
I have a virus that is redirecting my start page and changing my search engine



Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method (Recommended: Immediate Notification).
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE: Please do not delete anything unless instructed to.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

----------

First we need to make all files and folders VISIBLE:

  • Go to Start >> Control Panel >> Folder Options >> View
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
  • Close the window with ok

----------

GMER

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

----------

In your next reply please post the log created by GMER. :)


Hi NikolForAll,

Thanks for letting me know. :)

Did you know that your computer is set up for use with a proxy?

----------

When you get back please do the following:

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

----------

In your next reply please let me know if you were aware of the proxy settings and post the log created by ComboFix. :)


Hi again, Jeff, thanks for the patience you have with me.

I was supposed to give you more details about the computer: the proxy is necessary to connect to the company server, I know about it. I have a small problem with disabling Symantec Endpoint Protection (see the attached file).

What should I do?



Ok, I did the ComboFix, but I received several notifications that ComboFix cannot read files. The Recovery Console was not installed (I suppose because of the proxy, which also requires user identification in order to connect). Here below is the log:

ComboFix 12-01-16.01 - a439758 17/01/2012 10.43.40.1.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1952.1006 [GMT 1:00]

Eseguito da: c:\documents and settings\A439758\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

.

.

Overlay Annulata ... Per Piacere rieseguite ComboFix

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\A439758\Dati applicazioni\facemoods.com

C:\prefs.js

c:\programmi\facemoods.com

c:\programmi\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll

c:\programmi\facemoods.com\facemoods\1.4.17.11\facemoods.crx

c:\programmi\facemoods.com\facemoods\1.4.17.11\facemoods.png

c:\programmi\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll

c:\programmi\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll

c:\programmi\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe

c:\programmi\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll

c:\programmi\facemoods.com\facemoods\1.4.17.11\uninstall.exe

c:\programmi\facemoods.com\sqlite3.dll

d:\documents and settings\A439758\Local Settings\Temporary Internet Files\plot.log

.

.

((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_WINDRIVER

-------\Service_WinDriver

.

.

((((((((((((((((((((((((( Files Creati Da 2011-12-17 al 2012-01-17 )))))))))))))))))))))))))))))))))))

.

.

2012-01-17 08:48 . 2012-01-17 08:48 219 ----a-w- c:\windows\rad46D31.tmp

2012-01-17 06:45 . 2012-01-17 06:45 219 ----a-w- c:\windows\rad1079E.tmp

2012-01-16 16:48 . 2012-01-16 16:48 219 ----a-w- c:\windows\rad4A3EC.tmp

2012-01-16 12:48 . 2012-01-16 12:48 219 ----a-w- c:\windows\rad211BF.tmp

2012-01-16 08:48 . 2012-01-16 08:48 219 ----a-w- c:\windows\rad122D9.tmp

2012-01-16 07:43 . 2012-01-16 07:43 219 ----a-w- c:\windows\rad26C7C.tmp

2012-01-14 16:49 . 2012-01-14 16:49 219 ----a-w- c:\windows\rad4A65F.tmp

2012-01-13 16:48 . 2012-01-13 16:48 219 ----a-w- c:\windows\rad7A588.tmp

2012-01-13 12:48 . 2012-01-13 12:48 219 ----a-w- c:\windows\rad96B7B.tmp

2012-01-13 08:48 . 2012-01-13 08:48 219 ----a-w- c:\windows\rad7F507.tmp

2012-01-13 04:48 . 2012-01-13 04:48 219 ----a-w- c:\windows\rad58630.tmp

2012-01-13 00:48 . 2012-01-13 00:48 219 ----a-w- c:\windows\radDF065.tmp

2012-01-12 20:48 . 2012-01-12 20:48 219 ----a-w- c:\windows\radEDEA6.tmp

2012-01-12 16:48 . 2012-01-12 16:48 219 ----a-w- c:\windows\rad4EF5A.tmp

2012-01-12 14:22 . 2009-11-26 16:02 803328 ----a-w- c:\windows\system32\drivers\rt2870.sys

2012-01-12 14:22 . 2009-11-26 16:02 221184 ----a-w- c:\windows\system32\RaCoInst.dll

2012-01-12 14:22 . 2012-01-12 14:22 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Ralink Driver

2012-01-12 14:17 . 2012-01-12 14:17 -------- d-----w- c:\programmi\Atheros

2012-01-12 14:17 . 2010-09-30 19:15 1759584 ----a-w- c:\windows\system32\athuw.sys

