
Hi all,
I think I've got a rootkit infection.

What I can see on my PC is that ad windows are opened by Internet Explorer and Firefox.

Moreover, there are programs that do not start, and I must retry several times to start them. It happens with Firefox, Internet Explorer, some tools I use for my job, and even with Explorer at startup. Usually the process starts (I can see it in Task Manager; it takes some memory and then freezes). I then have to kill it manually and try to restart it. After some tries I succeed in starting the program.

I already followed all the steps you suggest before posting, but the problems are still the same.

I ran the Microsoft® Windows® Malicious Software Removal Tool and it didn't find anything.

I ran ATF-Cleaner.

Then I ran GMER. This is GMER log one:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-23 18:11:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 ST920042 rev.3.AH
Running: y2jj2xvf.exe; Driver: C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\ufroqaod.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF70B09A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF70B0940]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF70B0954]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF70B09BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF70B09E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF70B0A54]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF70B0A3E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF70B0A6A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF70B0AFE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF70B0A96]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF70B0992]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF70B0904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF70B0918]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF70B0AD2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF70B0A28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF70B0A12]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF70B09D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF70B0ABE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF70B0AAA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF70B097E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF70B096A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF70B09FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF70B0B2D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF70B0A80]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF70B0B14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF70B0AE8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9200420AS_____________________________3.AHC___#4&3aa650ec&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

This is GMER log two:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-23 18:40:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 ST920042 rev.3.AH
Running: y2jj2xvf.exe; Driver: C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\ufroqaod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF70B09A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF70B0940]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF70B0954]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF70B09BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF70B09E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF70B0A54]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF70B0A3E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF70B0A6A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF70B0AFE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF70B0A96]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF70B0992]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF70B0904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF70B0918]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF70B0AD2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF70B0A28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF70B0A12]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF70B09D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF70B0ABE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF70B0AAA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF70B097E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF70B096A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF70B09FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF70B0B2D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF70B0A80]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF70B0B14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF70B0AE8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_650_14599.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9200420AS_____________________________3.AHC___#4&3aa650ec&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\APSHook.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Programmi\File comuni\System\Ole DB\resources\1033\MSDMINE.RLL 44784 bytes executable
File C:\Programmi\File comuni\System\Ole DB\resources\1033\msmdsrv.rll 600928 bytes executable
File C:\Programmi\File comuni\System\Ole DB\resources\1033\MSOLAP80.RLL 219888 bytes executable
File C:\Programmi\File comuni\System\Ole DB\resources\1033\msolui90.rll 13600 bytes executable
File C:\Programmi\File comuni\System\Ole DB\resources\1033\OLAPUIR.RLL 12016 bytes executable
File C:\Programmi\File comuni\System\Ole DB\resources\1040\MSDMINE.RLL 50928 bytes executable
File C:\Programmi\File comuni\System\Ole DB\resources\1040\MSOLAP80.RLL 256752 bytes executable
File C:\Programmi\File comuni\System\Ole DB\resources\1040\OLAPUIR.RLL 12528 bytes executable
File C:\Programmi\File comuni\Windows Live\.cache\1a591de1ca7034\SegoeFont.msi 0 bytes

---- EOF - GMER 1.0.15 ----

After the GMER scan finished, my system started to perform really badly and I had to restart it; it was very slow, and it was not possible to install MBAM or save a file.

After rebooting I started MBAM; here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6145

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

23/03/2011 23.03.55
mbam-log-2011-03-23 (23-03-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 485579
Time elapsed: 2 hours, 21 minutes, 56 seconds

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I also ran DDS, but the file it produced says not to post the content unless requested, so I will wait for that.

Thanks a lot for the help you will give me.

Vincenzo.
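The two GMER logs above contain two very different kinds of line: thirty "Code mfehidk.sys (McAfee ...)" SSDT hook entries, which belong to the installed McAfee on-access driver, and a single "Disk ... TDL4@MBR code has been found" entry, which is the actual rootkit indicator. When triaging a log like this it helps to separate the expected hooking by a known AV driver from the disk-sector and AppInit_DLLs findings. The following Python script is an added example for that triage; it is not part of the original post and not a GMER tool. The sample lines are copied from the log above and trimmed, and the table of "known hooking modules" is an assumption that you would fill from your own AV/EDR inventory.

```python
import re
from collections import Counter

# Constructed sample input: a few lines copied from the GMER log posted above,
# trimmed so the script runs offline. A real run would read the whole log file.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-23 18:40:21

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF70B09A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF70B0904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\APSHook.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
"""

# Kernel modules that are expected to hook the SSDT on this machine. This table
# is an assumption for the example: build it from your own AV/EDR inventory.
KNOWN_HOOKING_MODULES = {
    "mfehidk.sys": "McAfee VirusScan Enterprise on-access driver",
}

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
HOOK_RE = re.compile(r"^Code\s+(\S+)\s+\((.*?)\)\s+(\w+)")
REG_RE = re.compile(r"^Reg\s+(.+?)@(\S+)\s*(.*)$")
DISK_RE = re.compile(r"^Disk\s+(\S+)\s+(.*)$")


def parse_gmer(text):
    """Split a GMER text log into SSDT hooks, registry entries and disk findings."""
    findings = {"sections": [], "hooks": [], "registry": [], "disk": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            findings["sections"].append(m.group(1))
        elif m := HOOK_RE.match(line):
            findings["hooks"].append(
                {"module": m.group(1), "vendor": m.group(2), "function": m.group(3)})
        elif m := REG_RE.match(line):
            findings["registry"].append(
                {"key": m.group(1), "value": m.group(2), "data": m.group(3)})
        elif m := DISK_RE.match(line):
            findings["disk"].append({"device": m.group(1), "detail": m.group(2)})
    return findings


def triage(findings):
    """Return (severity, message) tuples; HIGH means 'stop and image the disk'."""
    alerts = []
    # GMER's own MBR check: anything it calls rootkit-like in sector 0 is the
    # primary indicator, regardless of what the AV scanners report.
    for d in findings["disk"]:
        if "rootkit" in d["detail"].lower():
            alerts.append(("HIGH", f"{d['device']}: {d['detail']}"))
    # AppInit_DLLs is loaded into every process that links user32.dll, so any
    # value here deserves a publisher check even when it turns out benign.
    for r in findings["registry"]:
        if r["value"].lower() == "appinit_dlls" and r["data"]:
            alerts.append(("MEDIUM", f"AppInit_DLLs = {r['data']}; verify signer"))
    # SSDT hooks: normal for an on-access AV driver, suspicious for anything else.
    for module, n in Counter(h["module"] for h in findings["hooks"]).items():
        if module in KNOWN_HOOKING_MODULES:
            alerts.append(("INFO", f"{n} SSDT hooks by {module} ({KNOWN_HOOKING_MODULES[module]}), expected"))
        else:
            alerts.append(("HIGH", f"{n} SSDT hooks by unrecognised module {module}"))
    return alerts


if __name__ == "__main__":
    for severity, message in triage(parse_gmer(SAMPLE_GMER_LOG)):
        print(f"[{severity}] {message}")
```

Run against the sample it prints two HIGH lines for the sector-0 findings, one MEDIUM line for APSHook.dll (which the Registry section shows is loaded via AppInit_DLLs with RequireSignedAppInit_DLLs set to 1, so it still needs a signer check rather than an automatic clean bill), and one INFO line summarising the McAfee hooks. Any hook from a module not in the known table is raised to HIGH, which is the behaviour you want if a real kernel-mode rootkit ever shows up in the System section.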


First of all, did you run a full scan with MBAM, or just a "Quick Scan"? I assume that you are using the free version of MBAM, since you have not already run a "Flash Scan".

Anyhow, PUM stands for "Potentially Unwanted Modification", which can be a result of malware but can also be a result of operator modifications. It is OK to remove them.

Edited by jholland1964: Unnecessary links removed.

Votes + Comments
You have previously been told: there are procedures that we have set here for those with problems to follow, and those procedures are still in place today.

gunny:
That was a complete scan done with MBA-M.

If there IS a rootkit on the computer, then the DDS log may show it. Let's wait for all the logs requested in our sticky to be posted and then go from there.

Now to mazekx:
Please do not post logs in quotes; that makes them nearly unreadable. They must be copy/pasted.

Before running any other tools, please post both of the logs produced by the DDS scanner.

There are no instructions which say not to post the DDS logs; we wouldn't ask you to run it if we didn't want to see the logs.

Do not attach either one; both must be copy/pasted, and please don't quote them, post them.

Edited by jholland1964: n/a


Thanks to both of you for your replies.

@jholland: Here are the logs (notice the beginning of the attach.txt file :P)
@gunny: I would also agree with you about McAfee (even if it was my first antivirus in the 90s), but anyway I can't uninstall it because it is a corporate tool and I don't have the right to uninstall it or stop it (even though I am the administrator of my PC).

Regards,
Vincenzo.

DDS.txt:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 10.47.56,26 on 24/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2031.808 [GMT 1:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\httpd.exe
C:\Programmi\Intel\AMT\atchksrv.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\Juniper Networks\Common Files\dsNcService.exe
C:\Programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\xampp\apache\bin\httpd.exe
C:\Programmi\Intel\AMT\LMS.exe
C:\Programmi\McAfee\VirusScan Enterprise\engineserver.exe
C:\Programmi\McAfee\Common Framework\FrameworkService.exe
C:\Programmi\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\lotus\notes\ntmulti.exe
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SupportAppXL\onda_mon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\Intel\AMT\UNS.exe
C:\Programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Programmi\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Programmi\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Programmi\Intel\AMT\atchk.exe
C:\Programmi\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Programmi\Hewlett-Packard\Shared\HpqToaster.exe
C:\Programmi\McAfee\Common Framework\udaterui.exe
C:\Programmi\Real\RealPlayer\update\realsched.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programmi\McAfee\Common Framework\McTray.exe
C:\Programmi\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Programmi\Windows Live\Mail\wlmail.exe
C:\Programmi\Windows Live\Contacts\wlcomm.exe
c:\centenn.ial\audit\lpx86.exe
C:\Programmi\TrueCrypt\TrueCrypt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Java\jre6\bin\javaw.exe
C:\Programmi\Java\jre1.6.0\bin\javaw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Programmi\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Administrator\Desktop\daniweb\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyServer = proxy-centro.risorse.enel:8080
uInternet Settings,ProxyOverride = <local>
BHO: Supporto di collegamento per Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\dati applicazioni\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programmi\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\programmi\mcafee\virusscan enterprise\scriptsn.dll
BHO: Guida per l'accesso a Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\programmi\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
EB: IE WebDeveloper V2: {c23e2530-5555-437a-8a00-4785094c7cff} - c:\programmi\ieinspector\iewebdeveloperv2\IEWebDeveloperV2.dll
uRun: [Csuwileyocoz] rundll32.exe "c:\windows\miatil.dll",Startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{063FE004-5120-2042-71E3-DC8952D33A7B}] "c:\documents and settings\administrator\dati applicazioni\irsuty\tyodq.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAXPnP] c:\programmi\analog devices\core\smax4pnp.exe
mRun: [PTHOSTTR] c:\programmi\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [HP Software Update] c:\programmi\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\programmi\hewlett-packard\default settings\cpqset.exe
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [atchk] "c:\programmi\intel\amt\atchk.exe"
mRun: [HPWWANGSAssistant] c:\swsetup\hpqwwan\HPWWanGSAssistant.exe /TrayMode
mRun: [WatchDog] c:\programmi\intervideo\dvd check\DVDCheck.exe
mRun: [CanonSolutionMenu] c:\programmi\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\programmi\file comuni\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\programmi\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [ShStatEXE] "c:\programmi\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Discovery User Input] c:\discovery\user input\userin32.exe
mRun: [McAfeeUpdaterUI] "c:\programmi\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
mRun: [TkBellExe] "c:\programmi\real\realplayer\update\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\bttray.lnk - c:\programmi\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\ciscos~1.lnk - c:\programmi\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\dvdche~1.lnk - c:\programmi\intervideo\dvd check\DVDCheck.exe
IE: Display Toolbar and Menubar - c:\programmi\ieinspector\iewebdeveloperv2\cmd_display.html
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\programmi\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Invia a periferica &Bluetooth... - c:\programmi\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {C4046502-6524-4d87-896C-878F57D1FF07} - c:\programmi\pokerstars.it\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {D851CEE8-86A0-440C-B8F4-DA7DA99B5765} - {C23E2530-5555-437A-8A00-4785094C7CFF} - c:\programmi\ieinspector\iewebdeveloperv2\IEWebDeveloperV2.dll
IE: {F49F0575-88CE-4C6B-8C93-BCF153653A37} - {96CE8787-7C13-4B7C-B307-8F19A53A93D6} - c:\programmi\iedominspector\IEDOMInspector.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxp://madrid-sec01/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxp://madrid-sec01/officescan/console/html/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxp://madrid-sec01/officescan/console/html/root/AtxEnc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227689807234
DPF: {6BA21C22-53A5-463F-BBE8-5CF7FFA0132B} - hxxp://www.ocxt.com/download/officeviewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://extranet.everis.com/,DanaInfo=Milan-NS001.everis.int+dwa7W.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://extranet.everis.com/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: DeviceNP - DeviceNP.dll
Notify: OneCard - c:\programmi\hewlett-packard\iam\bin\ASWLNPkg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\programmi\file comuni\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\datiap~1\mozilla\firefox\profiles\p3g5kt6h.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\administrator\dati applicazioni\mozilla\firefox\profiles\p3g5kt6h.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - component: c:\documents and settings\all users\dati applicazioni\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\dati applicazioni\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\administrator\dati applicazioni\move networks\plugins\071803000001\npqmp071803000001.dll
FF - plugin: c:\documents and settings\administrator\impostazioni locali\dati applicazioni\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\all users\dati applicazioni\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\programmi\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\programmi\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programmi\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\programmi\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\opera\program\plugins\np_gp.dll
FF - plugin: c:\programmi\opera\program\plugins\nppdf32.dll
FF - plugin: c:\programmi\opera\program\plugins\nppl3260.dll
FF - plugin: c:\programmi\opera\program\plugins\nprjplug.dll
FF - plugin: c:\programmi\opera\program\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - %profile%\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\dati applicazioni\real\realplayer\browserrecordplugin\firefox\Ext
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-2-2 344712]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-4-26 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-29 13696]
R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [2009-12-4 77608]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-4-26 5808]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-11-27 116560]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-11-27 41424]
R3 cdprku;cdprku;c:\windows\system32\drivers\cdprku.sys [2011-3-21 25128]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-4 41216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-2 91896]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-2 43192]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-3-3 47616]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-11-27 95568]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-11-10 104016]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2007-4-23 30008]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-10-14 112640]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-10-14 7680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\f4.tmp --> c:\windows\system32\F4.tmp [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-2 66536]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys --> c:\windows\system32\drivers\ngfilter.sys [?]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys --> c:\windows\system32\drivers\nglog.sys [?]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys --> c:\windows\system32\drivers\ngvpn.sys [?]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [2010-10-15 104960]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\drivers\ONDAusbnet.sys [2010-10-15 110080]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [2010-10-15 104960]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [2010-10-15 104960]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-11-27 32016]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-10 280344]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-10-14 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2010-10-14 104960]
.
=============== File Associations ===============
.
.txt=UltraEdit.txt
.
=============== Created Last 30 ================
.
2011-03-24 09:32:49 -------- d-----w- c:\docume~1\admini~1\datiap~1\Vuynyf
2011-03-24 09:32:49 -------- d-----w- c:\docume~1\admini~1\datiap~1\Irsuty
2011-03-23 18:26:33 -------- d-----w- c:\docume~1\admini~1\datiap~1\Malwarebytes
2011-03-23 18:25:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 18:25:58 -------- d-----w- c:\docume~1\alluse~1\datiap~1\Malwarebytes
2011-03-23 18:25:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 18:25:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-03-22 16:01:16 -------- d-----w- c:\docume~1\admini~1\impost~1\datiap~1\AOL
2011-03-22 10:59:28 -------- d-----w- c:\programmi\Sophos
2011-03-22 09:33:18 98816 ----a-w- c:\windows\sed.exe
2011-03-22 09:33:18 89088 ----a-w- c:\windows\MBR.exe
2011-03-22 09:33:18 256512 ----a-w- c:\windows\PEV.exe
2011-03-22 09:33:18 161792 ----a-w- c:\windows\SWREG.exe
2011-03-22 09:32:45 -------- d-s---w- C:\ComboFix
2011-03-21 06:52:10 25128 ----a-w- c:\windows\system32\drivers\cdprku.sys
2011-03-19 21:19:42 -------- d-----w- c:\windows\pss
2011-03-15 11:13:11 53248 ----a-w- c:\temp\xdmclient-1.6.9\xdm.exe
2011-03-15 11:13:10 81920 ----a-w- c:\temp\xdmclient-1.6.9\plugins\org.eclipse.equinox.launcher.win32.win32.x86_1.0.101\eclipse_1115.dll
2011-03-14 16:48:07 -------- d-----w- c:\documents and settings\administrator\xdm2
2011-03-14 16:25:40 81920 ----a-w- c:\temp\xdm_client\plugins\org.eclipse.equinox.launcher.win32.win32.x86_1.0.101\eclipse_1115.dll
2011-03-14 16:22:38 53248 ----a-w- c:\temp\xdm_client\xdm.exe
2011-03-14 13:50:20 -------- d-----w- c:\documents and settings\administrator\xdm
2011-03-13 18:31:53 -------- d-----w- c:\programmi\foobar2000
2011-03-12 11:28:40 103864 ----a-w- c:\programmi\mozilla firefox\plugins\nppdf32.dll
2011-03-12 11:28:40 103864 ----a-w- c:\programmi\internet explorer\plugins\nppdf32.dll
2011-03-10 22:31:33 -------- d-----w- C:\Quarantine
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST920042 rev.3.AH -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x89C6E439]<<
c:\windows\system32\drivers\hpdskflt.sys Hewlett-Packard Corporation Hewlett-Packard Corporation Mobile Data Protection System
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89c747d0]; MOV EAX, [0x89c7484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A62A030]
3 CLASSPNP[0xF74F7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89C7F548]
5 hpdskflt[0xF7518FFD] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000be[0x8A64C958]
7 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A5DE030]
\Driver\iaStor[0x8A5E1CC0] -> IRP_MJ_CREATE -> 0x89C6E439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9200420AS_____________________________3.AHC___#4&3aa650ec&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 10.51.11,45 ===============

Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 25/11/2008 17.02.18
System Uptime: 24/03/2011 8.23.04 (2 hours ago)
.
Motherboard: Hewlett-Packard | | 30C5
Processor: Processore Intel Pentium III Xeon | U10 | 2493/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 178 GiB total, 36,156 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 8 GiB total, 8,209 GiB free.
X: is FIXED (NTFS) - 20 GiB total, 8,87 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
2007 Microsoft Office Suite Service Pack 1 (SP1)
AC3Filter 1.62b
Adobe Acrobat 5.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.4.3 - Italiano
ADSL modem
Aggiornamento della protezione per Step by Step Interactive Training (KB923723)
Aggiornamento della protezione per Windows Internet Explorer 7 (KB938127-v2)
Aggiornamento della protezione per Windows Internet Explorer 7 (KB974455)
Aggiornamento della protezione per Windows Media Player (KB911564)
Aggiornamento della protezione per Windows Media Player (KB952069)
Aggiornamento della protezione per Windows Media Player (KB954155)
Aggiornamento della protezione per Windows Media Player (KB968816)
Aggiornamento della protezione per Windows Media Player (KB973540)
Aggiornamento della protezione per Windows Media Player 11 (KB936782)
Aggiornamento della protezione per Windows Media Player 11 (KB954154)
Aggiornamento della protezione per Windows Media Player 6.4 (KB925398)
Aggiornamento della protezione per Windows Media Player 9 (KB911565)
Aggiornamento della protezione per Windows Media Player 9 (KB917734)
Aggiornamento della protezione per Windows XP (KB923561)
Aggiornamento della protezione per Windows XP (KB923689)
Aggiornamento della protezione per Windows XP (KB923789)
Aggiornamento della protezione per Windows XP (KB938464)
Aggiornamento della protezione per Windows XP (KB941569)
Aggiornamento della protezione per Windows XP (KB946648)
Aggiornamento della protezione per Windows XP (KB950762)
Aggiornamento della protezione per Windows XP (KB950974)
Aggiornamento della protezione per Windows XP (KB951066)
Aggiornamento della protezione per Windows XP (KB951376-v2)
Aggiornamento della protezione per Windows XP (KB951698)
Aggiornamento della protezione per Windows XP (KB951748)
Aggiornamento della protezione per Windows XP (KB952004)
Aggiornamento della protezione per Windows XP (KB952954)
Aggiornamento della protezione per Windows XP (KB954211)
Aggiornamento della protezione per Windows XP (KB954459)
Aggiornamento della protezione per Windows XP (KB955069)
Aggiornamento della protezione per Windows XP (KB956390)
Aggiornamento della protezione per Windows XP (KB956391)
Aggiornamento della protezione per Windows XP (KB956572)
Aggiornamento della protezione per Windows XP (KB956744)
Aggiornamento della protezione per Windows XP (KB956802)
Aggiornamento della protezione per Windows XP (KB956803)
Aggiornamento della protezione per Windows XP (KB956841)
Aggiornamento della protezione per Windows XP (KB956844)
Aggiornamento della protezione per Windows XP (KB957095)
Aggiornamento della protezione per Windows XP (KB957097)
Aggiornamento della protezione per Windows XP (KB958644)
Aggiornamento della protezione per Windows XP (KB958687)
Aggiornamento della protezione per Windows XP (KB958869)
Aggiornamento della protezione per Windows XP (KB959426)
Aggiornamento della protezione per Windows XP (KB960225)
Aggiornamento della protezione per Windows XP (KB960803)
Aggiornamento della protezione per Windows XP (KB960859)
Aggiornamento della protezione per Windows XP (KB961371-v2)
Aggiornamento della protezione per Windows XP (KB961501)
Aggiornamento della protezione per Windows XP (KB969059)
Aggiornamento della protezione per Windows XP (KB969947)
Aggiornamento della protezione per Windows XP (KB970238)
Aggiornamento della protezione per Windows XP (KB971486)
Aggiornamento della protezione per Windows XP (KB971557)
Aggiornamento della protezione per Windows XP (KB971633)
Aggiornamento della protezione per Windows XP (KB971657)
Aggiornamento della protezione per Windows XP (KB971961)
Aggiornamento della protezione per Windows XP (KB973354)
Aggiornamento della protezione per Windows XP (KB973507)
Aggiornamento della protezione per Windows XP (KB973525)
Aggiornamento della protezione per Windows XP (KB973869)
Aggiornamento della protezione per Windows XP (KB974112)
Aggiornamento della protezione per Windows XP (KB974571)
Aggiornamento della protezione per Windows XP (KB975025)
Aggiornamento della protezione per Windows XP (KB975467)
Aggiornamento per Windows XP (KB951072-v2)
Aggiornamento per Windows XP (KB951978)
Aggiornamento per Windows XP (KB961503)
Aggiornamento per Windows XP (KB967715)
Aggiornamento per Windows XP (KB968389)
Aggiornamento per Windows XP (KB973687)
Aggiornamento per Windows XP (KB973815)
Aggiornamento rapido per Windows Media Player 11 (KB939683)
Aggiornamento rapido per Windows XP (KB952287)
Aggiornamento rapido per Windows XP (KB961118)
Aggiornamento rapido per Windows XP (KB976098-v2)
Alice MOBILE_MT503HSA
Apple Application Support
Apple Software Update
Application Installer 4.00.B14
Assistente per l'accesso a Windows Live
AutoUpdate
BigForest
BIOS Configuration for HP ProtectTools
Box Shot 3D
Bulk Rename Utility 2, 7, 0, 3
Bullzip PDF Printer 6.0.0.865
Canon MP Navigator EX 1.0
Canon MX300 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
ColorPic
Credential Manager for HP ProtectTools
Device Access Manager for HP ProtectTools
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Dr. DivX 2.0 OSS
Drive Encryption for HP ProtectTools
EASEUS Data Recovery Wizard Free Edition 5.0.1
eboost
EPSON Scan
EPSON SX100 Series Printer Uninstall
foobar2000 v1.1.5
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
Google Chrome
Google Update Helper
GPL Ghostscript Lite 8.64
Hard Disk Low Level Format Tool 2.36 build 1181
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB954550-v5)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB945282)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB946040)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB946308)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB946344)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB946581)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB947540)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB947789)
Hotfix per Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA (KB951708)
HP 3D DriveGuard
HP Broadband Wireless Modules
HP Doc Viewer
HP Help and Support
HP Integrated Module with Bluetooth wireless technology
HP Notebook Accessories Product Tour
HP ProtectTools Security Manager
HP Quick Launch Buttons 6.40 B2
HP Update
HP User Guide Bluetooth Addendum 0062
HP User Guides 0061
HP Wireless Assistant
HP WWAN Setup Utility
IcoFX 1.6.4
IE DOM Inspector V1.5.3
IE WebDeveloper V2.4.1
inSSIDer
Installazione Guidata Alice
Installer HP Backup and Recovery Manager
Intel(R) Active Management Technology Device Software
Intel(R) Management Engine Interface
Intel(R) PRO Network Connections Drivers
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
J-Accise
J2SE Runtime Environment 5.0 Update 19
Java DB 10.5.3.0
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Java(TM) SE Runtime Environment 6
jEdit 4.2
Juniper Networks Network Connect 6.5.0
Juniper Networks Secure Application Manager
Juniper Networks Setup Client
Junk Mail filter update
L&H Power Translator Pro 7.0
LightScribe 1.6.43.1
LiveZilla
Lotus Notes 7.0.3
Malwarebytes' Anti-Malware
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Italian Language Pack
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - ITA
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - ITA
Microsoft .NET Framework 3.5 - Language Pack SP1 (italiano)
Microsoft .NET Framework 3.5 Language Pack SP1 - ita
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (Italian) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Italian) 2007
Microsoft Office Groove MUI (Italian) 2007
Microsoft Office InfoPath MUI (Italian) 2007
Microsoft Office OneNote MUI (Italian) 2007
Microsoft Office Outlook MUI (Italian) 2007
Microsoft Office PowerPoint MUI (Italian) 2007
Microsoft Office Project 2007 Service Pack 2 (SP2)
Microsoft Office Project MUI (Italian) 2007
Microsoft Office Project Standard 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (Italian) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (Italian) 2007
Microsoft Office Shared MUI (Italian) 2007
Microsoft Office Visio 2007 Service Pack 2 (SP2)
Microsoft Office Visio MUI (Italian) 2007
Microsoft Office Visio Standard 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (Italian) 2007
Microsoft Office Word MUI (Italian) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (Italian) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English) (February 2007)
Microsoft SQL Server 2005 Tools
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Database Publishing Wizard 1.3
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Visual Studio 2005 Premier Partner Edition - ENU Service Pack 1 (KB926601)
Microsoft Visual Studio Web Authoring Component
Microsoft Visual Web Developer 2008 Express Edition SP1 - ITA
Microsoft Visual Web Developer 2008 Express Edition with SP1 - ITA
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Web - ita
Move Media Player
Mozilla Firefox (3.6.15)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
MySQL Tools for 5.0
NVIDIA Drivers
Opera 11.01
Oracle Data Provider for .NET Help
PL/SQL Developer
PokerStars.it
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Registrazione utente Canon MX300 series
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Roxio Update Manager
Safari
ScanSoft OmniPage SE 4
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB2434737)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Service Pack 3 for SQL Server Database Services 2005 ENU (KB955706)
Service Pack 3 for SQL Server Tools and Workstation Components 2005 ENU (KB955706)
Skype Toolbars
Skype™ 5.1
SmartFTP Client
SmartFTP Client 4.0 Setup Files (remove only)
SmartFTP Client Italian (Italy) MUI
Soft Data Fax Modem with SmartCP
Sonic Activation Module
Sophos Anti-Rootkit 1.5.4
SoundMAX
SQL Server System CLR Types
SQLXML4
Strumento di caricamento di Windows Live
Sun VirtualBox
Synaptics Pointing Device Driver
TrueCrypt
UltraCompare v6.40
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Visual Studio Web Authoring Component (KB945140)
Update for Outlook 2007 Junk Email Filter (KB2508979)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.3
Vodafone Mobile Connect Lite
VPN Client
WebFldrs XP
WinCvs 2.0
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip
XML Copy Editor 1.1.0.4-2
XML Paper Specification Shared Components Language Pack 1.0
.
==== End Of File ===========================

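The cross-view comparison behind the "user != kernel MBR" verdict in the mbr.exe output above, as an added example: this is Python written for this page, not code from the thread, from GMER's mbr.exe or from any other tool named here. It reads no disk. Both sector images and the trailing sector run are constructed inline so it runs offline; the partition layout, the boot-code bytes and the contents of the hidden sectors are made up, and only the LBA 390721966 is taken from the log.

```python
"""Cross-view check of the MBR, after the mbr.exe output above.

Added example: this is not code from the thread, from GMER's mbr.exe or from
any other tool named on the page. It reads no disk; the two sector images and
the trailing sectors are constructed inline so the script runs offline, and the
partition layout, LBAs and boot-code bytes are assumptions.
"""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445, then four 16-byte entries
BOOT_SIG_OFFSET = 510        # bytes 510..511 hold the 0x55 0xAA signature


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble one sector from boot code and (bootable, type, lba, count) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(4 * 16, b"\0")
    return boot_code.ljust(PART_TABLE_OFFSET, b"\0")[:PART_TABLE_OFFSET] + table + b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries; empty slots (type 0) are skipped."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype:
            entries.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "count": count})
    return entries


def compare_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Compare sector 0 as returned by two read paths.

    A hook in the disk stack (the log above shows an unknown handler on
    \\Driver\\iaStor) can hand user-mode readers the original sector while
    the platter holds something else; a read issued below the hook shows the
    real contents, and any mismatch is the finding.
    """
    if len(user_view) != SECTOR_SIZE or len(kernel_view) != SECTOR_SIZE:
        raise ValueError("each view must be one sector")
    boot_differs = user_view[:PART_TABLE_OFFSET] != kernel_view[:PART_TABLE_OFFSET]
    table_differs = user_view[PART_TABLE_OFFSET:BOOT_SIG_OFFSET] != kernel_view[PART_TABLE_OFFSET:BOOT_SIG_OFFSET]
    first_diff = next((i for i, (a, b) in enumerate(zip(user_view, kernel_view)) if a != b), None)
    signature_ok = user_view[BOOT_SIG_OFFSET:] == b"\x55\xAA" and kernel_view[BOOT_SIG_OFFSET:] == b"\x55\xAA"
    if not boot_differs and not table_differs:
        verdict = "user == kernel MBR"
    elif boot_differs and not table_differs:
        # The partition table is left alone so the machine still boots normally;
        # only the code that runs before the OS loader has been swapped.
        verdict = "user != kernel MBR: boot code replaced, partition table intact"
    else:
        verdict = "user != kernel MBR: partition table differs"
    return {"boot_code_differs": boot_differs, "partition_table_differs": table_differs,
            "first_diff_offset": first_diff, "signature_ok": signature_ok, "verdict": verdict}


def diff_sectors(user_run: bytes, kernel_run: bytes, first_lba: int) -> list:
    """Return the LBAs at which two views of the same sector run disagree."""
    if len(user_run) != len(kernel_run) or len(user_run) % SECTOR_SIZE:
        raise ValueError("runs must be equal length and sector aligned")
    return [first_lba + n for n in range(len(user_run) // SECTOR_SIZE)
            if user_run[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE] != kernel_run[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]]


# Constructed sample data (hypothetical, not captured from the disk in the thread).
PARTITIONS = [(True, 0x07, 63, 373_000_000)]   # one bootable NTFS partition
# A relocation prologue like the one in the disassembly above, then filler.
CLEAN_BOOT = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\x90" * 16
# Different loader bytes stand in for a replaced MBR; no real rootkit code is reproduced.
OTHER_BOOT = bytes.fromhex("31c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\xeb\xfe" * 8
USER_MBR = build_mbr(CLEAN_BOOT, PARTITIONS)      # what a normal read of \\.\PhysicalDrive0 returns
KERNEL_MBR = build_mbr(OTHER_BOOT, PARTITIONS)    # what a read issued below the hook returns
TAIL_FIRST_LBA = 390_721_966                      # the LBA named in the log; contents below are made up
USER_TAIL = b"\0" * (4 * SECTOR_SIZE)             # the user path is shown four blank sectors
KERNEL_TAIL = b"\0" * SECTOR_SIZE + bytes(range(256)) * 6   # the lower path sees data in the last three


def report() -> dict:
    """Run both comparisons on the sample data and return the findings."""
    return {"mbr": compare_views(USER_MBR, KERNEL_MBR),
            "partitions": parse_partition_table(KERNEL_MBR),
            "hidden_sectors": diff_sectors(USER_TAIL, KERNEL_TAIL, TAIL_FIRST_LBA)}


if __name__ == "__main__":
    findings = report()
    print(findings["mbr"]["verdict"], "(first difference at byte", findings["mbr"]["first_diff_offset"], ")")
    print("partition table:", findings["partitions"])
    print("sectors where user != kernel:", findings["hidden_sectors"])
```

Run it with python3. On a live system the two views would come from an ordinary read of the physical drive and from a read issued beneath the filter stack; the unknown handler GMER found in \Driver\iaStor's dispatch table is the kind of interposition that makes them differ, and the point of checking the last sectors of the disk separately is that a bootkit which keeps the partition table intact has to store its payload and the original MBR somewhere the normal read path will not show.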

0

Hello, Mazekx, yes, you do have a rootkit and associated infection.
TDSSKiller
==Download tdsskiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
Start TDSSKiller via this command, NOT the icon:
"%userprofile%\desktop\tdsskiller.exe" -l C:\tdssrpt.txt <==paste this into Start, Run...
- click Scan. If TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required]; press Continue also on Skip prompt. Do not delete or quarantine any files.
Post the log from C:\.

Because we are speaking different languages and because you have a corporate computer, there may be software that I am not familiar with, so please examine these files and folders; if they are NOT familiar to you, then follow the instructions below:
c:\documents and settings\administrator\dati applicazioni\irsuty\tyodq.exe
c:\docume~1\admini~1\datiap~1\Vuynyf
c:\docume~1\admini~1\datiap~1\Irsuty
c:\windows\miatil.dll

If, as I suspect, they are unknown to you then:
==Please copy the text in the box into Notepad [Format/Word Wrap unchecked] and save it as fixkey.bat on your desktop; double-click it to run...

rem Remove the two autostart values from the current user's Run key (/f = no confirmation prompt)
reg delete HKCU\software\microsoft\windows\currentversion\run /v Csuwileyocoz /f
reg delete HKCU\software\microsoft\windows\currentversion\run /v {063FE004-5120-2042-71E3-DC8952D33A7B} /f

Delete these folder/files:
c:\documents and settings\administrator\dati applicazioni\irsuty\tyodq.exe
c:\docume~1\admini~1\datiap~1\Vuynyf
c:\docume~1\admini~1\datiap~1\Irsuty
c:\windows\miatil.dll

Go to Control Panel, Add/Remove Programs and remove all old versions of Java. [6.0.24 is current]. Wait until your system is clean before installing the latest version.
Could you post the log from that Combofix run also? Thanks...


0

gerbil, I do not know those files, so I deleted them. miatil.dll had meanwhile been deleted by McAfee, and I currently get an error on startup because of this missing DLL. I suppose your "reg delete"s will solve it.

I uninstalled the old Java versions (but I will need to reinstall the latest version very soon, because I use it for my job).

I do not have the ComboFix log. Do I have to run it to get one?

I ran TDSSKiller. Here is the log:

2011/03/25 13:12:02.0062 4416 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/25 13:12:02.0406 4416 ================================================================================
2011/03/25 13:12:02.0406 4416 SystemInfo:
2011/03/25 13:12:02.0406 4416
2011/03/25 13:12:02.0406 4416 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/25 13:12:02.0406 4416 Product type: Workstation
2011/03/25 13:12:02.0406 4416 ComputerName: PC164478775132
2011/03/25 13:12:02.0406 4416 UserName: Administrator
2011/03/25 13:12:02.0406 4416 Windows directory: C:\WINDOWS
2011/03/25 13:12:02.0406 4416 System windows directory: C:\WINDOWS
2011/03/25 13:12:02.0406 4416 Processor architecture: Intel x86
2011/03/25 13:12:02.0406 4416 Number of processors: 2
2011/03/25 13:12:02.0406 4416 Page size: 0x1000
2011/03/25 13:12:02.0406 4416 Boot type: Normal boot
2011/03/25 13:12:02.0406 4416 ================================================================================
2011/03/25 13:12:02.0609 4416 Initialize success
2011/03/25 13:12:04.0812 5332 ================================================================================
2011/03/25 13:12:04.0812 5332 Scan started
2011/03/25 13:12:04.0812 5332 Mode: Manual;
2011/03/25 13:12:04.0812 5332 ================================================================================
2011/03/25 13:12:05.0875 5332 Accelerometer (558a0039f0ef634397e1f61055504478) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2011/03/25 13:12:05.0968 5332 ACPI (d766e636187b8f240bbfbabcd51eb2c6) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/25 13:12:06.0000 5332 ACPIEC (49ac5cd87fbdda62f3e25190019e7627) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/03/25 13:12:06.0046 5332 ADIHdAudAddService (aa77f63a33244fd94ed2bc66f710024d) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/03/25 13:12:06.0156 5332 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/03/25 13:12:06.0265 5332 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/25 13:12:06.0328 5332 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/25 13:12:06.0437 5332 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/03/25 13:12:06.0515 5332 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/03/25 13:12:06.0609 5332 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/25 13:12:06.0625 5332 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/25 13:12:06.0718 5332 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/25 13:12:06.0765 5332 ATSWPDRV (293e8cc3c246a89f4cca75b024ad757f) C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
2011/03/25 13:12:06.0781 5332 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/25 13:12:06.0796 5332 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/25 13:12:06.0859 5332 btaudio (3aa4bf555c00c5b87fd48dd7bdbd4e97) C:\WINDOWS\system32\drivers\btaudio.sys
2011/03/25 13:12:07.0000 5332 BTKRNL (ba57f31eab93dc597d772f6f5b9ed54f) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/03/25 13:12:07.0140 5332 BTWDNDIS (b1d350f3f13cf340fce93912d2ba1ebf) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/03/25 13:12:07.0218 5332 BTWUSB (57e91e9925976bbc98984eebaaf1d84c) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/03/25 13:12:07.0406 5332 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/25 13:12:07.0453 5332 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/25 13:12:07.0500 5332 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/25 13:12:07.0546 5332 cdprku (0ec603300dbca6f675df4d1299d03e47) C:\WINDOWS\system32\Drivers\cdprku.sys
2011/03/25 13:12:07.0625 5332 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/25 13:12:07.0671 5332 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/03/25 13:12:07.0734 5332 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/03/25 13:12:07.0796 5332 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/03/25 13:12:07.0921 5332 CVPNDRVA (03516f6d3b8c91c919de622196a84bce) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/03/25 13:12:08.0046 5332 DAMDrv (5d5984255a4bfaa4262fb750df7cd537) C:\WINDOWS\system32\DRIVERS\DAMDrv.sys
2011/03/25 13:12:08.0093 5332 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/25 13:12:08.0140 5332 dmboot (82bc125a8ed33f5f0e75f2aac1065323) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/25 13:12:08.0281 5332 dmio (e959ddc0ea7ac11ee5e5602e2a364310) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/25 13:12:08.0421 5332 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/25 13:12:08.0453 5332 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/25 13:12:08.0500 5332 DNE (8101650993b2f79118d2bf24402c390d) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/03/25 13:12:08.0531 5332 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/25 13:12:08.0578 5332 dsNcAdpt (b2c3f71b86e25c3df78339ddb40a7562) C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
2011/03/25 13:12:08.0671 5332 e1express (ed91f1042071a36f54e7c430e130e4cd) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/03/25 13:12:08.0796 5332 ewusbnet (9032405f762f1afa92dfef99cb078306) C:\WINDOWS\system32\DRIVERS\ewusbnet.sys
2011/03/25 13:12:08.0937 5332 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/25 13:12:08.0968 5332 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/25 13:12:09.0000 5332 Fips (2cfea3326981a18c6baf2bd9be76225b) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/25 13:12:09.0109 5332 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/25 13:12:09.0156 5332 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/25 13:12:09.0203 5332 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/25 13:12:09.0218 5332 Ftdisk (f3269a6ee547ea87b949a1cea4816b38) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/25 13:12:09.0281 5332 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/25 13:12:09.0328 5332 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2011/03/25 13:12:09.0406 5332 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/25 13:12:09.0437 5332 HECI (66fed3eeabdce17829edf4c68702ed22) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/03/25 13:12:09.0468 5332 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/25 13:12:09.0515 5332 hpdskflt (5953c0952e4dd2b25b9adef05ab0285c) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
2011/03/25 13:12:09.0609 5332 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
2011/03/25 13:12:09.0703 5332 HSFHWAZL (f2c5aaae6403584fbc53053af0844411) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/03/25 13:12:09.0812 5332 HSF_DPV (daab917eec9849840a13353198d48cc5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/03/25 13:12:09.0921 5332 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/25 13:12:09.0968 5332 hwdatacard (60aec3f4ec355d9f46d545a0fa08ce87) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
2011/03/25 13:12:10.0093 5332 i8042prt (610726e28af55b95043c5c35a727e320) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/25 13:12:10.0187 5332 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/03/25 13:12:10.0218 5332 IFXTPM (667cfdb801df771f47b7c39373c2d850) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2011/03/25 13:12:10.0328 5332 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/25 13:12:10.0375 5332 IntelIde (027fe9b28fb0f861c181d25923b31e78) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/25 13:12:10.0468 5332 intelppm (ebd830a0970c438047006a49c23e287f) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/25 13:12:10.0500 5332 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/25 13:12:10.0546 5332 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/25 13:12:10.0562 5332 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/25 13:12:10.0593 5332 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/25 13:12:10.0625 5332 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/25 13:12:10.0640 5332 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/25 13:12:10.0687 5332 isapnp (0953594beb81cc72fcc62d37921b25a6) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/25 13:12:10.0765 5332 Kbdclass (28b6eace513ca7eaba3b809ad4bc274d) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/25 13:12:10.0828 5332 kbdhid (4c61c226bdda2ef1672b2c5f4e56625e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/25 13:12:10.0921 5332 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/25 13:12:10.0968 5332 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/25 13:12:11.0031 5332 massfilter (f0435fe3c1ec2659d2bbf073ca0752ee) C:\WINDOWS\system32\DRIVERS\massfilter.sys
2011/03/25 13:12:11.0156 5332 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/03/25 13:12:11.0234 5332 mfeapfk (a8d2c54c2f71f5cba7ca2734341e57e6) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/03/25 13:12:11.0312 5332 mfeavfk (28bb783d85df19e9e007e81daf40adcc) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/03/25 13:12:11.0390 5332 mfebopk (8e43e242073e9db5aa165ebe273ffd09) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/03/25 13:12:11.0484 5332 mfehidk (e94d35a2a9b175b34b995ab37216c73e) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/03/25 13:12:11.0578 5332 mferkdet (f68c9cda15114b360727fe622e4aec6f) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/03/25 13:12:11.0656 5332 mfetdik (78efa6fd2a486c476045eaa1d2f218b7) C:\WINDOWS\system32\drivers\mfetdik.sys
2011/03/25 13:12:11.0750 5332 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/25 13:12:11.0781 5332 Modem (8cb6636806d76b85fafaee94d75f5129) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/25 13:12:11.0859 5332 Mouclass (e904ebed608055a2bfb824c07f59766c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/25 13:12:11.0937 5332 mouhid (d7662f0cf5b77bbbe3202716f5bd5318) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/25 13:12:12.0000 5332 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/25 13:12:12.0062 5332 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
2011/03/25 13:12:12.0093 5332 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/25 13:12:12.0125 5332 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/25 13:12:12.0156 5332 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/25 13:12:12.0203 5332 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/25 13:12:12.0218 5332 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/25 13:12:12.0250 5332 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/25 13:12:12.0281 5332 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/25 13:12:12.0312 5332 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/25 13:12:12.0328 5332 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/25 13:12:12.0359 5332 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/25 13:12:12.0390 5332 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/25 13:12:12.0406 5332 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/25 13:12:12.0437 5332 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/25 13:12:12.0484 5332 NEOFLTR_650_14599 (04c79f778d525797926c69b51e127624) C:\WINDOWS\system32\Drivers\NEOFLTR_650_14599.SYS
2011/03/25 13:12:12.0593 5332 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/25 13:12:12.0625 5332 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/25 13:12:12.0734 5332 NETw4x32 (12b0d99865434387f784268b70e23360) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2011/03/25 13:12:12.0796 5332 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/03/25 13:12:12.0812 5332 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/25 13:12:12.0843 5332 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/25 13:12:12.0890 5332 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/25 13:12:13.0093 5332 nv (c28d307e47bc3f4fecb6ce1a738d4125) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/25 13:12:13.0250 5332 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/25 13:12:13.0265 5332 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/25 13:12:13.0296 5332 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/03/25 13:12:13.0328 5332 ONDAusbmdm6k (237bbfaec59d26fa7681679fc8c61e19) C:\WINDOWS\system32\DRIVERS\ONDAusbmdm6k.sys
2011/03/25 13:12:13.0453 5332 ONDAusbnet (5e9c5971862803962969c9437a96451b) C:\WINDOWS\system32\DRIVERS\ONDAusbnet.sys
2011/03/25 13:12:13.0515 5332 ONDAusbnmea (237bbfaec59d26fa7681679fc8c61e19) C:\WINDOWS\system32\DRIVERS\ONDAusbnmea.sys
2011/03/25 13:12:13.0609 5332 ONDAusbser6k (237bbfaec59d26fa7681679fc8c61e19) C:\WINDOWS\system32\DRIVERS\ONDAusbser6k.sys
2011/03/25 13:12:13.0734 5332 Parport (4e9408a178b2d955871c2cdd278de3c3) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/25 13:12:13.0843 5332 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/25 13:12:13.0890 5332 ParVdm (0dabef655a444cb1e193626fb1d24b9f) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/25 13:12:13.0937 5332 PCI (f40a46892afebb0314536b849d57c11e) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/25 13:12:14.0015 5332 PCIIde (b2df00d650fd6c4ee781740ed3c8e67f) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/25 13:12:14.0093 5332 Pcmcia (815c50f2b1d1562800bdce8be895000e) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/03/25 13:12:14.0281 5332 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/25 13:12:14.0296 5332 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/25 13:12:14.0328 5332 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/25 13:12:14.0375 5332 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/25 13:12:14.0546 5332 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/25 13:12:14.0578 5332 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/03/25 13:12:14.0625 5332 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/25 13:12:14.0640 5332 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/25 13:12:14.0656 5332 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/25 13:12:14.0687 5332 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/25 13:12:14.0703 5332 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/25 13:12:14.0734 5332 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/25 13:12:14.0781 5332 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/25 13:12:14.0812 5332 redbook (393fc252593323b624b230eca6b85e63) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/25 13:12:14.0953 5332 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/03/25 13:12:15.0000 5332 rismc32 (7c21554942bef51cbd84fd7d4e62cb9a) C:\WINDOWS\system32\DRIVERS\rismc32.sys
2011/03/25 13:12:15.0109 5332 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
2011/03/25 13:12:15.0156 5332 RsvLock (40ace983d0b03e997191ff6f7ff407d7) C:\WINDOWS\system32\drivers\RsvLock.sys
2011/03/25 13:12:15.0218 5332 SafeBoot (58a8f41e174b28843692812d55547dc3) C:\WINDOWS\system32\drivers\SafeBoot.sys
2011/03/25 13:12:15.0218 5332 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: 58a8f41e174b28843692812d55547dc3
2011/03/25 13:12:15.0218 5332 SafeBoot - detected Locked file (1)
2011/03/25 13:12:15.0234 5332 SbAlg (f6367fb350f8e5d3f6dd8040e4c0e33b) C:\WINDOWS\system32\drivers\SbAlg.sys
2011/03/25 13:12:15.0312 5332 SbFsLock (df4a90b29b878e8cd95a1ac8f94ca954) C:\WINDOWS\system32\drivers\SbFsLock.sys
2011/03/25 13:12:15.0453 5332 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/03/25 13:12:15.0500 5332 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/25 13:12:15.0531 5332 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/25 13:12:15.0562 5332 Serial (fdbd9d64e2e03270021d424f0dccf79d) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/25 13:12:15.0640 5332 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/03/25 13:12:15.0718 5332 SMCIRDA (f67092c18b1e1ee4d73447f293970a79) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2011/03/25 13:12:15.0812 5332 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/25 13:12:15.0859 5332 sr (618718cae288bf7cbd8fcbab2577d932) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/25 13:12:16.0015 5332 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/25 13:12:16.0078 5332 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/25 13:12:16.0109 5332 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/25 13:12:16.0250 5332 SynTP (5876072999220ef2fba1ddec86d2b97e) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/03/25 13:12:16.0312 5332 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/25 13:12:16.0375 5332 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/25 13:12:16.0437 5332 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/25 13:12:16.0468 5332 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/25 13:12:16.0500 5332 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/25 13:12:16.0593 5332 truecrypt (aceb4f4f83b895e15c8c1a2f55009783) C:\WINDOWS\system32\drivers\truecrypt.sys
2011/03/25 13:12:16.0671 5332 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/25 13:12:16.0750 5332 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/25 13:12:16.0828 5332 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/25 13:12:16.0859 5332 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/25 13:12:16.0890 5332 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/25 13:12:16.0937 5332 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/25 13:12:16.0984 5332 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/25 13:12:17.0046 5332 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/25 13:12:17.0078 5332 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/25 13:12:17.0125 5332 VBoxDrv (23d2afb408280a2bd26ed59ea7a2b9a3) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
2011/03/25 13:12:17.0234 5332 VBoxNetAdp (75a588b5dfcf2352cf8e2d235e73b668) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
2011/03/25 13:12:17.0328 5332 VBoxNetFlt (5d0425977918d42327e7b799cdb5e84a) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
2011/03/25 13:12:17.0453 5332 VBoxUSB (3e7b6e952e4439d5dd301d67485af3e1) C:\WINDOWS\system32\Drivers\VBoxUSB.sys
2011/03/25 13:12:17.0531 5332 VBoxUSBMon (df7b314c724ae258465fc862678cee65) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
2011/03/25 13:12:17.0640 5332 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/25 13:12:17.0656 5332 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/25 13:12:17.0687 5332 VolSnap (e46c1b5a56da7da603d09dfcc79ec59e) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/25 13:12:17.0781 5332 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2011/03/25 13:12:17.0859 5332 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/25 13:12:17.0921 5332 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/03/25 13:12:18.0015 5332 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/25 13:12:18.0093 5332 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/03/25 13:12:18.0203 5332 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/03/25 13:12:18.0265 5332 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/25 13:12:18.0281 5332 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/25 13:12:18.0343 5332 ZTEusbmdm6k (b8b466103280e45e391e876f05122607) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
2011/03/25 13:12:18.0453 5332 ZTEusbnet (911ba85906bc7602c73441502abfb565) C:\WINDOWS\system32\DRIVERS\ZTEusbnet.sys
2011/03/25 13:12:18.0546 5332 ZTEusbnmea (69774b89725ddc4781e0eeb9809f3b20) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
2011/03/25 13:12:18.0671 5332 ZTEusbser6k (b8b466103280e45e391e876f05122607) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
2011/03/25 13:12:18.0781 5332 ZTEusbvoice (b8b466103280e45e391e876f05122607) C:\WINDOWS\system32\DRIVERS\ZTEusbvoice.sys
2011/03/25 13:12:18.0906 5332 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/25 13:12:18.0906 5332 ================================================================================
2011/03/25 13:12:18.0906 5332 Scan finished
2011/03/25 13:12:18.0906 5332 ================================================================================
2011/03/25 13:12:18.0906 4736 Detected object count: 2
2011/03/25 13:13:57.0437 4736 Locked file(SafeBoot) - User select action: Skip
2011/03/25 13:13:57.0484 4736 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/25 13:13:57.0500 4736 \HardDisk0 - ok
2011/03/25 13:13:57.0500 4736 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/25 13:14:08.0218 5032 Deinitialize success
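The TDSSKiller log above ends with two findings and two operator choices, and a responder reading it has to tell a hard verdict (the TDL4 bootkit on \HardDisk0, cured) from a notice that only says the scanner could not open a file (SafeBoot.sys, "Locked file", skipped). The following Python script is an added example, not part of this thread and not TDSSKiller's own code: it parses that log format, pairs each detection with the action chosen for it, checks the declared object count against what was actually logged, and lists service names that register a byte-identical image, as the ONDA and ZTE entries above do. The sample text is an excerpt of the log in this post; the regular expressions are my reading of the line shapes, not a documented TDSSKiller format.

```python
"""Triage a TDSSKiller text log: hard detections vs. notices vs. operator actions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every log line: "<timestamp> <pid> <message>".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")          # "<svc> (<md5>) <path>"
SUSPICIOUS_RE = re.compile(r"^Suspicious file \(([^)]+)\): (.+)\. md5: ([0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(.+?) - detected (.+?)(?: \(\d+\))?$")   # "<obj> - detected <verdict> (n)"
ACTION_RE = re.compile(r"^(.+?)\(([^)]+)\) - User select action: (\w+)$")
PENDING_RE = re.compile(r"^(.+?) \(([^)]+)\) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class TdssReport:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)      # name -> (md5, path)
    suspicious: List[Tuple[str, str, str]] = field(default_factory=list)  # (reason, path, md5)
    detections: List[Tuple[str, str]] = field(default_factory=list)       # (object, verdict)
    actions: Dict[Tuple[str, str], str] = field(default_factory=dict)     # (verdict, object) -> action
    pending_reboot: List[Tuple[str, str]] = field(default_factory=list)   # (object, verdict)
    declared_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Classify each line; banners, separators and 'ok' lines are ignored."""
    rep = TdssReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if (s := SUSPICIOUS_RE.match(msg)):
            rep.suspicious.append((s.group(1), s.group(2), s.group(3)))
        elif (a := ACTION_RE.match(msg)):
            rep.actions[(a.group(1), a.group(2))] = a.group(3)
        elif (p := PENDING_RE.match(msg)):
            rep.pending_reboot.append((p.group(1), p.group(2)))
        elif (d := DETECT_RE.match(msg)):
            rep.detections.append((d.group(1), d.group(2)))
        elif (c := COUNT_RE.match(msg)):
            rep.declared_count = int(c.group(1))
        elif (v := DRIVER_RE.match(msg)):
            rep.drivers[v.group(1)] = (v.group(2), v.group(3))
    return rep


def triage(rep: TdssReport) -> Dict[str, object]:
    """Pair every detection with the operator's chosen action."""
    cured, skipped, unhandled = [], [], []
    for obj, verdict in rep.detections:
        action = rep.actions.get((verdict, obj))
        (cured if action == "Cure" else skipped if action == "Skip" else unhandled).append((obj, verdict))
    return {
        "cured": cured, "skipped": skipped, "unhandled": unhandled,
        "pending_reboot": list(rep.pending_reboot),
        # A mismatch means the log is truncated or the scan was interrupted before the prompt.
        "count_matches": rep.declared_count is None or rep.declared_count == len(rep.detections),
    }


def shared_hashes(rep: TdssReport) -> Dict[str, List[str]]:
    """Service names whose images are byte-identical (same MD5); worth a second look."""
    by_md5: Dict[str, List[str]] = {}
    for name, (md5, _path) in rep.drivers.items():
        by_md5.setdefault(md5, []).append(name)
    return {md5: sorted(names) for md5, names in by_md5.items() if len(names) > 1}


# Excerpt of the TDSSKiller log posted in this thread, reassembled so the script runs offline.
SAMPLE_LOG = r"""
2011/03/25 13:12:13.0328 5332 ONDAusbmdm6k (237bbfaec59d26fa7681679fc8c61e19) C:\WINDOWS\system32\DRIVERS\ONDAusbmdm6k.sys
2011/03/25 13:12:13.0515 5332 ONDAusbnmea (237bbfaec59d26fa7681679fc8c61e19) C:\WINDOWS\system32\DRIVERS\ONDAusbnmea.sys
2011/03/25 13:12:15.0218 5332 SafeBoot (58a8f41e174b28843692812d55547dc3) C:\WINDOWS\system32\drivers\SafeBoot.sys
2011/03/25 13:12:15.0218 5332 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: 58a8f41e174b28843692812d55547dc3
2011/03/25 13:12:15.0218 5332 SafeBoot - detected Locked file (1)
2011/03/25 13:12:16.0375 5332 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/25 13:12:18.0906 5332 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/25 13:12:18.0906 5332 ================================================================================
2011/03/25 13:12:18.0906 4736 Detected object count: 2
2011/03/25 13:13:57.0437 4736 Locked file(SafeBoot) - User select action: Skip
2011/03/25 13:13:57.0484 4736 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/25 13:13:57.0500 4736 \HardDisk0 - ok
2011/03/25 13:13:57.0500 4736 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    for key, value in triage(report).items():
        print(f"{key}: {value}")
    print("shared image hashes:", shared_hashes(report))
```

On the log in this thread the script reports one cured detection (the TDL4 bootkit, still pending a reboot), one skipped "Locked file" notice on SafeBoot.sys, no unhandled detections, and a declared count that matches the two entries logged. A locked file is a read failure, not a verdict; whether SafeBoot.sys is legitimate has to be settled from the vendor and the ComboFix listing further down, not from this line alone.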

0

That is a good start. Combofix has at least been initialised at some point.... please go Start > Run, and enter..
c:\combofix /uninstall

==Download a fresh copy to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or from: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : close other applications and save work, TURN OFF your Antivirus, Antispyware and Firewall for the duration of this scan.
- to run it, double-click the Combofix.exe icon and follow the prompts to start it. If you do not have it installed already, Combofix will download and install the Recovery Console on your system.
A word of caution - do not touch your mouse/keyboard until the scan has completed [your computer will restart automatically] when a log, C:\Combofix.txt , will pop onto your desktop - post that log in your next reply.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

==Download and run this rootkit scanner from http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE
-Select Report tab > Scan, tick only Drivers and Stealth Code. If the report contains anything, save the file and post it.
Please comment on how the system runs.

0

Yes, you are right. I ran it when I was trying to find a solution by myself, but it froze at some point and didn't produce any log, maybe because I kept on working on my PC while it was scanning.

You said I have to turn off my antivirus, but I can't. I can only start my PC in safe mode, with fewer antivirus processes active. Would it be the same to execute ComboFix this way? I will anyway retry to stop McAfee in some manner, but let me know if I can run ComboFix with McAfee active anyway.

0

ComboFix contains embedded files and processes which may be recognised by your antivirus as hacking tools or trojans; your AV may delete them without prompting and so cause unpredictable results like an incomplete scan or stalling. It presents a risk you may not accept; however, I see your "I can't uninstall it because it is a corporate tool and I haven't right to uninstall it nor stop it" ... in that case, because Combofix will run in Safe Mode [WITH Networking], and McAfee will not then be active, do that.

Edited by gerbil: n/a

0

I ran Combofix and the rootkit scanner you suggested. Here are the logs.

Combofix:

ComboFix 11-03-25.01 - Administrator 26/03/2011 16.36.48.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2031.1694 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\daniweb\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Esecuzione precedente -------
.
c:\documents and settings\Administrator\Dati applicazioni\OfferBox\config.dat
c:\documents and settings\Administrator\Dati applicazioni\OfferBox\config.xml
c:\documents and settings\All Users\Dati applicazioni\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\_Setup.dll
c:\documents and settings\All Users\Dati applicazioni\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.dat
c:\documents and settings\All Users\Dati applicazioni\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.exe
c:\documents and settings\All Users\Dati applicazioni\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.ico
c:\documents and settings\All Users\ntuser.pol
c:\documents and settings\vscervo\ntuser.pol
c:\programmi\INSTALL.LOG
c:\programmi\OfferBox\OfferBoxBHO.dll
E:\Autorun.inf
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Creati Da 2011-02-26 al 2011-03-26 )))))))))))))))))))))))))))))))))))
.
.
2011-03-24 09:32 . 2011-03-24 09:33 -------- d-----w- c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Adobe
2011-03-23 18:26 . 2011-03-23 18:26 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2011-03-23 18:25 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 18:25 . 2011-03-23 18:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-03-23 18:25 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 18:25 . 2011-03-23 18:26 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-03-22 16:01 . 2011-03-22 16:01 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\AOL
2011-03-22 10:59 . 2011-03-22 10:59 -------- d-----w- c:\programmi\Sophos
2011-03-21 06:52 . 2011-03-21 06:52 25128 ----a-w- c:\windows\system32\drivers\cdprku.sys
2011-03-15 11:13 . 2010-11-29 11:53 53248 ----a-w- c:\temp\xdmclient-1.6.9\xdm.exe
2011-03-15 11:13 . 2008-08-08 14:08 81920 ----a-w- c:\temp\xdmclient-1.6.9\plugins\org.eclipse.equinox.launcher.win32.win32.x86_1.0.101\eclipse_1115.dll
2011-03-14 16:25 . 2008-08-08 14:08 81920 ----a-w- c:\temp\XDM_Client\plugins\org.eclipse.equinox.launcher.win32.win32.x86_1.0.101\eclipse_1115.dll
2011-03-14 16:22 . 2010-11-29 11:53 53248 ----a-w- c:\temp\XDM_Client\xdm.exe
2011-03-14 13:50 . 2011-03-14 13:50 -------- d-----w- c:\documents and settings\Administrator\xdm
2011-03-13 18:31 . 2011-03-13 18:31 -------- d-----w- c:\programmi\foobar2000
2011-03-12 11:28 . 2011-03-12 11:28 103864 ----a-w- c:\programmi\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 11:28 . 2011-03-12 11:28 103864 ----a-w- c:\programmi\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 22:31 . 2011-03-22 12:29 -------- d-----w- C:\Quarantine
2011-03-03 10:03 . 2011-03-03 10:03 -------- d-----w- c:\programmi\File comuni\Skype
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 18:07 . 2010-02-02 10:33 23864 ----a-w- c:\programmi\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-25 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-25 81920]
"nwiz"="nwiz.exe" [2007-05-25 1626112]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"HP Software Update"="c:\programmi\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Cpqset"="c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"atchk"="c:\programmi\Intel\AMT\atchk.exe" [2007-05-01 404248]
"HPWWANGSAssistant"="c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe" [2007-05-03 4032056]
"WatchDog"="c:\programmi\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"CanonSolutionMenu"="c:\programmi\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"SSBkgdUpdate"="c:\programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\programmi\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"ShStatEXE"="c:\programmi\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-25 124224]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2010-01-24 241664]
"McAfeeUpdaterUI"="c:\programmi\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"AdslTaskBar"="stmctrl.dll" [2003-01-22 151552]
"TkBellExe"="c:\programmi\Real\RealPlayer\update\realsched.exe" [2011-01-05 274608]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
Cisco Systems VPN Client.lnk - c:\programmi\Cisco Systems\VPN Client\vpngui.exe [2009-12-10 1528880]
DVD Check.lnk - c:\programmi\InterVideo\DVD Check\DVDCheck.exe [2008-11-25 192512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 07:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2915997116-4131603029-1789207793-41665\Scripts\Logon\0\0]
"Script"=cambiar administrado por.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2915997116-4131603029-1789207793-41665\Scripts\Logon\1\0]
"Script"=SitiosdeConfianza.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 21:07 932288 ----a-r- c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\programmi\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-22 08:57 136176 ----atw- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 12:26 484904 ----a-w- c:\programmi\File comuni\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-01-05 15:19 274608 ----a-w- c:\programmi\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\eboost\\eboost.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Programmi\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Programmi\\Opera\\opera.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [26/04/2007 19.23.06 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [09/10/2006 13.31.46 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [29/03/2007 16.54.00 13696]
R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [04/12/2009 11.15.00 77608]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [04/04/2007 20.16.20 41216]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [27/11/2009 15.17.44 95568]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [10/11/2009 14.53.54 104016]
S1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [26/04/2007 19.23.36 5808]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [27/11/2009 15.17.45 116560]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [27/11/2009 15.17.37 41424]
S2 AMService;AMService;c:\windows\TEMP\fvka\setup.exe run --> c:\windows\TEMP\fvka\setup.exe run [?]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [28/11/2009 19.22.54 24640]
S2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe -k Cognizance [19/08/2004 9.00.00 14336]
S2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe -k Cognizance [19/08/2004 9.00.00 14336]
S2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [27/04/2007 10.58.58 221184]
S2 McAfeeEngineService;McAfee Engine Service;c:\programmi\McAfee\VirusScan Enterprise\engineserver.exe [25/08/2010 19.07.00 22816]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [02/02/2010 11.31.54 69192]
S2 ONDA Autorun CDROM Monitor;ONDA Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\onda_mon.exe [15/10/2010 13.29.09 86016]
S2 SWIHPWMI;SWIHPWMI;c:\programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [04/12/2006 16.13.16 292384]
S2 UNS;Intel(R) Active Management Technology User Notification Service;c:\programmi\Intel\AMT\UNS.exe [25/11/2008 17.13.49 1489688]
S3 cdprku;cdprku;c:\windows\system32\drivers\cdprku.sys [21/03/2011 7.52.10 25128]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [23/04/2007 13.13.44 30008]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [14/10/2010 8.33.48 112640]
S3 FLCDLOCK;Controllo/blocco dispositivi HP ProtectTools;c:\windows\system32\flcdlock.exe [30/04/2007 8.28.34 172131]
S3 LanProbe;LanProbe;c:\centenn.ial\AUDIT\lpx86.exe [08/04/2010 12.00.24 229888]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [14/10/2010 17.36.17 7680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\F4.tmp --> c:\windows\system32\F4.tmp [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [02/02/2010 11.31.54 66536]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys --> c:\windows\system32\DRIVERS\ngfilter.sys [?]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys --> c:\windows\system32\DRIVERS\nglog.sys [?]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys --> c:\windows\system32\DRIVERS\ngvpn.sys [?]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [15/10/2010 13.29.46 104960]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\drivers\ONDAusbnet.sys [15/10/2010 13.29.46 110080]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [15/10/2010 13.29.46 104960]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [15/10/2010 13.29.46 104960]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [03/03/2008 8.30.55 47616]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [27/11/2009 15.17.40 32016]
S3 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [04/11/2008 10.39.20 14336]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [14/10/2010 17.37.03 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [14/10/2010 17.36.47 104960]
S4 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [20/01/2010 12.44.10 135664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\programmi\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [02/12/2006 6.17.54 2805000]
.
--- Altri Servizi/Drivers In Memoria ---
.
*NewlyCreated* - MDMXSDK
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 12:23 452136 ----a-w- c:\programmi\File comuni\LightScribe\LSRunOnce.exe
.
Contenuto della cartella 'Scheduled Tasks'
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3031277105-2404189269-3624577345-500.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
2011-03-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3031277105-2404189269-3624577345-500.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
.
------- Scansione supplementare -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyServer = proxy-centro.risorse.enel:8080
uInternet Settings,ProxyOverride = <local>
IE: Display Toolbar and Menubar - c:\programmi\IEInspector\IEWebDeveloperV2\cmd_display.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{C4046502-6524-4d87-896C-878F57D1FF07} - c:\programmi\PokerStars.IT\PokerStarsUpdate.exe
DPF: {6BA21C22-53A5-463F-BBE8-5CF7FFA0132B} - hxxp://www.ocxt.com/download/officeviewer.cab
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\p3g5kt6h.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - %profile%\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- Associazioni dei file -------
.
.txt=UltraEdit.txt
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
HKLM-Run-hpWirelessAssistant - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
HKLM-Run-SunJavaUpdateSched - c:\programmi\Java\jre6\bin\jusched.exe
MSConfigStartUp-MobileConnect - %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
MSConfigStartUp-swg - c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-KB955706_SQL9 - c:\windows\SQL9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_SQLTools9 - c:\windows\SQLTools9_KB955706_ENU\Hotfix.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\programmi\DivX\DivXCodecUninstall.exe
AddRemove-{991B1E79-12B6-40C3-A081-1FC47C6F2F37} - c:\docume~1\ALLUSE~1\DATIAP~1\TARMAI~1\{991B1~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 16:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe? ??????????T??????????????|?M?|?????M?|&?@
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F4.tmp"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-3031277105-2404189269-3624577345-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,14,07,93,66,e4,e1,4c,b6,e7,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,14,07,93,66,e4,e1,4c,b6,e7,72,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,14,07,93,66,e4,e1,4c,b6,e7,72,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(224)
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\system32\DeviceNP.dll
.
- - - - - - - > 'explorer.exe'(1676)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\programmi\SmartFTP Client\it-IT\sfShellTools.dll.mui
.
Ora fine scansione: 2011-03-26 16:43:09
ComboFix-quarantined-files.txt 2011-03-26 15:42
.
Pre-Run: 41.342.242.816 byte disponibili
Post-Run: 41.517.006.848 byte disponibili
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3AE151C1B2DC130FC8B60BD1EA9746E4


Rootkit Unhooker:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF4E14000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6348800 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 101.63 )
0xBF9D6000 C:\WINDOWS\System32\nv4_disp.dll 5468160 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 101.63 )
0xF4B48000 C:\WINDOWS\system32\DRIVERS\NETw4x32.sys 2203648 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, Sistema e kernel NT)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Driver Win32 multiutente)
0xEFE6A000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF4980000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 851968 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xEB0A4000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 815104 bytes
0xF7205000 iaStor.sys 815104 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xEFDB7000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB8B7B000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0xF712F000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF42AB000 C:\WINDOWS\system32\drivers\btaudio.sys 524288 bytes (Broadcom Corporation., Bluetooth Audio Device)
0xF4AA5000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xEFBB9000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF4856000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEFD2B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF707D000 mfehidk.sys 339968 bytes (McAfee, Inc., McAfee Link Driver)
0xB8B29000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xEFFA7000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 307200 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF4DAE000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 266240 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 5.2 deserialized driver)
0xB7616000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xEFC54000 C:\WINDOWS\System32\drivers\truecrypt.sys 217088 bytes (TrueCrypt Foundation, TrueCrypt Driver)
0xEFF5C000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB8658000 C:\WINDOWS\system32\drivers\RMCast.sys 204800 bytes (Microsoft Corporation, Reliable Multicast Transport)
0xF4A73000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 204800 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xF48F4000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7358000 ACPI.sys 188416 bytes (Microsoft Corporation, Driver ACPI per NT)
0xB8C83000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7102000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEFC29000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF4D62000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xEFCC6000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF72E4000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, Driver di I/O di Gestione dischi di NT)
0xEFD05000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF4287000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF4D8A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF4A50000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB7B3C000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xEFCA4000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEFB98000 C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys 135168 bytes (AuthenTec, Inc., (TEST) Slide Fingerprint USB Driver)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF71E5000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF730A000 ftdisk.sys 126976 bytes (Microsoft Corporation, Driver FT del disco)
0xF4962000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 122880 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0xF7329000 pcmcia.sys 122880 bytes (Microsoft Corporation, Driver bus PCMCIA)
0xEFC89000 C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys 110592 bytes (Sun Microsystems, Inc., VirtualBox Support Driver)
0xF70D0000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF72CC000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF70EA000 SafeBoot.sys 98304 bytes
0xF48B4000 C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys 98304 bytes (Sun Microsystems, Inc., VirtualBox Bridged Networking Driver)
0xEFF90000 C:\WINDOWS\system32\drivers\AEAudio.sys 94208 bytes (Andrea Electronics Corporation, Audio Noise Filtering Driver (32-bit))
0xF71BC000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB86DA000 C:\WINDOWS\system32\drivers\mqac.sys 94208 bytes (Microsoft Corporation, Windows NT MQ Access Control Device Driver)
0xF494B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEFCEE000 C:\WINDOWS\system32\Drivers\NEOFLTR_650_14599.SYS 94208 bytes (Juniper Networks, NetBIOS Redirector)
0xF4924000 C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys 90112 bytes (Sun Microsystems, Inc., VirtualBox Host-Only Network Adapter Driver)
0xB7BFF000 C:\WINDOWS\system32\drivers\mfeavfk.sys 86016 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xB803B000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF4B20000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Driver della porta parallela)
0xF4B34000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF4E00000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEFD84000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF9C4000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF71D3000 sr.sys 73728 bytes (Microsoft Corporation, Driver filtro file system Ripristino configurazione di sistema)
0xB7C3C000 C:\WINDOWS\system32\drivers\mfeapfk.sys 69632 bytes (McAfee, Inc., Access Protection Filter Driver)
0xF7347000 pci.sys 69632 bytes (Microsoft Corporation, Enumeratore PCI Plug and Play per NT)
0xF493A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF4DEF000 C:\WINDOWS\system32\DRIVERS\serial.sys 69632 bytes (Microsoft Corporation, Driver della periferica seriale)
0xF1E8D000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7667000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF75F7000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7497000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF0F69000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF613C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7657000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Driver del filtro audio Redbook)
0xF7607000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 61440 bytes (REDC, RICOH SD Driver)
0xB8128000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF2496000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74A7000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF0FA9000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xF74C7000 VolSnap.sys 57344 bytes (Microsoft Corporation, Driver copia replicata del volume)
0xF74F7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7627000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, Driver della porta i8042)
0xF5482000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7637000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF5462000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF75E7000 C:\WINDOWS\system32\DRIVERS\rismc32.sys 49152 bytes (RICOH Company, Ltd., PC-SC Driver for RICOH SmartCard Reader)
0xF5492000 C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys 45056 bytes (Juniper Networks, dsNcAdapter)
0xF0F59000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF75D7000 C:\WINDOWS\system32\DRIVERS\HECI.sys 45056 bytes (Intel Corporation, Intel(R) Management Engine Interface)
0xF7617000 C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS 45056 bytes (Infineon Technologies AG, Infineon Trusted Platform Module)
0xF7647000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74B7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF5472000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF74D7000 SbAlg.sys 45056 bytes (SafeBoot N.V., SafeBoot FIPS AES Algorithm (256 bit))
0xF54B2000 C:\WINDOWS\system32\DRIVERS\Accelerometer.sys 40960 bytes (Hewlett-Packard Corporation, HP Accelerometer)
0xB788A000 C:\WINDOWS\system32\Drivers\cdprku.sys 40960 bytes (FrontRange Solutions USA Inc. , FrontRange Discovery LANProbe )
0xF75C7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 40960 bytes (Microsoft Corporation, Driver di periferica processore)
0xF7487000 isapnp.sys 40960 bytes (Microsoft Corporation, Driver bus PNP ISA)
0xF612C000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7507000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF5442000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF74E7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF54A2000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7517000 hpdskflt.sys 36864 bytes (Hewlett-Packard Corporation, HP Disk Filter)
0xB7D8D000 C:\WINDOWS\system32\drivers\mfebopk.sys 36864 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF5452000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF0F89000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB71A6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF0F79000 C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys 36864 bytes (Sun Microsystems, Inc., VirtualBox USB Monitor Driver)
0xF0F99000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF22B1000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Driver del modem)
0xF0AE2000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7847000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7867000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7857000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 28672 bytes (Microsoft Corporation, Driver classe tastiera)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF785F000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Driver Mouse Class)
0xF14D6000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF783F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF0AF2000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF784F000 C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys 20480 bytes (Hewlett-Packard Development Company, L.P., HpqKbFiltr Keyboard Filter Driver)
0xF0AEA000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7877000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF787F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF786F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77F7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF6812000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF7055000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, Driver del filtro del mouse HID)
0xB8909000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xF7973000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF009B000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF6832000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF682E000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, Driver del controller integrato Microsoft)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF6816000 C:\WINDOWS\system32\DRIVERS\cpqbttn.sys 12288 bytes (Hewlett-Packard Development Company, L.P., HP Tablet PC Key Button HID Driver)
0xECF2F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF0B86000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xED1C7000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, Driver del filtro del mouse HID)
0xF7953000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF106E000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF794B000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF798F000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xEC2A5000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7991000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xEC2A7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Driver PCI IDE Intel)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xEB17D000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xEB17B000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xEB179000 C:\WINDOWS\System32\Drivers\RsvLock.SYS 8192 bytes (SafeBoot International, SafeBoot Reserved Files Lock Driver)
0xF7993000 SbFsLock.sys 8192 bytes (SafeBoot International, SafeBoot FS Locker)
0xF79D5000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79D3000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF798D000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7AF5000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7B95000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF0BE2000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Driver bus PCI IDE generico)
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\SafeBoot.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


Since I made the first interventions (ran TDSSKiller etc.), my PC seems to work better and I am not having the symptoms I described in the first post (unwanted ads and locked processes).

Edited by mazekx: n/a

0

Hello, Mazekx, those two logs show clean [the rk warning is because of Safeboot, which is fine]. No new files were found for deletion. Are these two entries part of your corporate settings?
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2915997116-4131603029-1789207793-41665\Scripts\Logon\0\0]
"Script"=cambiar administrado por.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2915997116-4131603029-1789207793-41665\Scripts\Logon\1\0]
"Script"=SitiosdeConfianza.cmd

I suspect they are... so, go Start, Run and enter:
"%userprofile%\desktop\combofix.exe" /uninstall
-combofix will start, and remove combofix and its folders. And then you are good to go.

0
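The Rootkit Unhooker listing above and gerbil's reading of it (an "unknown" driver and a locked-file warning that are explained by SafeBoot disk encryption rather than by malware) are the kind of thing a reviewer checks by hand. The following is an added triage helper, not code from the thread or from the RkU tool: it parses the `>Drivers` and `>Stealth` sections of an RkU report, lists drivers that carry no vendor/description field, and subtracts names the reviewer has already accounted for. The sample log embedded in it is constructed from a handful of lines of the report above; the `KNOWN_BENIGN` set is an assumption drawn from the explanation given in the thread.

```python
"""Triage helper for a Rootkit Unhooker (RkU) report (added example).

Parses lines of the form
    0xF70EA000 SafeBoot.sys 98304 bytes
    0xF7205000 iaStor.sys 815104 bytes (Intel Corporation, Intel Matrix ...)
from the '>Drivers' section and 'WARNING: ... [path]' lines from the
'>Stealth' section, then reports which unattributed drivers and warnings
are still unexplained after removing names the reviewer has accounted for.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines taken from the RkU report in this thread.
SAMPLE_LOG = """\
>Drivers
==============================================
0xF7205000 iaStor.sys 815104 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xEB0A4000 C:\\WINDOWS\\System32\\Drivers\\dump_iaStor.sys 815104 bytes
0xF70EA000 SafeBoot.sys 98304 bytes
0xF74D7000 SbAlg.sys 45056 bytes (SafeBoot N.V., SafeBoot FIPS AES Algorithm (256 bit))
0xB71A6000 C:\\WINDOWS\\System32\\Drivers\\Normandy.SYS 36864 bytes (RKU Driver)
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\\WINDOWS\\system32\\drivers\\SafeBoot.sys]
"""

# Path is matched non-greedily so entries under paths containing spaces still parse;
# the trailing "(vendor, description)" group is optional because RkU omits it when
# it cannot read the file's version resource.
DRIVER_RE = re.compile(
    r"^0x(?P<base>[0-9A-Fa-f]{8})\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)
WARN_RE = re.compile(r"^WARNING: (?P<text>.*?)\s+\[(?P<path>[^\]]+)\]\s*$")


@dataclass
class Driver:
    base: int
    path: str
    size: int
    info: Optional[str]

    @property
    def name(self) -> str:
        # Bare file name, lower-cased, so "SafeBoot.sys" and a full path compare equal.
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_rku(text):
    """Return (drivers, warnings) from the '>Drivers' and '>Stealth' sections."""
    drivers, warnings = [], []
    section = None
    for line in text.splitlines():
        if line.startswith(">"):
            section = line[1:].strip()
            continue
        if section == "Drivers":
            m = DRIVER_RE.match(line)
            if m:
                drivers.append(Driver(int(m["base"], 16), m["path"], int(m["size"]), m["info"]))
        elif section == "Stealth":
            m = WARN_RE.match(line)
            if m:
                warnings.append((m["text"], m["path"]))
    return drivers, warnings


def unattributed(drivers):
    """Drivers for which RkU printed no vendor/description field."""
    return [d for d in drivers if not d.info]


# Assumed benign for this machine, per the thread: SafeBoot locks its own
# driver file, and the crash-dump copy of the storage driver has no version info.
KNOWN_BENIGN = {"safeboot.sys", "dump_iastor.sys"}


def triage(text, known_benign=KNOWN_BENIGN):
    """Summarise what is left to explain once known-benign names are removed."""
    drivers, warnings = parse_rku(text)
    flagged = [d.name for d in unattributed(drivers) if d.name not in known_benign]
    warned = [path.rsplit("\\", 1)[-1].lower() for _, path in warnings]
    unexplained = [w for w in warned if w not in known_benign]
    return {"drivers": len(drivers), "flagged": flagged, "unexplained_warnings": unexplained}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the sample with the default `KNOWN_BENIGN` set, nothing is left flagged, which mirrors the conclusion in the thread; run with an empty set, the two unattributed drivers and the SafeBoot warning surface, which is the list a reviewer would have had to explain by hand.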

You're welcome, Mazekx. I guess I could have added that you should update and do a final scan and removal with MBAM to see if any other malware files have been unhidden. And now update your Java.
Cheers.

Edited by gerbil: n/a

0

Good, I'll do that. Seeing that for two days I have not had any problem, my topic can be considered solved.

Edited by mazekx: n/a
