamento della protezione per Windows XP (KB2229593)
Aggiornamento della protezione per Windows XP (KB2296011)
Aggiornamento della protezione per Windows XP (KB2347290)
Aggiornamento della protezione per Windows XP (KB2360937)
Aggiornamento della protezione per Windows XP (KB2387149)
Aggiornamento della protezione per Windows XP (KB2393802)
Aggiornamento della protezione per Windows XP (KB2412687)
Aggiornamento della protezione per Windows XP (KB2419632)
Aggiornamento della protezione per Windows XP (KB2423089)
Aggiornamento della protezione per Windows XP (KB2440591)
Aggiornamento della protezione per Windows XP (KB2443105)
Aggiornamento della protezione per Windows XP (KB2476490)
Aggiornamento della protezione per Windows XP (KB2478960)
Aggiornamento della protezione per Windows XP (KB2478971)
Aggiornamento della protezione per Windows XP (KB2479943)
Aggiornamento della protezione per Windows XP (KB2481109)
Aggiornamento della protezione per Windows XP (KB2483185)
Aggiornamento della protezione per Windows XP (KB2485663)
Aggiornamento della protezione per Windows XP (KB2506212)
Aggiornamento della protezione per Windows XP (KB2507618)
Aggiornamento della protezione per Windows XP (KB2507938)
Aggiornamento della protezione per Windows XP (KB2508429)
Aggiornamento della protezione per Windows XP (KB2509553)
Aggiornamento della protezione per Windows XP (KB2510581)
Aggiornamento della protezione per Windows XP (KB2535512)
Aggiornamento della protezione per Windows XP (KB2536276-v2)
Aggiornamento della protezione per Windows XP (KB2544521)
Aggiornamento della protezione per Windows XP (KB2544893-v2)
Aggiornamento della protezione per Windows XP (KB2562937)
Aggiornamento della protezione per Windows XP (KB2566454)
Aggiornamento della protezione per Windows XP (KB2567053)
Aggiornamento della protezione per Windows XP (KB2567680)
Aggiornamento della protezione per Windows XP (KB2570222)
Aggiornamento della protezione per Windows XP (KB2570947)
Aggiornamento della protezione per Windows XP (KB2584146)
Aggiornamento della protezione per Windows XP (KB2585542)
Aggiornamento della protezione per Windows XP (KB2586448)
Aggiornamento della protezione per Windows XP (KB2592799)
Aggiornamento della protezione per Windows XP (KB2598479)
Aggiornamento della protezione per Windows XP (KB2603381)
Aggiornamento della protezione per Windows XP (KB2618451)
Aggiornamento della protezione per Windows XP (KB2619339)
Aggiornamento della protezione per Windows XP (KB2620712)
Aggiornamento della protezione per Windows XP (KB2621440)
Aggiornamento della protezione per Windows XP (KB2624667)
Aggiornamento della protezione per Windows XP (KB2631813)
Aggiornamento della protezione per Windows XP (KB2633171)
Aggiornamento della protezione per Windows XP (KB2639417)
Aggiornamento della protezione per Windows XP (KB2641653)
Aggiornamento della protezione per Windows XP (KB2646524)
Aggiornamento della protezione per Windows XP (KB2647518)
Aggiornamento della protezione per Windows XP (KB2653956)
Aggiornamento della protezione per Windows XP (KB2655992)
Aggiornamento della protezione per Windows XP (KB2659262)
Aggiornamento della protezione per Windows XP (KB2660465)
Aggiornamento della protezione per Windows XP (KB2661637)
Aggiornamento della protezione per Windows XP (KB2676562)
Aggiornamento della protezione per Windows XP (KB2685939)
Aggiornamento della protezione per Windows XP (KB2686509)
Aggiornamento della protezione per Windows XP (KB2691442)
Aggiornamento della protezione per Windows XP (KB2695962)
Aggiornamento della protezione per Windows XP (KB2698365)
Aggiornamento della protezione per Windows XP (KB2705219)
Aggiornamento della protezione per Windows XP (KB2707511)
Aggiornamento della protezione per Windows XP (KB2709162)
Aggiornamento della protezione per Windows XP (KB2712808)
Aggiornamento della protezione per Windows XP (KB2718523)
Aggiornamento della protezione per Windows XP (KB2719985)
Aggiornamento della protezione per Windows XP (KB2723135)
Aggiornamento della protezione per Windows XP (KB2724197)
Aggiornamento della protezione per Windows XP (KB2731847)
Aggiornamento della protezione per Windows XP (KB923561)
Aggiornamento della protezione per Windows XP (KB923789)
Aggiornamento della protezione per Windows XP (KB946648)
Aggiornamento della protezione per Windows XP (KB950762)
Aggiornamento della protezione per Windows XP (KB950974)
Aggiornamento della protezione per Windows XP (KB951376-v2)
Aggiornamento della protezione per Windows XP (KB952004)
Aggiornamento della protezione per Windows XP (KB952954)
Aggiornamento della protezione per Windows XP (KB956572)
Aggiornamento della protezione per Windows XP (KB956744)
Aggiornamento della protezione per Windows XP (KB956802)
Aggiornamento della protezione per Windows XP (KB956844)
Aggiornamento della protezione per Windows XP (KB958644)
Aggiornamento della protezione per Windows XP (KB959426)
Aggiornamento della protezione per Windows XP (KB960803)
Aggiornamento della protezione per Windows XP (KB960859)
Aggiornamento della protezione per Windows XP (KB961501)
Aggiornamento della protezione per Windows XP (KB969059)
Aggiornamento della protezione per Windows XP (KB970430)
Aggiornamento della protezione per Windows XP (KB971657)
Aggiornamento della protezione per Windows XP (KB972270)
Aggiornamento della protezione per Windows XP (KB973507)
Aggiornamento della protezione per Windows XP (KB973869)
Aggiornamento della protezione per Windows XP (KB973904)
Aggiornamento della protezione per Windows XP (KB974112)
Aggiornamento della protezione per Windows XP (KB974318)
Aggiornamento della protezione per Windows XP (KB974392)
Aggiornamento della protezione per Windows XP (KB974571)
Aggiornamento della protezione per Windows XP (KB975025)
Aggiornamento della protezione per Windows XP (KB975467)
Aggiornamento della protezione per Windows XP (KB975560)
Aggiornamento della protezione per Windows XP (KB975562)
Aggiornamento della protezione per Windows XP (KB975713)
Aggiornamento della protezione per Windows XP (KB977816)
Aggiornamento della protezione per Windows XP (KB977914)
Aggiornamento della protezione per Windows XP (KB978338)
Aggiornamento della protezione per Windows XP (KB978542)
Aggiornamento della protezione per Windows XP (KB978601)
Aggiornamento della protezione per Windows XP (KB978706)
Aggiornamento della protezione per Windows XP (KB979309)
Aggiornamento della protezione per Windows XP (KB979482)
Aggiornamento della protezione per Windows XP (KB979687)
Aggiornamento della protezione per Windows XP (KB980436)
Aggiornamento della protezione per Windows XP (KB981322)
Aggiornamento della protezione per Windows XP (KB981997)
Aggiornamento della protezione per Windows XP (KB982132)
Aggiornamento della protezione per Windows XP (KB982665)
Aggiornamento della sicurezza per Microsoft Windows (KB2564958)
Aggiornamento per Windows Internet Explorer 8 (KB2598845)
Aggiornamento per Windows XP (KB2345886)
Aggiornamento per Windows XP (KB2467659)
Aggiornamento per Windows XP (KB2541763)
Aggiornamento per Windows XP (KB2616676-v2)
Aggiornamento per Windows XP (KB2641690)
Aggiornamento per Windows XP (KB2661254-v2)
Aggiornamento per Windows XP (KB2718704)
Aggiornamento per Windows XP (KB2736233)
Aggiornamento per Windows XP (KB2749655)
Aggiornamento per Windows XP (KB898461)
Aggiornamento per Windows XP (KB951978)
Aggiornamento per Windows XP (KB955759)
Aggiornamento per Windows XP (KB968389)
Aggiornamento per Windows XP (KB971029)
Aggiornamento per Windows XP (KB971737)
Aggiornamento per Windows XP (KB973687)
Aggiornamento per Windows XP (KB973815)
Aggiornamento rapido per Windows XP (KB2570791)
Aggiornamento rapido per Windows XP (KB2633952)
Aggiornamento rapido per Windows XP (KB2756822)
Aggiornamento rapido per Windows XP (KB942288-v3)
Aggiornamento rapido per Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
HP Product Detection
IDT Audio
IncrediMail
IncrediMail 2.0
Intel(R) Graphics Media Accelerator Driver
K-Lite Codec Pack 5.9.0 (Full)
Microsoft Antimalware Service IT-IT Language Pack
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Client IT-IT Language Pack
Microsoft Security Essentials
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 8.0 (x86 it)
Pacchetto di compatibilità per Office System 2007
Photo Notifier and Animation Creator
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Scheda LAN wireless Broadcom 802.11
Skype Click to Call
Skype™ 5.10
StarCraft II
Synaptics Pointing Device Driver
USB2.0 Card Reader Software
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
.
==== End Of File ===========================
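As an added example that is not part of the thread or of the DDS tool itself: a small Python parser for the autorun, BHO and service line formats seen in the DDS log above, with a few triage hints of the kind a helper scans such a log for. The [ExampleUpdater] sample line, the flag heuristics and the trusted-directory list are my own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the line formats of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections. All lines copy the thread's log except the
# [ExampleUpdater] one, which is invented to exercise the profile-path flag.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [AESTFltr] c:\windows\system32\AESTFltr.exe /NoDlg
mRun: [MSC] "c:\programmi\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\fileco~1\micros~1\dw\dwtrig20.exe" -t
mRun: [ExampleUpdater] c:\documents and settings\daniele\dati applicazioni\example\example.exe /s
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
S2 SkypeUpdate;Skype Updater;c:\programmi\skype\updater\Updater.exe [2012-7-3 160944]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
"""

# uRun/mRun/dRun = Run key in the current-user, machine and default-user hive.
AUTORUN_RE = re.compile(r"^([umd])Run: \[([^\]]+)\] (.+)$")
BHO_RE = re.compile(r"^BHO: (.+?): (\{[0-9A-Fa-f-]+\}) - (.+)$")
# Start type, service name, description, recorded path, optional resolved
# path after "-->", then "[date size]" or "[?]" when DDS could not stat the file.
SERVICE_RE = re.compile(
    r"^([RS][0-3]) ([^;]+);([^;]*);(.+?)(?: --> (.+?))? \[(.+)\]$")
# Quoted program path, or an unquoted path up to its extension.
EXE_RE = re.compile(
    r'^"([^"]+)"|^(.*?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?:\s|$)', re.IGNORECASE)
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

# Heuristic list (my assumption): locations where machine-wide autoruns and
# services are expected on this Italian XP install ("Programmi" = Program Files).
PROFILE_PREFIX = "c:\\documents and settings\\"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\programmi\\",
                    "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    kind: str                 # "autorun", "bho" or "service"
    name: str
    path: str                 # executable or driver path as DDS recorded it
    detail: str = ""          # hive, CLSID or service start type
    file_missing: bool = False
    flags: List[str] = field(default_factory=list)


def executable_from_command(command: str) -> str:
    """Strip the argument tail (/NoDlg, -hide ...) from a Run-key command."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return (m.group(1) or m.group(2)).strip()


def parse_dds(text: str) -> List[Entry]:
    """Turn the autorun, BHO and service lines of a DDS log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := AUTORUN_RE.match(line):
            hive, name, cmd = m.groups()
            entries.append(Entry("autorun", name, executable_from_command(cmd), HIVE[hive]))
        elif m := BHO_RE.match(line):
            name, clsid, path = m.groups()
            entries.append(Entry("bho", name, path.strip(), clsid))
        elif m := SERVICE_RE.match(line):
            start, name, _desc, path, resolved, stamp = m.groups()
            entries.append(Entry("service", name, (resolved or path).strip(), start,
                                 file_missing=(stamp == "?")))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review hints (heuristics for a helper to check, not verdicts)."""
    for e in entries:
        p = e.path.lower()
        if e.file_missing:
            e.flags.append("file not found at the recorded path")
        if p.startswith(PROFILE_PREFIX):
            # "All Users" holds shared application data; a named user's profile
            # is an unusual home for a machine-wide autorun or a service.
            owner = p[len(PROFILE_PREFIX):].split("\\", 1)[0]
            if not owner.startswith("all users"):
                e.flags.append("runs from a per-user profile directory")
        elif not p.startswith(TRUSTED_PREFIXES):
            e.flags.append("outside Windows and Program Files")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_dds(SAMPLE_DDS)):
        print(f"{e.kind:8} {e.name:16} {e.path}  <- {'; '.join(e.flags)}")
```

On the sample above only the invented [ExampleUpdater] entry and the RSUSBSTOR driver (whose file DDS could not find, the `[?]` in the log) come out flagged; everything copied from the thread's log is clean.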

Re: New pc, new malware

Post by askey127 » October 18th, 2012, 2:04 pm

Hi durden83,
Sorry about your recent misfortune.
On this machine, please do what you can to remove Incredimail and Incredimail 2.
Unless they have changed their policies, they claim sole legal rights to everything (all the contents!) you send or receive using their program.

You can probably use Outlook Express, usually included with XP, or install Thunderbird.
Thunderbird e-mails and settings can be transferred to a Win7 machine. OE data cannot.
http://www.mozilla.org/en-US/thunderbird/

For the shortcuts problem, see here:
Normal XP Shortcuts
http://www.helpwithpcs.com/tipsandtrick ... ows_xp.htm

Setting Hot Keys. Maybe somebody did that for Notepad and it's causing trouble:
http://askville.amazon.com/set-hot-keys ... Id=9765527

Notepad++ is a replacement for Notepad, if that would solve most of the issues you have.
http://notepad-plus-plus.org/

Let me know how it goes.
askey127

Re: New pc, new malware

Post by durden83 » October 19th, 2012, 4:48 pm

Hi askey,

I don't think Incredimail is the problem.

I experienced strange disconnections without any modem issue.
Also, at this exact moment the subject of the post was deleted in this window. Not by me.
Some seconds ago the current window was closed. Not by me.

If you think this is a problem related to e-mail, you are free to think so.
I suspect someone is trolling hard here. Or, worse, hacking and doing very bad stuff.

Re: New pc, new malware

Post by askey127 » October 19th, 2012, 5:52 pm

durden83,
I never said Incredimail was THE problem. I was simply delivering information to you.
You can either do the things I ask, or not. Your choice. Your computer. Helping you is my choice.
Just let me know what you choose to do or not do.
Did you look at the hotkey options for Notepad? Do you need help with it? You didn't mention anything about it.
These were just preliminaries to get out of the way first, as they seemed to be hindering our communication.
If you would like to continue, please proceed as follows:
---------------------------------------------
Run CKScanner
Download CKScanner from HERE
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved. Please run the program just once.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
---------------------------------------------
Download the OTL Scanner
Please download OTL.exe by OldTimer and save it to your desktop.
---------------------------------------------
Run a Scan with OTL
  • For WinXP, double click on the OTL icon to run it.
  • Check the boxes labeled :
    • Scan All Users
    • LOP check
    • Purity check
    • Extra Registry > Use SafeList
  • Make sure all other windows are closed to let it run uninterrupted.
  • Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so.
    When the scan starts, OTL may appear to be frozen while it runs. Please be patient.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. (desktop)
OTL.txt will be open on your desktop, and Extras.txt will be minimized in your taskbar.
The Extras.txt file will only appear as a running Notepad document the very first time you run OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.
---------------------------------------------------
So, in your reply, we will be looking for the following:
The contents of:
  • CKFiles.txt
  • OTL.txt
  • Extras.txt
As I mentioned, please feel free to use separate replies.
The Extras.txt file will only show up the very first time you run OTL.

askey127

Re: New pc, new malware

Post by durden83 » October 19th, 2012, 6:29 pm

Ok thank you for the advice.

I tried to search for notepad.exe to do as
"http://askville.amazon.com/set-hot-keys ... Id=9765527" says.
It seems I have three notepads on my pc.

One is in /system32.
One is in the /prefetch folder.
One is in /windows.

None of them has the "shortcut tab". Is that normal?

This is my CKscanner.txt:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.WMNAQN
----- EOF -----

Re: New pc, new malware

Post by durden83 » October 19th, 2012, 6:43 pm

OTL logfile created on: 20/10/2012 0.31.18 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Daniele\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000410 | Country: Italia | Language: ITA | Date Format: dd/MM/yyyy

1011,79 Mb Total Physical Memory | 529,67 Mb Available Physical Memory | 52,35% Memory free
2,37 Gb Paging File | 1,93 Gb Available in Paging File | 81,37% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmi
Drive C: | 214,22 Gb Total Space | 157,55 Gb Free Space | 73,55% Space Free | Partition Type: NTFS
Drive E: | 18,55 Gb Total Space | 2,69 Gb Free Space | 14,52% Space Free | Partition Type: NTFS
Drive F: | 99,18 Mb Total Space | 91,57 Mb Free Space | 92,32% Space Free | Partition Type: FAT32

Computer Name: ADS | User Name: Daniele | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/20 00.12.20 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniele\Desktop\OTL.exe
PRC - [2012/09/12 17.25.22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Programmi\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17.19.44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Programmi\Microsoft Security Client\msseces.exe
PRC - [2012/05/30 13.56.52 | 003,048,136 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2011/11/05 09.25.06 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Programmi\Mozilla Firefox\firefox.exe
PRC - [2010/08/18 04.11.28 | 000,495,708 | ---- | M] (IDT, Inc.) -- C:\Programmi\IDT\WDM\sttray.exe
PRC - [2010/08/18 04.11.28 | 000,249,938 | ---- | M] (IDT, Inc.) -- C:\Programmi\IDT\WDM\stacsv.exe
PRC - [2009/08/11 20.37.44 | 000,753,664 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\AESTFltr.exe
PRC - [2008/04/13 13.14.08 | 001,036,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/10/15 03.49.09 | 009,814,968 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll
MOD - [2012/07/27 22.51.42 | 000,301,056 | ---- | M] () -- C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.ITA
MOD - [2011/11/05 09.25.06 | 001,989,592 | ---- | M] () -- C:\Programmi\Mozilla Firefox\mozjs.dll


========== Services (SafeList) ==========

SRV - [2012/09/12 17.25.22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programmi\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/07/03 13.52.02 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programmi\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/05/30 13.56.52 | 003,048,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2010/08/18 04.11.28 | 000,249,938 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Programmi\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2003/07/28 21.28.22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts5161ccid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts516xIR.sys -- (Rts516xIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RTS5121.sys -- (RSUSBSTOR)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2011/11/10 00.13.34 | 002,697,600 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2010/08/18 04.11.28 | 001,642,499 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2010/07/06 12.13.10 | 000,234,392 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/04/21 23.13.34 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2009/04/18 18.27.38 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-583907252-1844237615-515967899-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Programmi\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Programmi\Mozilla Firefox\components [2011/11/10 01.26.54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Programmi\Mozilla Firefox\plugins

[2012/10/15 02.49.32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Daniele\Dati applicazioni\Mozilla\Extensions
[2012/06/10 18.33.19 | 000,000,000 | ---D | M] (No name found) -- C:\Programmi\Mozilla Firefox\extensions
[2012/06/10 18.33.22 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Programmi\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/11/05 09.25.07 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Programmi\mozilla firefox\components\browsercomps.dll
[2011/11/05 05.43.37 | 000,002,252 | ---- | M] () -- C:\Programmi\mozilla firefox\searchplugins\bing.xml
[2011/11/05 06.25.19 | 000,000,744 | ---- | M] () -- C:\Programmi\mozilla firefox\searchplugins\eBay-it.xml
[2011/11/05 06.25.19 | 000,000,825 | ---- | M] () -- C:\Programmi\mozilla firefox\searchplugins\hoepli.xml
[2011/11/05 06.25.19 | 000,001,182 | ---- | M] () -- C:\Programmi\mozilla firefox\searchplugins\wikipedia-it.xml
[2011/11/05 06.25.19 | 000,000,953 | ---- | M] () -- C:\Programmi\mozilla firefox\searchplugins\yahoo-it.xml

O1 HOSTS File: ([2006/03/02 12.00.00 | 000,000,768 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Adobe ARM] C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [MSC] c:\Programmi\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SysTrayApp] C:\Programmi\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Programmi\File comuni\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Programmi\File comuni\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-583907252-1844237615-515967899-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EBF54F30-80F5-4CE9-A797-F4B50AFF0A85}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmi\File comuni\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programmi\File comuni\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programmi\File comuni\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programmi\File comuni\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Pagina iniziale corrente) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Colline.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Colline.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/09 23.42.33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/20 00.12.07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daniele\Desktop\OTL.exe
[2012/10/17 12.15.32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Documenti\Video
[2012/10/17 12.15.32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\Strumenti di amministrazione
[2012/10/17 00.09.11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\StarCraft II
[2012/10/16 23.52.19 | 000,000,000 | ---D | C] -- C:\Programmi\StarCraft II
[2012/10/16 23.52.19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Documenti\StarCraft II
[2012/10/16 23.52.19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Menu Avvio\Programmi\StarCraft II
[2012/10/16 23.52.19 | 000,000,000 | ---D | C] -- C:\Programmi\File comuni\Blizzard Entertainment
[2012/10/16 23.52.19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Blizzard Entertainment
[2012/10/16 23.48.17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Battle.net
[2012/10/16 05.03.43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Desktop\Daniele
[2012/10/16 01.06.20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Temp
[2012/10/16 01.06.20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Adobe
[2012/10/15 03.49.37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Dati applicazioni\Macromedia
[2012/10/15 03.49.37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Dati applicazioni\Adobe
[2012/10/15 03.49.11 | 000,696,760 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/15 03.42.54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Documenti\Download
[2012/10/15 02.49.23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Mozilla
[2012/10/15 02.49.23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Dati applicazioni\Mozilla
[2012/10/15 02.48.27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Dati applicazioni\Identities
[2012/10/15 02.48.14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Documenti\Musica
[2012/10/15 02.48.14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Documenti\Immagini
[2012/10/15 02.48.13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Daniele\IETldCache
[2012/10/15 02.48.05 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Daniele\Dati applicazioni\Microsoft
[2012/10/15 02.48.05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Daniele\SendTo
[2012/10/15 02.48.05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Daniele\Recent
[2012/10/15 02.48.05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Daniele\Dati applicazioni
[2012/10/15 02.48.05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Preferiti
[2012/10/15 02.48.05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Menu Avvio
[2012/10/15 02.48.05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\Esecuzione automatica
[2012/10/15 02.48.05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Documenti
[2012/10/15 02.48.05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\Accessori
[2012/10/15 02.48.05 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Daniele\Cookies
[2012/10/15 02.48.05 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Daniele\Risorse di stampa
[2012/10/15 02.48.05 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Daniele\Risorse di rete
[2012/10/15 02.48.05 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Daniele\Modelli
[2012/10/15 02.48.05 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Daniele\Impostazioni locali
[2012/10/15 02.48.05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Microsoft
[2012/10/15 02.48.05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniele\Desktop
[2012/10/15 02.45.28 | 000,000,000 | ---D | C] -- C:\1352d373aa70aebdd3c64353
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/10/20 00.12.20 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniele\Desktop\OTL.exe
[2012/10/20 00.05.21 | 000,458,240 | ---- | M] () -- C:\Documents and Settings\Daniele\Desktop\CKScanner.exe
[2012/10/19 22.36.20 | 000,000,398 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/10/19 22.30.40 | 000,345,620 | ---- | M] () -- C:\WINDOWS\System32\perfh010.dat
[2012/10/19 22.30.40 | 000,311,938 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/10/19 22.30.40 | 000,048,012 | ---- | M] () -- C:\WINDOWS\System32\perfc010.dat
[2012/10/19 22.30.40 | 000,040,326 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/10/19 22.26.42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/19 22.26.13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/16 23.52.30 | 000,000,746 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\StarCraft II.lnk
[2012/10/16 05.10.17 | 000,000,424 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012/10/15 03.49.11 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/15 03.49.11 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/10/15 02.45.26 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/04 01.16.25 | 000,001,912 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/10/20 00.08.28 | 000,458,240 | ---- | C] () -- C:\Documents and Settings\Daniele\Desktop\CKScanner.exe
[2012/10/16 23.52.19 | 000,000,746 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\StarCraft II.lnk
[2012/10/15 02.48.35 | 000,000,783 | ---- | C] () -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\Internet Explorer.lnk
[2012/10/15 02.48.28 | 000,000,718 | ---- | C] () -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\Outlook Express.lnk
[2012/10/15 02.48.06 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\Assistenza remota.lnk
[2012/10/15 02.48.06 | 000,000,772 | ---- | C] () -- C:\Documents and Settings\Daniele\Menu Avvio\Programmi\Windows Media Player.lnk
[2012/10/15 02.34.39 | 000,000,398 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/02/17 22.38.09 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/11/11 23.26.52 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/11/11 23.26.50 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/11/11 23.26.39 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/11/11 23.26.38 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/11/11 23.26.34 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/11/11 23.24.17 | 000,000,424 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/11/10 01.34.49 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2011/11/10 00.27.32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/11/10 00.01.17 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/11/09 23.45.12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/11/09 23.39.21 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

========== ZeroAccess Check ==========


[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/09/05 15.56.22 | 001,510,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 12.51.43 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 13.13.58 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/10/16 23.48.28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Battle.net
[2011/11/15 22.49.36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\IM
[2011/11/15 22.48.24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\IncrediMail
[2011/11/15 22.49.32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Photo Notifier and Animation Creator

========== Purity Check ==========



< End of report >
durden83
Regular Member
Posts: 44
Joined: October 3rd, 2011, 9:19 am

Re: New pc, new malware

Unread postby durden83 » October 19th, 2012, 6:45 pm

OTL Extras logfile created on: 20/10/2012 0.31.18 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Daniele\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000410 | Country: Italia | Language: ITA | Date Format: dd/MM/yyyy

1011,79 Mb Total Physical Memory | 529,67 Mb Available Physical Memory | 52,35% Memory free
2,37 Gb Paging File | 1,93 Gb Available in Paging File | 81,37% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmi
Drive C: | 214,22 Gb Total Space | 157,55 Gb Free Space | 73,55% Space Free | Partition Type: NTFS
Drive E: | 18,55 Gb Total Space | 2,69 Gb Free Space | 14,52% Space Free | Partition Type: NTFS
Drive F: | 99,18 Mb Total Space | 91,57 Mb Free Space | 92,32% Space Free | Partition Type: FAT32

Computer Name: ADS | User Name: Daniele | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-583907252-1844237615-515967899-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programmi\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Programmi\Mozilla Firefox\plugin-container.exe" = C:\Programmi\Mozilla Firefox\plugin-container.exe:*:Enabled:Plugin Container for Firefox -- (Mozilla Corporation)
"C:\Programmi\IncrediMail\Bin\IncMail.exe" = C:\Programmi\IncrediMail\Bin\IncMail.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Programmi\IncrediMail\Bin\ImApp.exe" = C:\Programmi\IncrediMail\Bin\ImApp.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Programmi\IncrediMail\Bin\ImpCnt.exe" = C:\Programmi\IncrediMail\Bin\ImpCnt.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Programmi\Skype\Phone\Skype.exe" = C:\Programmi\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Battle.net\Agent\Agent.1267\Agent.exe" = C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Battle.net\Agent\Agent.1267\Agent.exe:*:Enabled:Battle.net Update Agent -- (Blizzard Entertainment)
"C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Battle.net\Agent\Agent.1363\Agent.exe" = C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Battle.net\Agent\Agent.1363\Agent.exe:*:Enabled:Battle.net Update Agent -- (Blizzard Entertainment)
"C:\Programmi\StarCraft II\StarCraft II.exe" = C:\Programmi\StarCraft II\StarCraft II.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Programmi\StarCraft II\StarCraft II Public Test.exe" = C:\Programmi\StarCraft II\StarCraft II Public Test.exe:*:Enabled:Test pubblico di StarCraft II -- (Blizzard Entertainment)
"C:\Programmi\StarCraft II\Versions\Base23260\SC2.exe" = C:\Programmi\StarCraft II\Versions\Base23260\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{14544CE3-0AA3-48C3-93C2-758578EA9F99}" = Photo Notifier and Animation Creator
"{350C9410-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{50779A29-834E-4E36-BBEB-B7CABC67A825}" = Microsoft Security Client IT-IT Language Pack
"{7462E859-C453-4E08-BE0D-7D5E13E4CD1F}" = Microsoft Antimalware Service IT-IT Language Pack
"{90110410-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0410-0000-0000000FF1CE}" = Pacchetto di compatibilità per Office System 2007
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92DA8743-42CF-45E1-AF40-34F8D9066989}" = IncrediMail
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{AC76BA86-7AD7-1040-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Italiano
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"IncrediMail" = IncrediMail 2.0
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.9.0 (Full)
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 8.0 (x86 it)" = Mozilla Firefox 8.0 (x86 it)
"Photo Notifier and Animation Creator" = Photo Notifier and Animation Creator
"Scheda LAN wireless Broadcom 802.11" = Scheda LAN wireless Broadcom 802.11
"StarCraft II" = StarCraft II
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 19/03/2012 8.34.14 | Computer Name = ADS | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 11/04/2012 15.07.45 | Computer Name = ADS | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efd, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 19/04/2012 17.51.04 | Computer Name = ADS | Source = Application Hang | ID = 1002
Description = Applicazione in stallo WINWORD.EXE, versione 11.0.8328.0, modulo in
stallo hungapp, versione 0.0.0.0, indirizzo stallo 0x00000000.

Error - 29/04/2012 15.51.00 | Computer Name = ADS | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 11/05/2012 15.30.51 | Computer Name = ADS | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072ee2, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 13/05/2012 16.17.42 | Computer Name = ADS | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 07/06/2012 15.21.02 | Computer Name = ADS | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.0.1538.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 07/06/2012 15.21.35 | Computer Name = ADS | Source = Microsoft Security Client | ID = 5000
Description =

Error - 07/06/2012 19.23.39 | Computer Name = ADS | Source = crypt32 | ID = 131083
Description = Impossibile estrarre l'elenco principale di altri produttori dal file
.cab di aggiornamento automatico in: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
a causa del seguente errore: Un certificato richiesto non rientra nel suo periodo
di validità se verificato rispetto all'ora corrente del sistema o al timestamp
sul file firmato.

Error - 21/06/2012 16.36.12 | Computer Name = ADS | Source = Application Hang | ID = 1002
Description = Applicazione in stallo WINWORD.EXE, versione 11.0.8345.0, modulo in
stallo hungapp, versione 0.0.0.0, indirizzo stallo 0x00000000.

[ System Events ]
Error - 17/10/2012 2.00.21 | Computer Name = ADS | Source = SideBySide | ID = 16842784
Description = Impossibile trovare assemblaggio dipendente Microsoft.VC80.MFCLOC
e l'ultimo errore è stato L'assembly a cui si fa riferimento non è installato nel
computer.

Error - 17/10/2012 2.00.21 | Computer Name = ADS | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly non riuscito per Microsoft.VC80.MFCLOC. Riferimento
al messaggio di errore: L'assembly a cui si fa riferimento non è installato nel
computer. .

Error - 17/10/2012 2.00.21 | Computer Name = ADS | Source = SideBySide | ID = 16842811
Description = Generate Activation Context non riuscito per C:\Programmi\IncrediMail\bin\MFC80U.DLL.
Riferimento
al messaggio di errore: Operazione completata. .

Error - 17/10/2012 2.00.57 | Computer Name = ADS | Source = SideBySide | ID = 16842784
Description = Impossibile trovare assemblaggio dipendente Microsoft.VC80.MFCLOC
e l'ultimo errore è stato L'assembly a cui si fa riferimento non è installato nel
computer.

Error - 17/10/2012 2.00.57 | Computer Name = ADS | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly non riuscito per Microsoft.VC80.MFCLOC. Riferimento
al messaggio di errore: L'assembly a cui si fa riferimento non è installato nel
computer. .

Error - 17/10/2012 2.00.57 | Computer Name = ADS | Source = SideBySide | ID = 16842811
Description = Generate Activation Context non riuscito per C:\Programmi\IncrediMail\bin\MFC80U.DLL.
Riferimento
al messaggio di errore: Operazione completata. .

Error - 17/10/2012 3.11.20 | Computer Name = ADS | Source = Dhcp | ID = 1002
Description = Il lease 192.168.0.4 dell'indirizzo IP della scheda di rete con indirizzo
90004E711E3F è stato negato dal server DHCP 192.168.0.1. Il server DHCP ha inviato
un messaggio DHCPNACK.

Error - 18/10/2012 9.52.18 | Computer Name = ADS | Source = Dhcp | ID = 1002
Description = Il lease 192.168.0.4 dell'indirizzo IP della scheda di rete con indirizzo
90004E711E3F è stato negato dal server DHCP 192.168.0.1. Il server DHCP ha inviato
un messaggio DHCPNACK.

Error - 18/10/2012 20.49.10 | Computer Name = ADS | Source = Dhcp | ID = 1002
Description = Il lease 192.168.0.4 dell'indirizzo IP della scheda di rete con indirizzo
90004E711E3F è stato negato dal server DHCP 192.168.0.1. Il server DHCP ha inviato
un messaggio DHCPNACK.

Error - 19/10/2012 11.52.54 | Computer Name = ADS | Source = Dhcp | ID = 1002
Description = Il lease 192.168.0.4 dell'indirizzo IP della scheda di rete con indirizzo
90004E711E3F è stato negato dal server DHCP 192.168.0.1. Il server DHCP ha inviato
un messaggio DHCPNACK.


< End of report >
durden83
Regular Member
 
Posts: 44
Joined: October 3rd, 2011, 9:19 am

Re: New pc, new malware

Unread postby askey127 » October 19th, 2012, 7:38 pm

durden83,
I will explain how to evaluate Notepad's shortcuts after we get through with the infection searches.
-------------------------------------------------
Please download RogueKiller.exe and save it to your desktop.

Run RogueKiller
  • First, quit all running programs.
  • Start RogueKiller.exe. (Double click in XP, Right click and choose "Run as administrator" in Vista/Win7)
  • Note: If the program is blocked, do not hesitate to try several times.
    If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com.
  • Wait until prescan has finished.
  • Click on the Scan button in the upper right. Wait for it to finish.
  • When the scan is complete, a file icon named RKreport.txt should appear on your desktop.
  • Please double click that file RKreport.txt and post its contents in your next Reply.
    (You can also open the report by clicking the Report button on the right).
  • When you exit RogueKiller, you may get a popup reporting "None of the Elements have been deleted. Do you want to quit?" Click "Yes".
-----------------------------------------------
Run aswMBR
Download aswMBR.exe and save to your desktop.
Double click on aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan, click "save log". Save it to your desktop and post the contents in your next reply.
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware It is free for non-business use.
Please click Here for the download.
  • Choose Save or Save To. The "Save to location" dialog will come up.
  • Click the browse folders button, then click on Desktop on the left as the location for the installer and click Save again. Close the dialog when the download is complete.
  • You should now have a desktop icon named mbam-setup-1.65.0.1400.exe. (If the download was saved somewhere else, locate it and copy or move it to your desktop).
  • Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2011-mm-dd(hour-min-sec).txt
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.
---------------------------------------------------
So, in your reply, we will be looking for the following:
The contents of:
  • RKreport.txt
  • report from aswMBR
  • MBAM log
Please feel free to use separate replies.

askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: New pc, new malware

Unread postby durden83 » October 20th, 2012, 9:06 am

Hi askey,

aswMBR asks to download the Avast virus definitions database for aswMBR. Should I download it?
durden83
Regular Member
 
Posts: 44
Joined: October 3rd, 2011, 9:19 am

Re: New pc, new malware

Unread postby durden83 » October 20th, 2012, 9:12 am

Anyway this is RK's log.

RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Daniele [Admin rights]
Mode : Scan -- Date : 10/20/2012 14:53:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725025A9A364 +++++
--- User ---
[MBR] 5aa4663f6218308aeda1349e5cac6873
[BSP] ceed148ab8dfd358a107967bb333400a : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 219364 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 449286144 | Size: 18993 Mo
2 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
durden83
Regular Member
 
Posts: 44
Joined: October 3rd, 2011, 9:19 am

Re: New pc, new malware

Unread postby askey127 » October 20th, 2012, 11:31 am

That log looks good.

Yes, it's OK to download those definitions and then run aswMBR per instructions.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: New pc, new malware

Unread postby durden83 » October 20th, 2012, 6:05 pm

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-20 22:09:32
-----------------------------
22:09:32.468 OS Version: Windows 5.1.2600 Service Pack 3
22:09:32.468 Number of processors: 2 586 0x1C0A
22:09:32.468 ComputerName: ADS UserName:
22:09:34.734 Initialize success
22:21:02.796 AVAST engine defs: 12102000
22:38:50.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:38:50.671 Disk 0 Vendor: Hitachi_ PC2O Size: 238475MB BusType: 3
22:38:50.687 Disk 0 MBR read successfully
22:38:50.687 Disk 0 MBR scan
22:38:50.796 Disk 0 Windows XP default MBR code
22:38:50.796 Disk 0 Partition - 00 0F Extended LBA 219364 MB offset 16065
22:38:50.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 18993 MB offset 449286144
22:38:50.921 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 103 MB offset 488183808
22:38:51.390 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 219364 MB offset 16128
22:38:51.406 Disk 0 scanning sectors +488395120
22:38:51.515 Disk 0 scanning C:\WINDOWS\system32\drivers
22:39:12.015 Service scanning
22:39:24.218 Service MpKsldf725ac8 c:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Microsoft\Microsoft Antimalware\Definition Updates\{E14E9453-65F8-498C-87DD-95489D6E08B2}\MpKsldf725ac8.sys **LOCKED** 32
22:39:45.218 Modules scanning
22:39:50.765 Disk 0 trace - called modules:
22:39:50.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
22:39:50.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e04868]
22:39:50.765 3 CLASSPNP.SYS[f7696fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86378028]
22:39:52.125 AVAST engine scan C:\WINDOWS
22:40:07.484 AVAST engine scan C:\WINDOWS\system32
22:44:34.640 AVAST engine scan C:\WINDOWS\system32\drivers
22:45:00.187 AVAST engine scan C:\Documents and Settings\Daniele
22:47:57.390 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
22:52:20.359 Scan finished successfully
23:12:59.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Daniele\Desktop\MBR.dat"
23:12:59.203 The log file has been saved successfully to "C:\Documents and Settings\Daniele\Desktop\aswMBR.txt"
====================================================

This is MBAM's log:

Malwarebytes Anti-Malware (Prova) 1.65.1.1000
www.malwarebytes.org

Versione database: v2012.10.20.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Daniele :: ADS [amministratore]

Protezione: Attivata

20/10/2012 23.58.33
mbam-log-2012-10-20 (23-58-33).txt

Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File di sistema | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 213455
Tempo impiegato: 4 minuti, 53 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 0
(non sono stati rilevati elementi nocivi)

Valori di registro rilevati: 0
(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 0
(non sono stati rilevati elementi nocivi)

(fine)
====================================================
durden83
Regular Member
 
Posts: 44
Joined: October 3rd, 2011, 9:19 am
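The RogueKiller and aswMBR reports above both read the same MBR and partition table, so a quick way to review them is to confirm that the two tools agree and that the sections RogueKiller singles out (registry hits, HOSTS file) contain nothing unexpected. The script below is an added example written for this thread; it is not part of RogueKiller, aswMBR or the forum's own procedure. The two excerpts it parses are constructed from the reports posted above, and the line patterns it matches are only those visible in those reports (other versions of the tools may format lines differently).

```python
"""Cross-check a RogueKiller RKreport excerpt against an aswMBR log excerpt.

Added example for this thread, not code from RogueKiller or aswMBR. The
excerpts below are constructed from the reports posted above.
"""
import re

# Constructed sample: the Registry, HOSTS and MBR sections of the posted RKreport.
RK_REPORT = r"""¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725025A9A364 +++++
--- User ---
[MBR] 5aa4663f6218308aeda1349e5cac6873
[BSP] ceed148ab8dfd358a107967bb333400a : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 219364 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 449286144 | Size: 18993 Mo
2 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!
"""

# Constructed sample: the MBR/partition lines of the posted aswMBR log.
ASWMBR_LOG = """22:38:50.796 Disk 0 Windows XP default MBR code
22:38:50.796 Disk 0 Partition - 00 0F Extended LBA 219364 MB offset 16065
22:38:50.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 18993 MB offset 449286144
22:38:50.921 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 103 MB offset 488183808
22:38:51.390 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 219364 MB offset 16128
"""

# Line shapes taken from the two reports above.
RK_PART = re.compile(
    r"^\d+ - \[(?P<flag>\w+)\] \S+ \(0x(?P<type>[0-9a-fA-F]{2})\) \[VISIBLE\] "
    r"Offset \(sectors\): (?P<offset>\d+) \| Size: (?P<size>\d+) Mo$", re.M)
ASW_PART = re.compile(
    r"^\S+ Disk \d+ Partition \S+ (?P<boot>[0-9A-F]{2}) (?:\(A\) )?(?P<type>[0-9A-F]{2}) "
    r".*? (?P<size>\d+) MB offset (?P<offset>\d+)$", re.M)


def rk_partitions(report):
    """(offset, type byte, active) for each primary entry in the RogueKiller MBR Check."""
    return [(int(m["offset"]), int(m["type"], 16), m["flag"] == "ACTIVE")
            for m in RK_PART.finditer(report)]


def asw_partitions(log):
    """(offset, type byte, bootable) for each partition aswMBR listed, logical ones included."""
    return [(int(m["offset"]), int(m["type"], 16), m["boot"] == "80")
            for m in ASW_PART.finditer(log)]


def rk_hosts_entries(report):
    """(ip, [hostnames]) pairs from the HOSTS File section, comments stripped."""
    entries, in_hosts = [], False
    for line in report.splitlines():
        if line.startswith("¤¤¤ HOSTS File"):
            in_hosts = True
            continue
        if in_hosts and line.startswith("¤¤¤"):
            break
        if not in_hosts or line.startswith("-->"):
            continue
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts(entries):
    """Every hosts entry except the stock loopback -> localhost line.
    Extra entries are a review signal, not proof of infection: an ad-blocking
    hosts file is benign, a vendor update domain pointed at 127.0.0.1 is not."""
    return [e for e in entries
            if not (e[0] in ("127.0.0.1", "::1") and e[1] == ["localhost"])]


def rk_found_entries(report):
    """Lines RogueKiller marked '-> FOUND'; these are for a helper to review, not auto-delete."""
    return [l for l in report.splitlines() if l.rstrip().endswith("-> FOUND")]


def mbr_code_agrees(rk_report, asw_log):
    """Heuristic: the OS name RogueKiller attributes the boot code to should appear in aswMBR's verdict."""
    rk = re.search(r"^\[BSP\] [0-9a-f]+ : (.+)$", rk_report, re.M)
    asw = re.search(r"Disk \d+ (.*MBR code)$", asw_log, re.M)
    if not rk or not asw:
        return False
    os_name = rk.group(1).lower().replace(" mbr code", "").strip()
    return os_name in asw.group(1).lower()


def cross_check(rk_report, asw_log):
    """Summarise where the two reports agree and what still deserves a look."""
    rk, asw = rk_partitions(rk_report), asw_partitions(asw_log)
    asw_by_offset = {off: (typ, boot) for off, typ, boot in asw}
    return {
        "rk_primary_count": len(rk),
        "asw_count": len(asw),
        # RogueKiller lists only primary entries; each must match aswMBR at the same offset.
        "partition_mismatches": [p for p in rk if asw_by_offset.get(p[0]) != (p[1], p[2])],
        "mbr_code_agrees": mbr_code_agrees(rk_report, asw_log),
        "found_entries": rk_found_entries(rk_report),
        "suspicious_hosts": suspicious_hosts(rk_hosts_entries(rk_report)),
    }


if __name__ == "__main__":
    for key, value in cross_check(RK_REPORT, ASWMBR_LOG).items():
        print(f"{key}: {value}")
```

On the posted reports the three primary partitions match aswMBR's reading offset for offset, both tools attribute the boot code to Windows XP, the HOSTS file holds only the stock localhost line, and the single FOUND entry is the HJ DESK item that the helper judged harmless. aswMBR additionally lists the logical partition inside the extended one (offset 16128), which RogueKiller does not report, so the comparison deliberately goes from RogueKiller's list to aswMBR's and not the other way round.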

Re: New pc, new malware

Unread postby askey127 » October 21st, 2012, 7:59 am

Durden83,
I don't see any evidence of infection on your machine.
For assurance, you can have AVG run a full scan and remove anything it finds.

Do you still need help unraveling the shortcuts for Notepad or other?

askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: New pc, new malware

Unread postby durden83 » October 21st, 2012, 10:48 am

Yes, it's running quite well in this period.
I hope it will last.

Regarding the shortcut question, I'll try to be gentle: for the shortcuts I said that on my Notepad the CTRL+A to select all content doesn't exist. I can clearly remember that it wasn't so some days ago.

I also said that there is CTRL+5 (Tn) instead of that.
I answered what that Tn means.
You never answered that.

You just indicated to me a list of the normal shortcuts.

In my humble opinion you just avoided the question, keeping a very strange silence about the reality. Your behaviour, and I'll try to say it gently, is quite strange.

I know that's your choice to help me, but it's also my choice to point out when I have some doubts on what you're saying.
If you want to act like an incontrovertible truth, just say that, and next time I won't ask for any help from a living dogma.

Anyway bye bye.
durden83
Regular Member
 
Posts: 44
Joined: October 3rd, 2011, 9:19 am

Re: New pc, new malware

Unread postby durden83 » October 21st, 2012, 10:52 am

I didn't remember to thank you for the time spent on this problem.

Thanks.
durden83
Regular Member
 
Posts: 44
Joined: October 3rd, 2011, 9:19 am