2012-01-12 14:16 . 2012-01-12 14:16 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Atheros

2012-01-12 14:16 . 2012-01-12 14:16 -------- d-----w- c:\documents and settings\A439758\Dati applicazioni\InstallShield

2012-01-12 13:58 . 2012-01-12 13:58 -------- d-----w- c:\documents and settings\A439758\Dati applicazioni\Malwarebytes

2012-01-12 13:58 . 2012-01-12 13:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes

2012-01-12 13:58 . 2012-01-12 13:58 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2012-01-12 13:58 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-01-12 12:48 . 2012-01-12 12:48 219 ----a-w- c:\windows\radFC865.tmp

2012-01-12 08:48 . 2012-01-12 08:48 219 ----a-w- c:\windows\rad1920E.tmp

2012-01-12 06:30 . 2012-01-12 06:30 219 ----a-w- c:\windows\rad27F6E.tmp

2012-01-11 12:48 . 2012-01-11 12:48 219 ----a-w- c:\windows\rad20F4B.tmp

2012-01-11 08:48 . 2012-01-11 08:48 219 ----a-w- c:\windows\rad1B278.tmp

2012-01-11 06:38 . 2012-01-11 06:38 219 ----a-w- c:\windows\radF4126.tmp

2012-01-10 16:48 . 2012-01-10 16:48 219 ----a-w- c:\windows\radB2D75.tmp

2012-01-10 12:48 . 2012-01-10 12:48 219 ----a-w- c:\windows\rad7C0C1.tmp

2012-01-10 09:16 . 2012-01-10 09:16 219 ----a-w- c:\windows\rad0EF1A.tmp

2012-01-08 10:13 . 2012-01-08 10:13 219 ----a-w- c:\windows\rad4C9D5.tmp

2012-01-06 15:56 . 2012-01-06 15:56 219 ----a-w- c:\windows\radB598F.tmp

2012-01-04 12:03 . 2012-01-04 12:03 219 ----a-w- c:\windows\rad684D6.tmp

2012-01-01 16:48 . 2012-01-01 16:48 219 ----a-w- c:\windows\radFB849.tmp

2012-01-01 15:53 . 2012-01-01 15:53 219 ----a-w- c:\windows\rad01FFA.tmp

2012-01-01 09:13 . 2012-01-01 09:13 -------- d-----w- c:\documents and settings\A439758\Dati applicazioni\Search Settings

2012-01-01 09:13 . 2012-01-01 09:13 -------- d-----w- c:\programmi\YouTube Downloader Toolbar

2012-01-01 09:13 . 2012-01-01 09:13 -------- d-----w- c:\programmi\Application Updater

2012-01-01 09:13 . 2012-01-01 09:13 -------- d-----w- c:\programmi\File comuni\Spigot

2012-01-01 09:09 . 2012-01-01 09:09 219 ----a-w- c:\windows\rad6608D.tmp

2011-12-31 17:32 . 2011-12-31 17:32 219 ----a-w- c:\windows\rad23A1E.tmp

2011-12-29 15:39 . 2011-12-29 15:39 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\boost_interprocess

2011-12-29 12:48 . 2011-12-29 12:48 219 ----a-w- c:\windows\rad16926.tmp

2011-12-29 09:05 . 2011-12-29 09:05 -------- d-----w- c:\documents and settings\A439758\Dati applicazioni\searchquband

2011-12-29 09:05 . 2011-12-29 09:05 -------- d-----w- c:\documents and settings\A439758\AppData

2011-12-29 09:05 . 2011-12-29 09:06 -------- d-----w- c:\documents and settings\A439758\Impostazioni locali\Dati applicazioni\Ilivid Player

2011-12-29 09:03 . 2011-12-29 09:05 -------- d-----w- c:\documents and settings\A439758\Dati applicazioni\searchqutoolbar

2011-12-29 09:03 . 2011-12-29 09:03 -------- d-----w- c:\programmi\Windows iLivid Toolbar

2011-12-29 09:02 . 2011-12-29 09:02 -------- d-----w- c:\documents and settings\A439758\Impostazioni locali\Dati applicazioni\PackageAware

