
Smart Engine - HELP NEEDED


Ramidus


Hi folks,

here's another one caught by Smart Engine, my wife's laptop [WinXP Media Center ed].

It came up abruptly, after my wife did not realize her Avast AV was not running at all.

Previous attempts to remove it include: an MBAM scan, some registry clean-up, an IE restore to defaults, and a re-install of Avast AV. This took care of basically all the evident symptoms of infection (such as Avast not connecting to its server, findgala substituting Google searches, Smart Engine showing up when loading antivirus websites, and so on). It also took me some time to get rid of the hijacked hosts file, which, since I fixed it, has remained clean of any host entries other than localhost.

Everything is running almost OK, except that while checking with Panda ActiveScan the system reports Windows Security Center running on Smart Engine (?); also, occasionally at start-up Avast is stopped and I need to restart it manually. At the moment I have disabled Windows Firewall security.

My feeling is that SE has not been totally eradicated, but it's going beyond my ability to tackle it. I am not a computer guru, but I can move quite easily through system files, the registry, command prompts, etc., so do not hesitate to give manual instructions if needed or more appropriate; if I can't do it I'll let you know.

Here we go, as per your instructions: MBAM, DDS attach and rootkit reports (zip file) and the DDS log (within the post). I also attached to the zip file a list of updates that came up as recommended Windows updates (the system runs in Italian, but every update reports its KB code) after I ran Defogger (not sure whether the two things are related, but it seemed strange that this specific list of updates would come up now).

Please let me know if you need further info.

And thanks a lot for your help!! :)

DDS text:

DDS (Ver_10-11-10.01) - NTFSx86

Run by cintia at 10:29:32.93 on Sun 11/14/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1022.487 [GMT 1:00]

AV: Smart Engine *On-access scanning enabled* (Updated) {7F468738-A231-4857-A195-B90C89A6A530}

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Smart Engine *enabled* {2A4CF53C-E87A-4831-982B-61933D9D5F41}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Programmi\Intel\Wireless\Bin\EvtEng.exe

C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\Programmi\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programmi\Apoint\Apoint.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\ICO.EXE

C:\Programmi\Sony\VAIO Camera Utility\VCUServe.exe

C:\Programmi\Sony\VAIO Power Management\SPMgr.exe

C:\Programmi\Sony\ISB Utility\ISBMgr.exe

C:\Programmi\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Programmi\Sony\VAIO Update 4\VAIOUpdt.exe

C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

svchost.exe

C:\Programmi\Vodafone\VMCLite\VodafoneVMCLiteLauncher.exe

C:\Programmi\Apoint\Apntex.exe

C:\Programmi\Apoint\Apvfb.exe

C:\Programmi\Java\jre6\bin\jusched.exe

C:\Programmi\Alwil Software\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe

C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Programmi\Java\jre6\bin\jqs.exe

C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Programmi\UPHClean\uphclean.exe

C:\Programmi\Sony\VAIO Event Service\VESMgr.exe

C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\cintia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.repubblica.it/

uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:25452

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Guida per l'accesso a Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmi\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\progra~1\google~1\GoogleAFE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\documents and settings\all users\dati applicazioni\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler

mRun: [Apoint] c:\programmi\apoint\Apoint.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [VAIOCameraUtility] "c:\programmi\sony\vaio camera utility\VCUServe.exe"

mRun: [sonyPowerCfg] c:\programmi\sony\vaio power management\SPMgr.exe

mRun: [iSBMgr.exe] c:\programmi\sony\isb utility\ISBMgr.exe

mRun: [switcher.exe] c:\programmi\sony\wireless switch setting utility\Switcher.exe

mRun: [<NO NAME>]

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Adobe Photo Downloader] "c:\programmi\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime

mRun: [VAIO Update 4] "c:\programmi\sony\vaio update 4\VAIOUpdt.exe" /Stationary

mRun: [Acrobat Assistant 7.0] "c:\programmi\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [VodafoneVMCLiteLauncher] c:\programmi\vodafone\vmclite\\VodafoneVMCLiteLauncher.exe

mRun: [sunJavaUpdateSched] "c:\programmi\java\jre6\bin\jusched.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [avast5] "c:\programmi\alwil software\avast5\avastUI.exe" /nogui

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\fileco~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adobeg~1.lnk - c:\programmi\file comuni\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\newsho~1.lnk - c:\programmi\vodafone\vmclite\VodafoneVMCLiteLauncher.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: sony-europe.com

Trusted Zone: sonystyle-europe.com

Trusted Zone: vaio-link.com

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Programmi/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149263497781

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Programmi/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx

Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\programmi\invitrogen\vector nti advance 10\Ncbi.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll

IFEO: image file execution options - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cintia\datiap~1\mozilla\firefox\profiles\bn6oi4r2.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 25452

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\windows\system32\NPTNGPlayer.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-13 28552]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-13 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-13 17744]

R2 avast! Antivirus;avast! Antivirus;c:\programmi\alwil software\avast5\AvastSvc.exe [2010-11-13 40384]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\programmi\alwil software\avast5\AvastSvc.exe [2010-11-13 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\programmi\alwil software\avast5\AvastSvc.exe [2010-11-13 40384]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-20 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-20 808448]

S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]

S3 ONDAUsbDiag;ONDA USB Diagnostics Port;c:\windows\system32\drivers\ondausbdiag.sys --> c:\windows\system32\drivers\ONDAUsbDiag.sys [?]

S3 ONDAUsbModem;ONDA USB MODEM DRIVER;c:\windows\system32\drivers\ondausbmodem.sys --> c:\windows\system32\drivers\ONDAUsbModem.sys [?]

S3 ONDAUsbNmea;ONDA USB NMEA Port;c:\windows\system32\drivers\ondausbnmea.sys --> c:\windows\system32\drivers\ONDAUsbNmea.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-11-13 15:38:03 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-11-13 15:37:09 -------- d-----w- c:\programmi\Panda Security

2010-11-13 15:20:57 -------- d-----w- c:\docume~1\cintia\impost~1\datiap~1\Mozilla

2010-11-13 08:40:37 -------- d-----w- c:\docume~1\cintia\datiap~1\download2

2010-11-13 06:48:12 38848 ----a-w- c:\windows\avastSS.scr

2010-11-12 06:17:20 -------- d-----w- c:\programmi\Secunia

2010-11-11 23:46:09 -------- d-----w- c:\programmi\Glary Utilities

2010-11-11 21:12:02 -------- d-----w- c:\docume~1\cintia\datiap~1\Malwarebytes

2010-11-11 21:11:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-11 21:11:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-11 21:11:52 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-11-11 21:11:52 -------- d-----w- c:\docume~1\alluse~1\datiap~1\Malwarebytes

2010-11-11 09:28:22 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\SMFOVELE

2010-11-11 09:28:00 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\0129ac

==================== Find3M ====================

============= FINISH: 10:32:00.01 ===============

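The DDS log above carries the indicators that matter for a rogue-AV infection of this kind, and they are easy to miss in a few hundred lines of output: a Security Center AV/FW registration ("Smart Engine") with no matching process, an IE and Firefox proxy pointed at 127.0.0.1, an Explorer DisallowRun policy, an IFEO entry on svchost.exe, and two recently created hidden+system directories under All Users application data. As an added example (not part of the original post, and not code from DDS, MBAM or any other tool named in this thread), the following Python script pulls exactly those indicators out of a DDS log. The indicator names and the heuristics are my own, and SAMPLE_DDS is a trimmed copy constructed from the lines quoted above:

```python
"""Pull rogue-AV / browser-hijack indicators out of a DDS log.

Added example for this thread; not part of DDS, MBAM or any tool named here.
The indicator names and the heuristics are my own; SAMPLE_DDS is constructed
from lines quoted in the post above.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (indicator name, offending log line)

# Constructed sample: a trimmed copy of the DDS output posted in the thread.
SAMPLE_DDS = r"""
AV: Smart Engine *On-access scanning enabled* (Updated) {7F468738-A231-4857-A195-B90C89A6A530}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Smart Engine *enabled* {2A4CF53C-E87A-4831-982B-61933D9D5F41}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25452
uPolicies-explorer: DisallowRun = 1 (0x1)
IFEO: image file execution options - svchost.exe
================= FIREFOX ===================
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25452
FF - prefs.js: network.proxy.type - 0
=============== Created Last 30 ================
2010-11-13 15:38:03 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-11 09:28:22 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\SMFOVELE
2010-11-11 09:28:00 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\0129ac
============= FINISH: 10:32:00.01 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PRODUCT_RE = re.compile(r"^(AV|FW|AS|SP):\s*(.+?)\s*\*")
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b")
HIDDEN_DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ d-sh--w- ")
IFEO_RE = re.compile(r"^IFEO:.*-\s*(svchost|explorer|winlogon|userinit|lsass)\.exe$", re.I)
POLICY_RE = re.compile(r"^[um]Policies-explorer: DisallowRun = 1\b")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split DDS output into its '=== Title ===' sections. Lines before the
    first banner (the AV:/FW: Security Center summary) go under 'header'."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def unbacked_security_products(sections: Dict[str, List[str]]) -> List[Finding]:
    """Flag AV/FW products registered with Security Center whose name appears
    nowhere in the running-process list. A rogue AV registers itself in the
    WMI SecurityCenter repository so Windows reports the machine as protected;
    a real product normally has a service or tray process with a matching path.
    Heuristic only: a genuine product can be installed but stopped."""
    processes = " ".join(sections.get("Running Processes", [])).lower()
    findings: List[Finding] = []
    for line in sections.get("header", []):
        m = PRODUCT_RE.match(line)
        if not m:
            continue
        tokens = [t.lower() for t in re.findall(r"[A-Za-z]{4,}", m.group(2))]
        if not any(t in processes for t in tokens):
            findings.append(("security_center_product_without_process", line))
    return findings


def hijack_indicators(lines: List[str]) -> List[Finding]:
    """Line-level checks for the proxy, policy, IFEO and hidden-directory tells."""
    findings: List[Finding] = []
    for line in lines:
        is_ie_proxy = line.startswith(("uInternet Settings,ProxyServer",
                                       "mInternet Settings,ProxyServer"))
        if is_ie_proxy and LOOPBACK_RE.search(line):
            # WinINET proxy pointed at the machine itself: something local is
            # intercepting every HTTP request (search redirects, blocked AV sites).
            findings.append(("ie_proxy_to_loopback", line))
        elif line.startswith("FF - prefs.js: network.proxy.http ") and LOOPBACK_RE.search(line):
            findings.append(("firefox_proxy_to_loopback", line))
        elif POLICY_RE.match(line):
            # Explorer DisallowRun policy: used by rogue AV to keep named tools
            # (typically the real AV) from launching.
            findings.append(("explorer_disallowrun_policy", line))
        elif IFEO_RE.match(line):
            # Image File Execution Options on a core binary: verify by hand; a
            # Debugger value there hands control to another executable.
            findings.append(("ifeo_on_system_binary", line))
        elif HIDDEN_DIR_RE.match(line):
            # Hidden+system directory created in the last 30 days.
            findings.append(("hidden_system_dir_recently_created", line))
    return findings


def triage(text: str) -> List[Finding]:
    sections = parse_sections(text)
    all_lines = [line for lines in sections.values() for line in lines]
    return unbacked_security_products(sections) + hijack_indicators(all_lines)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for indicator, _ in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_DDS):
        print(f"[{indicator}] {line}")
```

Run against the sample it reports eight findings: both "Smart Engine" registrations (AV and FW) with no process behind them, the IE and Firefox loopback proxies, the DisallowRun policy, the IFEO entry on svchost.exe, and the two hidden+system directories. Everything it flags still needs a human to confirm before anything is deleted; the point is to make the second DDS scan in this thread comparable to the first at a glance.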


Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Internet Explorer (Windows)

1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.

Firefox (Windows)

1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.

Next:

Disable Internet Explorer Proxy Settings and Reset TCP/IP and Winsock

Disable Internet Explorer Proxy Settings and Reset TCP/IP

It is very important that these steps be carried out exactly as shown otherwise the fix will not work.

If you have any questions please ask before moving on.

  • Please start Notepad and using your mouse make sure you select and copy all the information below in the Code box into your new document.
  • Then save the file as "fixme.bat" to your Desktop
  • In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.
    @ECHO OFF
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
    netsh int ip reset resetlog.txt
    netsh winsock reset catalog


  • On Windows XP you can double-click the file to run it.
  • On Vista/Win7 you need to Right click the file and choose Run as administrator to run it. With User Account Control on it should ask permission to run it. Click Yes
  • This will flash a black DOS box very quickly and go away, this is normal.
  • Restart your computer now.
  • Launch Internet Explorer and see if you can connect to the Internet.
  • Launch MBAM and check for Updates


SEE MY REPLIES IN BLUE ALONG YOUR TEXT, and thanks for helping.


Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Internet Explorer (Windows)

1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.

Firefox (Windows)

1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.

I had already taken care of cutting out proxy options both in IE and Firefox. They never reappeared and they are still unchecked (i.e. no proxy for both).

Next:

Disable Internet Explorer Proxy Settings and Reset TCP/IP and Winsock

Disable Internet Explorer Proxy Settings and Reset TCP/IP

It is very important that these steps be carried out exactly as shown otherwise the fix will not work.

If you have any questions please ask before moving on.

  • Please start Notepad and using your mouse make sure you select and copy all the information below in the Code box into your new document.

  • Then save the file as "fixme.bat" to your Desktop

  • In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.

@ECHO OFF
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
netsh int ip reset resetlog.txt
netsh winsock reset catalog

  • On Windows XP you can double-click the file to run it.

  • On Vista/Win7 you need to Right click the file and choose Run as administrator to run it. With User Account Control on it should ask permission to run it. Click Yes

  • This will flash a black DOS box very quickly and go away, this is normal.

There were some errors, so I ran the .bat again in a command prompt window. Each of your instructions is followed by the message that came back in the prompt:

@ECHO OFF

command not recognized

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

registry key or value not found

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f

registry key or value not found

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable


uInternet Settings,ProxyServer = http=127.0.0.1:25452

Sorry for cluttering.

What's uInternet Settings for? It reminds me of a registry key some sites suggest deleting with regard to SE infections. Something I should do, or just a typo?

MBAM was already running; I kinda guessed what you wanted me to do. I will post you the log (you want the text right in the post, and not as an attachment, correct?)

The system's running fine, as it was before I discovered from Panda ActiveScan that Windows Security reports a Smart Engine module running on the PC???

Last question: at this moment I'm running on wired, as I cut off the wireless connection. Any reason why, after turning on wireless, this bug could reappear?


uInternet Settings,ProxyServer = http=127.0.0.1:25452
I was just pointing out that item shows in your DDS scan
I cut off the wireless connection. any reason why after turning on wireless this bug could reappear?
That usually is an indication your router is infected

MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5112

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/14/2010 3:47:06 PM

mbam-log-2010-11-14 (15-47-06).txt

Scan type: Quick scan

Objects scanned: 171113

Time elapsed: 10 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


New DDS scan

DDS (Ver_10-11-10.01) - NTFSx86

Run by cintia at 15:53:34.06 on Sun 11/14/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1022.550 [GMT 1:00]

AV: Smart Engine *On-access scanning enabled* (Updated) {7F468738-A231-4857-A195-B90C89A6A530}

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Smart Engine *enabled* {2A4CF53C-E87A-4831-982B-61933D9D5F41}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Programmi\Intel\Wireless\Bin\EvtEng.exe

C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\Programmi\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Programmi\Java\jre6\bin\jqs.exe

C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Programmi\UPHClean\uphclean.exe

C:\Programmi\Sony\VAIO Event Service\VESMgr.exe

C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Programmi\Apoint\Apoint.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\ICO.EXE

C:\Programmi\Sony\VAIO Camera Utility\VCUServe.exe

C:\Programmi\Sony\VAIO Power Management\SPMgr.exe

C:\Programmi\Sony\ISB Utility\ISBMgr.exe

C:\Programmi\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Programmi\Sony\VAIO Update 4\VAIOUpdt.exe

C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programmi\Vodafone\VMCLite\VodafoneVMCLiteLauncher.exe

C:\Programmi\Java\jre6\bin\jusched.exe

C:\Programmi\Alwil Software\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Programmi\Apoint\Apntex.exe

C:\Programmi\Apoint\Apvfb.exe

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\cintia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.repubblica.it/

uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/

uInternet Settings,ProxyServer = http=127.0.0.1:25452

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Guida per l'accesso a Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmi\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmi\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\progra~1\google~1\GoogleAFE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmi\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\documents and settings\all users\dati applicazioni\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler

mRun: [Apoint] c:\programmi\apoint\Apoint.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [VAIOCameraUtility] "c:\programmi\sony\vaio camera utility\VCUServe.exe"

mRun: [sonyPowerCfg] c:\programmi\sony\vaio power management\SPMgr.exe

mRun: [iSBMgr.exe] c:\programmi\sony\isb utility\ISBMgr.exe

mRun: [switcher.exe] c:\programmi\sony\wireless switch setting utility\Switcher.exe

mRun: [<NO NAME>]

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Adobe Photo Downloader] "c:\programmi\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime

mRun: [VAIO Update 4] "c:\programmi\sony\vaio update 4\VAIOUpdt.exe" /Stationary

mRun: [Acrobat Assistant 7.0] "c:\programmi\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [VodafoneVMCLiteLauncher] c:\programmi\vodafone\vmclite\\VodafoneVMCLiteLauncher.exe

mRun: [sunJavaUpdateSched] "c:\programmi\java\jre6\bin\jusched.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [avast5] "c:\programmi\alwil software\avast5\avastUI.exe" /nogui

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\fileco~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\adobeg~1.lnk - c:\programmi\file comuni\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\avviov~1.lnk - c:\programmi\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\blueto~1.lnk - c:\programmi\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\newsho~1.lnk - c:\programmi\vodafone\vmclite\VodafoneVMCLiteLauncher.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: sony-europe.com

Trusted Zone: sonystyle-europe.com

Trusted Zone: vaio-link.com

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Programmi/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149263497781

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Programmi/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx

Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\programmi\invitrogen\vector nti advance 10\Ncbi.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll

IFEO: image file execution options - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cintia\datiap~1\mozilla\firefox\profiles\bn6oi4r2.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 25452

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\windows\system32\NPTNGPlayer.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\programmi\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-13 28552]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-13 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-13 17744]

R2 avast! Antivirus;avast! Antivirus;c:\programmi\alwil software\avast5\AvastSvc.exe [2010-11-13 40384]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\programmi\alwil software\avast5\AvastSvc.exe [2010-11-13 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\programmi\alwil software\avast5\AvastSvc.exe [2010-11-13 40384]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-20 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-20 808448]

S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]

S3 ONDAUsbDiag;ONDA USB Diagnostics Port;c:\windows\system32\drivers\ondausbdiag.sys --> c:\windows\system32\drivers\ONDAUsbDiag.sys [?]

S3 ONDAUsbModem;ONDA USB MODEM DRIVER;c:\windows\system32\drivers\ondausbmodem.sys --> c:\windows\system32\drivers\ONDAUsbModem.sys [?]

S3 ONDAUsbNmea;ONDA USB NMEA Port;c:\windows\system32\drivers\ondausbnmea.sys --> c:\windows\system32\drivers\ONDAUsbNmea.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\programmi\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-11-13 15:38:03 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-11-13 15:37:09 -------- d-----w- c:\programmi\Panda Security

2010-11-13 15:20:57 -------- d-----w- c:\docume~1\cintia\impost~1\datiap~1\Mozilla

2010-11-13 08:40:37 -------- d-----w- c:\docume~1\cintia\datiap~1\download2

2010-11-13 06:48:12 38848 ----a-w- c:\windows\avastSS.scr

2010-11-12 06:17:20 -------- d-----w- c:\programmi\Secunia

2010-11-11 23:46:09 -------- d-----w- c:\programmi\Glary Utilities

2010-11-11 21:12:02 -------- d-----w- c:\docume~1\cintia\datiap~1\Malwarebytes

2010-11-11 21:11:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-11 21:11:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-11 21:11:52 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-11-11 21:11:52 -------- d-----w- c:\docume~1\alluse~1\datiap~1\Malwarebytes

2010-11-11 09:28:22 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\SMFOVELE

2010-11-11 09:28:00 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\0129ac

==================== Find3M ====================

============= FINISH: 15:54:36.92 ===============

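The DDS excerpt above contains several entries a responder would want to check before even reading the TDSSKiller output: an IFEO entry on svchost.exe, the Explorer DisallowRun policy, a Firefox HTTP proxy pointed at loopback, and system+hidden directories created under the all-users application data folder. As an added illustration (not DDS's own code and not part of the helper's procedure), the Python script below applies those triage rules to constructed sample lines copied from the posted log; the rule names and severities are this example's own.

```python
"""Triage heuristics for a DDS log excerpt (added example, not part of DDS)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
mRun: [avast5] "c:\programmi\alwil software\avast5\avastUI.exe" /nogui
uPolicies-explorer: DisallowRun = 1 (0x1)
IFEO: image file execution options - svchost.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25452
FF - prefs.js: network.proxy.type - 0
2010-11-13 15:38:03 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-11 09:28:22 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\SMFOVELE
2010-11-11 09:28:00 -------- d-sh--w- c:\docume~1\alluse~1\datiap~1\0129ac
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Line shapes as DDS prints them (hypothetical regexes written for this example).
IFEO_RE = re.compile(r"^IFEO: .*? - (?P<target>\S+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")
POLICY_RE = re.compile(r"^uPolicies-explorer: (?P<name>\w+) = (?P<value>\d+)")
# "Created Last 30" rows: date time size attrs path; attrs is 8 chars, e.g. d-sh--w-
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ (?P<attrs>\S{8}) (?P<path>.+)$"
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def triage(dds_text):
    """Return a list of Findings for entries worth a responder's attention."""
    findings = []
    prefs = {}
    for raw in dds_text.strip().splitlines():
        line = raw.strip()
        if (m := IFEO_RE.match(line)):
            # An IFEO Debugger value silently redirects every launch of the target.
            findings.append(Finding(
                "ifeo",
                f"IFEO entry for {m['target']}: any Debugger value here runs in its place"))
            continue
        if (m := FF_PREF_RE.match(line)):
            prefs[m["key"]] = m["value"].strip()
            continue
        if (m := POLICY_RE.match(line)) and m["name"] == "DisallowRun" and m["value"] != "0":
            # DisallowRun=1 lets a policy list of executables be blocked by Explorer.
            findings.append(Finding(
                "explorer_policy",
                "DisallowRun=1: Explorer is configured to block listed programs"))
            continue
        if (m := CREATED_RE.match(line)):
            attrs = m["attrs"]
            # Directory with both system (s) and hidden (h) attributes set.
            if attrs[0] == "d" and "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden_system_dir", m["path"]))
    host = prefs.get("network.proxy.http")
    if host in LOOPBACK:
        port = prefs.get("network.proxy.http_port", "?")
        # In Firefox, network.proxy.type 1 means manual proxy; 0 means direct.
        active = prefs.get("network.proxy.type") == "1"
        state = "active" if active else "inactive (network.proxy.type is not 1)"
        findings.append(Finding("loopback_proxy", f"Firefox HTTP proxy {host}:{port}, {state}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.detail}")
```

The loopback proxy is reported even though network.proxy.type is 0, because a leftover localhost proxy setting is a trace of earlier interception that a cleanup should still note.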

Please don't attach the scans / logs, use "copy/paste".

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


2010/11/14 16:15:27.0796 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/14 16:15:27.0796 ================================================================================

2010/11/14 16:15:27.0796 SystemInfo:

2010/11/14 16:15:27.0796

2010/11/14 16:15:27.0796 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/14 16:15:27.0796 Product type: Workstation

2010/11/14 16:15:27.0796 ComputerName: COSCIOLONA2

2010/11/14 16:15:27.0796 UserName: cintia

2010/11/14 16:15:27.0796 Windows directory: C:\WINDOWS

2010/11/14 16:15:27.0796 System windows directory: C:\WINDOWS

2010/11/14 16:15:27.0796 Processor architecture: Intel x86

2010/11/14 16:15:27.0796 Number of processors: 2

2010/11/14 16:15:27.0796 Page size: 0x1000

2010/11/14 16:15:27.0796 Boot type: Normal boot

2010/11/14 16:15:27.0796 ================================================================================

2010/11/14 16:15:28.0171 Initialize success

2010/11/14 16:15:33.0093 ================================================================================

2010/11/14 16:15:33.0093 Scan started

2010/11/14 16:15:33.0093 Mode: Manual;

2010/11/14 16:15:33.0093 ================================================================================


2010/11/14 16:15:53.0296 \HardDisk0 - detected Backdoor.Win32.Sinowal.knf (0)

2010/11/14 16:15:53.0296 ================================================================================

2010/11/14 16:15:53.0296 Scan finished

2010/11/14 16:15:53.0296 ================================================================================

2010/11/14 16:15:53.0296 Detected object count: 1

2010/11/14 16:16:08.0031 \HardDisk0 - will be cured after reboot

2010/11/14 16:16:08.0031 Backdoor.Win32.Sinowal.knf(\HardDisk0) - User select action: Cure

2010/11/14 16:16:16.0218 Deinitialize success


2010/11/14 16:16:08.0031 Backdoor.Win32.Sinowal.knf(\HardDisk0) - User select action: Cure

Backdoor

That's not a good sign.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Yes LDTate, I was already preparing myself for your reply when I saw the TDSSKiller report.

It's my wife's PC and I believe she's been using eBay, online banking and whatnot on it; I should have been there in the first place to avoid this.

Let me talk to her and see what she decides; however, I would be more inclined to reformatting, as you suggest.

In the meantime I would need a couple of clarifications.

1. Is there any way our IP could have been targeted and used again in the future, also after reformatting?

2. How do I check that the router is clean, or how do I make it clean?

I will give you an answer tonight when she's back home.

Thanks

T


1. Is there any way our IP could have been targeted and used again in the future, also after reformatting?
Your IP is assigned by your ISP by static addressing unless you are using dynamic addressing.

Internet Protocol addresses are assigned to a host either anew at the time of booting, or permanently by fixed configuration of its hardware or software. Persistent configuration is also known as using a static IP address. In contrast, in situations when the computer's IP address is assigned newly each time, this is known as using a dynamic IP address.

2. How do I check that the router is clean, or how do I make it clean?
If you have the router paperwork / software that came with it, you can reset it and assign a new password. There's a small hole in the back of the router with a reset button that you can push in to reset it as well. You really want to use the software that came with it to make any changes.

Right now I'd like you to reboot and run a new TDSSKiller scan and post the results


Hi LDTate, sorry I had to go offline for a while.

I did a reboot of the router and indeed it seems it's working on a static IP. I will contact my ISP to find out whether they can issue a new one.

As for the router itself, my question was indeed whether a normal reset would be sufficient to erase any trace left on the router.

Here's the log of TDSSKiller; one scan was done at 16:38 (only boot) after the cure and the last one was done half an hour ago (complete). Neither reports the backdoor as still present. However, I spoke with my wife and for work reasons she won't be able to let me do a reformat for a couple of weeks, so if you can, I would appreciate your help in completing the cleaning as much as we can. Thanks

2010/11/14 16:38:08.0875 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/14 16:38:08.0875 ================================================================================

2010/11/14 16:38:08.0875 SystemInfo:

2010/11/14 16:38:08.0875

2010/11/14 16:38:08.0875 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/14 16:38:08.0890 Product type: Workstation

2010/11/14 16:38:08.0890 ComputerName: COSCIOLONA2

2010/11/14 16:38:08.0890 UserName: cintia

2010/11/14 16:38:08.0890 Windows directory: C:\WINDOWS

2010/11/14 16:38:08.0890 System windows directory: C:\WINDOWS

2010/11/14 16:38:08.0890 Processor architecture: Intel x86

2010/11/14 16:38:08.0890 Number of processors: 2

2010/11/14 16:38:08.0890 Page size: 0x1000

2010/11/14 16:38:08.0890 Boot type: Normal boot

2010/11/14 16:38:08.0890 ================================================================================

2010/11/14 16:38:09.0234 Initialize success

2010/11/14 16:38:14.0671 ================================================================================

2010/11/14 16:38:14.0671 Scan started

2010/11/14 16:38:14.0671 Mode: Manual;

2010/11/14 16:38:14.0671 ================================================================================

2010/11/14 16:38:15.0812 ================================================================================

2010/11/14 16:38:15.0812 Scan finished

2010/11/14 16:38:15.0812 ================================================================================

2010/11/14 16:38:43.0312 Deinitialize success

2010/11/14 20:22:34.0093 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/14 20:22:34.0093 ================================================================================

2010/11/14 20:22:34.0093 SystemInfo:

2010/11/14 20:22:34.0093

2010/11/14 20:22:34.0093 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/14 20:22:34.0093 Product type: Workstation

2010/11/14 20:22:34.0093 ComputerName: COSCIOLONA2

2010/11/14 20:22:34.0093 UserName: cintia

2010/11/14 20:22:34.0093 Windows directory: C:\WINDOWS

2010/11/14 20:22:34.0093 System windows directory: C:\WINDOWS

2010/11/14 20:22:34.0093 Processor architecture: Intel x86

2010/11/14 20:22:34.0093 Number of processors: 2

2010/11/14 20:22:34.0093 Page size: 0x1000

2010/11/14 20:22:34.0093 Boot type: Normal boot

2010/11/14 20:22:34.0093 ================================================================================

2010/11/14 20:22:34.0390 Initialize success

2010/11/14 20:22:37.0531 ================================================================================

2010/11/14 20:22:37.0531 Scan started

2010/11/14 20:22:37.0531 Mode: Manual;

2010/11/14 20:22:37.0531 ================================================================================


2010/11/14 20:22:56.0671 ================================================================================

2010/11/14 20:22:56.0671 Scan finished

2010/11/14 20:22:56.0671 ================================================================================


Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


ComboFix 10-11-12.06 - cintia 11/14/2010 21:15:30.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1022.511 [GMT 1:00]

Eseguito da: c:\documents and settings\cintia\Desktop\TnT.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Dati applicazioni\0129ac

c:\documents and settings\All Users\Dati applicazioni\0129ac\0129ac24ad3b824f239593b0cf6021cb.ocx

c:\documents and settings\All Users\Dati applicazioni\0129ac\2345.mof

c:\documents and settings\All Users\Dati applicazioni\0129ac\BackUp\Adobe Gamma Loader.lnk

c:\documents and settings\All Users\Dati applicazioni\0129ac\BackUp\Avvio veloce di Adobe Reader.lnk

c:\documents and settings\All Users\Dati applicazioni\0129ac\BackUp\Bluetooth Manager.lnk

c:\documents and settings\All Users\Dati applicazioni\0129ac\BackUp\NewShortcut1.lnk

c:\documents and settings\All Users\Dati applicazioni\0129ac\SME.ico

c:\documents and settings\All Users\Dati applicazioni\0129ac\wgbtm9q01u8zn1fjvxjgdg.dll

c:\documents and settings\cintia\Dati applicazioni\download2

c:\documents and settings\cintia\Preferiti\Videos.url

c:\documents and settings\cintia\Recent\ANTIGEN.tmp

c:\documents and settings\cintia\Recent\cb.sys

c:\documents and settings\cintia\Recent\DBOLE.dll

c:\documents and settings\cintia\Recent\ddv.dll

c:\documents and settings\cintia\Recent\eb.exe

c:\documents and settings\cintia\Recent\exec.exe

c:\documents and settings\cintia\Recent\exec.sys

c:\documents and settings\cintia\Recent\fan.dll

c:\documents and settings\cintia\Recent\FS.drv

c:\documents and settings\cintia\Recent\grid.sys

c:\documents and settings\cintia\Recent\kernel32.dll

c:\documents and settings\cintia\Recent\pal.exe

c:\documents and settings\cintia\Recent\pal.sys

c:\documents and settings\cintia\Recent\PE.dll

c:\documents and settings\cintia\Recent\PE.exe

c:\documents and settings\cintia\Recent\PE.tmp

c:\documents and settings\cintia\Recent\tjd.drv

.

((((((((((((((((((((((((( Files Creati Da 2010-10-14 al 2010-11-14 )))))))))))))))))))))))))))))))))))

.

2010-11-14 08:03 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2010-11-14 08:03 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-14 08:03 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-11-14 08:02 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-11-14 08:01 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-11-13 15:38 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-11-13 15:37 . 2010-11-13 15:37 -------- d-----w- c:\programmi\Panda Security

2010-11-13 15:20 . 2010-11-13 15:20 -------- d-----w- c:\documents and settings\cintia\Impostazioni locali\Dati applicazioni\Mozilla

2010-11-13 06:48 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-11-13 06:48 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-11-13 06:48 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-11-13 06:48 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-11-13 06:48 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-11-13 06:48 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-11-13 06:48 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-11-13 06:48 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr

2010-11-13 06:48 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-11-12 06:17 . 2010-11-12 06:17 -------- d-----w- c:\programmi\Secunia

2010-11-11 23:46 . 2010-11-11 23:46 -------- d-----w- c:\programmi\Glary Utilities

2010-11-11 21:12 . 2010-11-11 21:12 -------- d-----w- c:\documents and settings\cintia\Dati applicazioni\Malwarebytes

2010-11-11 21:11 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-11 21:11 . 2010-11-11 21:11 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-11-11 21:11 . 2010-11-11 21:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes

2010-11-11 21:11 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-11 09:28 . 2010-11-11 09:28 -------- d-sh--w- c:\documents and settings\All Users\Dati applicazioni\SMFOVELE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 11:23 . 2006-03-20 05:30 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-03-20 05:30 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-03-20 05:30 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-03-20 05:30 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:49 . 2006-03-20 05:30 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:49 . 2006-03-20 05:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:49 . 2006-03-20 05:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2006-03-20 05:29 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-09-01 07:54 . 2006-03-20 05:30 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2006-03-20 05:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:58 . 2006-03-20 05:30 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-27 01:43 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-26 13:39 . 2006-03-20 05:30 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-23 16:12 . 2006-03-20 05:29 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2006-03-20 05:30 58880 ----a-w- c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\programmi\Apoint\Apoint.exe" [2004-11-17 118784]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-17 64512]

"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]

"VAIOCameraUtility"="c:\programmi\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]

"SonyPowerCfg"="c:\programmi\Sony\VAIO Power Management\SPMgr.exe" [2005-12-13 217088]

"ISBMgr.exe"="c:\programmi\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"Switcher.exe"="c:\programmi\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]

"Adobe Photo Downloader"="c:\programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 57344]

"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-01-31 385024]

"VAIO Update 4"="c:\programmi\Sony\VAIO Update 4\VAIOUpdt.exe" [2008-08-24 870240]

"Acrobat Assistant 7.0"="c:\programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]

"VodafoneVMCLiteLauncher"="c:\programmi\Vodafone\VMCLite\\VodafoneVMCLiteLauncher.exe" [2007-10-17 102400]

"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"avast5"="c:\programmi\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\

Adobe Gamma Loader.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-10 113664]

Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-2 1753088]

NewShortcut1.lnk - c:\programmi\Vodafone\VMCLite\VodafoneVMCLiteLauncher.exe [2007-10-17 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-06-30 11:12 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"9461:TCP"= 9461:TCP:Services

"9460:TCP"= 9460:TCP:Services

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/13/2010 4:38 PM 28552]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/13/2010 7:48 AM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/13/2010 7:48 AM 17744]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/20/2006 6:31 AM 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/20/2006 6:31 AM 808448]

S3 ONDAUsbDiag;ONDA USB Diagnostics Port;c:\windows\system32\DRIVERS\ONDAUsbDiag.sys --> c:\windows\system32\DRIVERS\ONDAUsbDiag.sys [?]

S3 ONDAUsbModem;ONDA USB MODEM DRIVER;c:\windows\system32\DRIVERS\ONDAUsbModem.sys --> c:\windows\system32\DRIVERS\ONDAUsbModem.sys [?]

S3 ONDAUsbNmea;ONDA USB NMEA Port;c:\windows\system32\DRIVERS\ONDAUsbNmea.sys --> c:\windows\system32\DRIVERS\ONDAUsbNmea.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 3:05 PM 14904]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - klmd25

*Deregistered* - uphcleanhlp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

apwamhl

.

Contenuto della cartella 'Scheduled Tasks'

2010-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-11-14 c:\windows\Tasks\GlaryInitialize.job

- c:\programmi\Glary Utilities\initialize.exe [2010-11-11 20:55]

2010-11-14 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2010-11-14 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

.

.

------- Scansione supplementare -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.repubblica.it/

uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/

uInternet Settings,ProxyServer = http=127.0.0.1:25452

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: sony-europe.com

Trusted Zone: sonystyle-europe.com

Trusted Zone: vaio-link.com

Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\programmi\Invitrogen\Vector NTI Advance 10\Ncbi.dll

FF - ProfilePath - c:\documents and settings\cintia\Dati applicazioni\Mozilla\Firefox\Profiles\bn6oi4r2.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 25452

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\windows\system32\NPTNGPlayer.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - CHIAVI ORFANE RIMOSSE - - - -

Toolbar-Locked - (no file)

**************************************************************************

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo

Files nascosti:

**************************************************************************

.

--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-609190371-2126594441-3192560598-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-609190371-2126594441-3192560598-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (S-1-5-21-609190371-2126594441-3192560598-1006)

@Allowed: (Read) (S-1-5-21-609190371-2126594441-3192560598-1006)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"9461:TCP"=-
"9460:TCP"=-

FireFox::
network.proxy.http - 127.0.0.1
network.proxy.http_port - 25452
network.proxy.type - 0

Save this file to your desktop as "CFScript".

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


ComboFix 10-11-12.06 - cintia 11/14/2010 21:55:52.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1022.517 [GMT 1:00]

Eseguito da: c:\documents and settings\cintia\Desktop\TnT.exe

Opzioni usate :: c:\documents and settings\cintia\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Creati Da 2010-10-14 al 2010-11-14 )))))))))))))))))))))))))))))))))))

.

2010-11-14 20:11 . 2010-11-14 20:22 -------- d-----w- C:\TnT

2010-11-14 08:03 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2010-11-14 08:03 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-14 08:03 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-11-14 08:02 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-11-14 08:01 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-11-13 15:38 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-11-13 15:37 . 2010-11-13 15:37 -------- d-----w- c:\programmi\Panda Security

2010-11-13 15:20 . 2010-11-13 15:20 -------- d-----w- c:\documents and settings\cintia\Impostazioni locali\Dati applicazioni\Mozilla

2010-11-13 06:48 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-11-13 06:48 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-11-13 06:48 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-11-13 06:48 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-11-13 06:48 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-11-13 06:48 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-11-13 06:48 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-11-13 06:48 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr

2010-11-13 06:48 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-11-12 06:17 . 2010-11-12 06:17 -------- d-----w- c:\programmi\Secunia

2010-11-11 23:46 . 2010-11-11 23:46 -------- d-----w- c:\programmi\Glary Utilities

2010-11-11 21:12 . 2010-11-11 21:12 -------- d-----w- c:\documents and settings\cintia\Dati applicazioni\Malwarebytes

2010-11-11 21:11 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-11 21:11 . 2010-11-11 21:11 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-11-11 21:11 . 2010-11-11 21:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes

2010-11-11 21:11 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-11 09:28 . 2010-11-11 09:28 -------- d-sh--w- c:\documents and settings\All Users\Dati applicazioni\SMFOVELE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 11:23 . 2006-03-20 05:30 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-03-20 05:30 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-03-20 05:30 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-03-20 05:30 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:49 . 2006-03-20 05:30 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:49 . 2006-03-20 05:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:49 . 2006-03-20 05:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2006-03-20 05:29 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-09-01 07:54 . 2006-03-20 05:30 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2006-03-20 05:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:58 . 2006-03-20 05:30 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-27 01:43 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-26 13:39 . 2006-03-20 05:30 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-23 16:12 . 2006-03-20 05:29 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2006-03-20 05:30 58880 ----a-w- c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\programmi\Apoint\Apoint.exe" [2004-11-17 118784]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-17 64512]

"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]

"VAIOCameraUtility"="c:\programmi\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]

"SonyPowerCfg"="c:\programmi\Sony\VAIO Power Management\SPMgr.exe" [2005-12-13 217088]

"ISBMgr.exe"="c:\programmi\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"Switcher.exe"="c:\programmi\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]

"Adobe Photo Downloader"="c:\programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 57344]

"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-01-31 385024]

"VAIO Update 4"="c:\programmi\Sony\VAIO Update 4\VAIOUpdt.exe" [2008-08-24 870240]

"Acrobat Assistant 7.0"="c:\programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]

"VodafoneVMCLiteLauncher"="c:\programmi\Vodafone\VMCLite\\VodafoneVMCLiteLauncher.exe" [2007-10-17 102400]

"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"avast5"="c:\programmi\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\

Adobe Gamma Loader.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-10 113664]

Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-2 1753088]

NewShortcut1.lnk - c:\programmi\Vodafone\VMCLite\VodafoneVMCLiteLauncher.exe [2007-10-17 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-06-30 11:12 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/13/2010 4:38 PM 28552]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/13/2010 7:48 AM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/13/2010 7:48 AM 17744]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/20/2006 6:31 AM 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/20/2006 6:31 AM 808448]

S3 ONDAUsbDiag;ONDA USB Diagnostics Port;c:\windows\system32\DRIVERS\ONDAUsbDiag.sys --> c:\windows\system32\DRIVERS\ONDAUsbDiag.sys [?]

S3 ONDAUsbModem;ONDA USB MODEM DRIVER;c:\windows\system32\DRIVERS\ONDAUsbModem.sys --> c:\windows\system32\DRIVERS\ONDAUsbModem.sys [?]

S3 ONDAUsbNmea;ONDA USB NMEA Port;c:\windows\system32\DRIVERS\ONDAUsbNmea.sys --> c:\windows\system32\DRIVERS\ONDAUsbNmea.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 3:05 PM 14904]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - uphcleanhlp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

apwamhl

.

Contenuto della cartella 'Scheduled Tasks'

2010-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-11-14 c:\windows\Tasks\GlaryInitialize.job

- c:\programmi\Glary Utilities\initialize.exe [2010-11-11 20:55]

2010-11-14 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2010-11-14 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

.

.

------- Scansione supplementare -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.repubblica.it/

uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/

uInternet Settings,ProxyServer = http=127.0.0.1:25452

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: sony-europe.com

Trusted Zone: sonystyle-europe.com

Trusted Zone: vaio-link.com

Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\programmi\Invitrogen\Vector NTI Advance 10\Ncbi.dll

FF - ProfilePath - c:\documents and settings\cintia\Dati applicazioni\Mozilla\Firefox\Profiles\bn6oi4r2.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 25452

FF - prefs.js: network.proxy.type - 0

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-14 22:04

Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo

Files nascosti: 0

**************************************************************************

.

--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-609190371-2126594441-3192560598-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-609190371-2126594441-3192560598-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (S-1-5-21-609190371-2126594441-3192560598-1006)

@Allowed: (Read) (S-1-5-21-609190371-2126594441-3192560598-1006)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\


These Proxy settings bother me.

uInternet Settings,ProxyServer = http=127.0.0.1:25452

uInternet Settings,ProxyOverride = *.local

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 25452

Try this again

Internet Explorer (Windows)

1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.

Firefox (Windows)

1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.

Disable Internet Explorer Proxy Settings and Reset TCP/IP and Winsock

Disable Internet Explorer Proxy Settings and Reset TCP/IP

It is very important that these steps be carried out exactly as shown otherwise the fix will not work.

If you have any questions please ask before moving on.

  • Please start Notepad and using your mouse make sure you select and copy all the information below in the Code box into your new document.
  • Then save the file as "fixme.bat" to your Desktop
  • In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.
    @ECHO OFF
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
    netsh int ip reset resetlog.txt
    netsh winsock reset catalog


  • On Windows XP you can double-click the file to run it.
  • On Vista/Win7 you need to Right click the file and choose Run as administrator to run it. With User Account Control on it should ask permission to run it. Click Yes
  • This will flash a black DOS box very quickly and go away, this is normal.
  • Restart your computer now.
  • Launch Internet Explorer and see if you can connect to the Internet.
  • Launch MBAM and check for Updates

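The helper's two scripts above act on the same handful of log lines: the loopback proxy in IE and Firefox, the GloballyOpenPorts exceptions named "Services", and the disabled Security Center monitoring and firewall. As an added example (not part of this thread, nor a ComboFix feature), the Python below scans ComboFix-style output for exactly those indicators so an analyst can triage a posted log before writing a fix script; the sample log, the KNOWN_OPEN_PORTS allowlist and all function names are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the ComboFix log posted in this thread
# (registry excerpts plus the "Scansione supplementare" browser lines).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
uInternet Settings,ProxyServer = http=127.0.0.1:25452
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25452
FF - prefs.js: network.proxy.type - 0
"""

# Firewall exceptions already accounted for on this machine (assumption:
# Remote Desktop is expected here; every other exception gets flagged).
KNOWN_OPEN_PORTS = {("3389", "TCP"): "Remote Desktop"}

LOOPBACK = {"127.0.0.1", "localhost"}

IE_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([\w.\-]+):(\d+)")
FF_PROXY_HOST_RE = re.compile(r"network\.proxy\.http\s*-\s*([\w.\-]+)")
FF_PROXY_PORT_RE = re.compile(r"network\.proxy\.http_port\s*-\s*(\d+)")
FF_PROXY_TYPE_RE = re.compile(r"network\.proxy\.type\s*-\s*(\d+)")
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


def find_loopback_proxies(log: str) -> List[str]:
    """Report browser proxy settings that point back at the local machine.

    A proxy on 127.0.0.1 with no proxy software knowingly installed means
    browser traffic is handed to a local process before it leaves the host,
    which is the pattern the helper in this thread flagged.
    """
    findings: List[str] = []
    ff_host: Optional[str] = None
    ff_port: Optional[str] = None
    ff_type: Optional[str] = None
    for line in log.splitlines():
        m = IE_PROXY_RE.search(line)
        if m and m.group(1) in LOOPBACK:
            findings.append(f"IE ProxyServer -> {m.group(1)}:{m.group(2)}")
        if m := FF_PROXY_HOST_RE.search(line):
            ff_host = m.group(1)
        if m := FF_PROXY_PORT_RE.search(line):
            ff_port = m.group(1)
        if m := FF_PROXY_TYPE_RE.search(line):
            ff_type = m.group(1)
    if ff_host in LOOPBACK:
        # network.proxy.type 0 is Firefox's "no proxy" mode, so the host/port
        # prefs are stale residue rather than an active proxy; 1 is manual.
        state = "active" if ff_type == "1" else f"not active (network.proxy.type={ff_type})"
        findings.append(f"Firefox network.proxy.http -> {ff_host}:{ff_port} [{state}]")
    return findings


def find_unexpected_open_ports(log: str) -> List[str]:
    """Report GloballyOpenPorts exceptions that are not in KNOWN_OPEN_PORTS."""
    findings: List[str] = []
    for line in log.splitlines():
        m = OPEN_PORT_RE.match(line.strip())
        if not m:
            continue
        port, proto, name = m.group(1), m.group(2), m.group(3).strip()
        if (port, proto) not in KNOWN_OPEN_PORTS:
            findings.append(f"{port}/{proto} opened as '{name}'")
    return findings


def find_protection_tampering(log: str) -> List[str]:
    """Report settings that silence Security Center or switch off the firewall."""
    findings: List[str] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line  # remember which registry key the values belong to
        elif re.match(r'"DisableMonitoring"=dword:0*1$', line):
            findings.append(f"Security Center monitoring disabled in {section}")
        elif re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(f"Windows Firewall off in {section}")
    return findings


def analyze(log: str) -> Dict[str, List[str]]:
    """Run all three checks and group the findings by category."""
    return {
        "loopback_proxy": find_loopback_proxies(log),
        "unexpected_open_ports": find_unexpected_open_ports(log),
        "protection_tampering": find_protection_tampering(log),
    }


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  -", item)
```

Every finding is something to review against what the owner knowingly installed, not a verdict; the Symantec-specific DisableMonitoring subkeys in the log, for instance, are deliberately left out of the sample because they can be left behind by a normal uninstall.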

As I said before, when I go and check the proxy settings in IE and Firefox they are both disabled (i.e. no proxy).

Ran fixme.bat, same feedback messages as before (some registry keys not found or too many parameters).

Reboot.

Running a complete MBAM scan, will post the log once ready.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Versione database: 5112

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/14/2010 11:27:55 PM

mbam-log-2010-11-14 (23-27-55).txt

Tipo di scansione: Scansione completa (C:\|D:\|)

Elementi esaminati: 269350

Tempo trascorso: 1 ore, 2 minuti, 33 secondi

Processi infetti in memoria: 0

Moduli di memoria infetti: 0

Chiavi di registro infette: 0

Valori di registro infetti: 0

Voci infette nei dati di registro: 0

Cartelle infette: 0

File infetti: 0

Processi infetti in memoria:

(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:

(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:

(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:

(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:

(Non sono stati rilevati elementi nocivi)

Cartelle infette:

(Non sono stati rilevati elementi nocivi)

File infetti:

(Non sono stati rilevati elementi nocivi)