2011-12-29 08:48 . 2011-12-29 08:48 219 ----a-w- c:\windows\rad77AD6.tmp

2011-12-29 06:36 . 2011-12-29 06:36 219 ----a-w- c:\windows\rad5FBF5.tmp

2011-12-28 08:48 . 2011-12-28 08:48 219 ----a-w- c:\windows\radBC194.tmp

2011-12-28 06:38 . 2011-12-28 06:38 219 ----a-w- c:\windows\radF13E5.tmp

2011-12-27 12:48 . 2011-12-27 12:48 219 ----a-w- c:\windows\rad8B766.tmp

2011-12-27 08:48 . 2011-12-27 08:48 219 ----a-w- c:\windows\rad84D99.tmp

2011-12-27 06:40 . 2011-12-27 06:40 219 ----a-w- c:\windows\radB463E.tmp

2011-12-26 18:09 . 2011-12-26 18:10 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\DataCardService

2011-12-26 17:58 . 2011-12-26 18:01 -------- d-----w- c:\windows\system32\NtmsData

2011-12-26 17:55 . 2011-12-26 17:55 219 ----a-w- c:\windows\radDE2DD.tmp

2011-12-23 12:48 . 2011-12-23 12:48 219 ----a-w- c:\windows\radFC2EB.tmp

2011-12-23 09:06 . 2011-12-23 09:06 219 ----a-w- c:\windows\rad7BDB6.tmp

2011-12-23 06:41 . 2011-12-23 06:41 219 ----a-w- c:\windows\rad2C197.tmp

2011-12-22 16:48 . 2011-12-22 16:48 219 ----a-w- c:\windows\radBF7C4.tmp

2011-12-22 12:48 . 2011-12-22 12:48 219 ----a-w- c:\windows\rad95F89.tmp

2011-12-22 08:57 . 2011-12-22 08:57 219 ----a-w- c:\windows\rad752E0.tmp

2011-12-21 20:59 . 2011-12-21 20:59 219 ----a-w- c:\windows\radF8347.tmp

2011-12-21 13:17 . 2011-12-21 13:17 219 ----a-w- c:\windows\rad6A3BF.tmp

2011-12-21 08:48 . 2011-12-21 08:48 219 ----a-w- c:\windows\rad2D7B3.tmp

2011-12-21 06:42 . 2011-12-21 06:42 219 ----a-w- c:\windows\rad0CBE8.tmp

2011-12-20 12:48 . 2011-12-20 12:48 219 ----a-w- c:\windows\radB1E07.tmp

2011-12-20 08:48 . 2011-12-20 08:48 219 ----a-w- c:\windows\rad02935.tmp

2011-12-20 06:51 . 2011-12-20 06:51 219 ----a-w- c:\windows\rad6D84F.tmp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-15 12:48 . 2011-12-15 12:48 219 ----a-w- c:\windows\rad4F20C.tmp

2011-12-15 08:48 . 2011-12-15 08:48 219 ----a-w- c:\windows\rad1AD1A.tmp

2011-12-15 06:40 . 2011-12-15 06:40 219 ----a-w- c:\windows\radF57B6.tmp

2011-12-14 16:48 . 2011-12-14 16:48 219 ----a-w- c:\windows\rad5B283.tmp

2011-12-14 12:48 . 2011-12-14 12:48 219 ----a-w- c:\windows\rad9DF98.tmp

2011-12-14 09:23 . 2011-12-14 09:23 219 ----a-w- c:\windows\radC69C1.tmp

2011-12-13 12:48 . 2011-12-13 12:48 219 ----a-w- c:\windows\radD6F0A.tmp

2011-12-13 08:48 . 2011-12-13 08:48 219 ----a-w- c:\windows\rad7B7DF.tmp

2011-12-13 08:03 . 2011-12-13 08:03 219 ----a-w- c:\windows\radA4623.tmp

2011-12-12 11:42 . 2011-12-12 11:42 219 ----a-w- c:\windows\rad570F8.tmp

2011-12-09 12:48 . 2011-12-09 12:48 219 ----a-w- c:\windows\rad58808.tmp

2011-12-09 08:48 . 2011-12-09 08:48 219 ----a-w- c:\windows\rad699F9.tmp

2011-12-09 06:39 . 2011-12-09 06:39 219 ----a-w- c:\windows\rad26497.tmp

2011-12-08 16:48 . 2011-12-08 16:48 219 ----a-w- c:\windows\rad9912D.tmp

2011-12-08 12:48 . 2011-12-08 12:48 219 ----a-w- c:\windows\radA8662.tmp

2011-12-08 08:48 . 2011-12-08 08:48 219 ----a-w- c:\windows\rad6B925.tmp

2011-12-08 06:36 . 2011-12-08 06:36 219 ----a-w- c:\windows\radD6D93.tmp

2011-12-07 16:48 . 2011-12-07 16:48 219 ----a-w- c:\windows\rad9C09A.tmp

2011-12-07 12:48 . 2011-12-07 12:48 219 ----a-w- c:\windows\radE0DB7.tmp

2011-12-07 08:48 . 2011-12-07 08:48 219 ----a-w- c:\windows\radEAA41.tmp

2011-12-07 06:48 . 2011-12-07 06:48 219 ----a-w- c:\windows\radCCBE8.tmp

2011-12-06 12:48 . 2011-12-06 12:48 219 ----a-w- c:\windows\radEE715.tmp

2011-12-06 08:48 . 2011-12-06 08:48 219 ----a-w- c:\windows\rad87379.tmp

2011-12-06 06:55 . 2011-12-06 06:55 219 ----a-w- c:\windows\radD0A94.tmp

2011-12-05 20:19 . 2011-12-05 20:19 219 ----a-w- c:\windows\radCE8B9.tmp

2011-12-01 12:48 . 2011-12-01 12:48 219 ----a-w- c:\windows\radB10F5.tmp

2011-12-01 08:48 . 2011-12-01 08:48 219 ----a-w- c:\windows\rad4400C.tmp

2011-12-01 04:48 . 2011-12-01 04:48 219 ----a-w- c:\windows\radF8311.tmp

2011-12-01 00:48 . 2011-12-01 00:48 219 ----a-w- c:\windows\rad57F70.tmp

2011-11-30 20:48 . 2011-11-30 20:48 219 ----a-w- c:\windows\rad2E04A.tmp

2011-11-30 16:48 . 2011-11-30 16:48 219 ----a-w- c:\windows\rad67F9B.tmp

2011-11-30 12:48 . 2011-11-30 12:48 219 ----a-w- c:\windows\radE1EFD.tmp

2011-11-30 08:48 . 2011-11-30 08:48 219 ----a-w- c:\windows\rad65723.tmp

2011-11-30 04:48 . 2011-11-30 04:48 219 ----a-w- c:\windows\radE6D33.tmp

2011-11-30 00:48 . 2011-11-30 00:48 219 ----a-w- c:\windows\radFD287.tmp

2011-11-29 20:48 . 2011-11-29 20:48 219 ----a-w- c:\windows\radBE33B.tmp

2011-11-29 16:48 . 2011-11-29 16:48 219 ----a-w- c:\windows\rad79189.tmp

2011-11-29 12:48 . 2011-11-29 12:48 219 ----a-w- c:\windows\radE0851.tmp

2011-11-29 08:48 . 2011-11-29 08:48 219 ----a-w- c:\windows\radD2CC3.tmp

2011-11-29 04:48 . 2011-11-29 04:48 219 ----a-w- c:\windows\rad0F46E.tmp

2011-11-29 00:48 . 2011-11-29 00:48 219 ----a-w- c:\windows\rad2A09F.tmp

2011-11-28 20:48 . 2011-11-28 20:48 219 ----a-w- c:\windows\radF08D1.tmp

2011-11-28 16:48 . 2011-11-28 16:48 219 ----a-w- c:\windows\rad21336.tmp

2011-11-28 12:48 . 2011-11-28 12:48 219 ----a-w- c:\windows\radB14C8.tmp

2011-11-28 08:48 . 2011-11-28 08:48 219 ----a-w- c:\windows\radAD3E0.tmp

2011-11-28 04:48 . 2011-11-28 04:48 219 ----a-w- c:\windows\rad0F741.tmp

2011-11-28 00:48 . 2011-11-28 00:48 219 ----a-w- c:\windows\rad93ADE.tmp

2011-11-27 20:48 . 2011-11-27 20:48 219 ----a-w- c:\windows\rad212EC.tmp

2011-11-27 16:48 . 2011-11-27 16:48 219 ----a-w- c:\windows\radE0578.tmp

2011-11-27 12:48 . 2011-11-27 12:48 219 ----a-w- c:\windows\radBAA6A.tmp

2011-11-27 08:48 . 2011-11-27 08:48 219 ----a-w- c:\windows\rad9D68B.tmp

2011-11-27 06:54 . 2011-11-27 06:54 219 ----a-w- c:\windows\rad72863.tmp

2011-11-25 13:45 . 2011-11-25 13:45 219 ----a-w- c:\windows\rad492B6.tmp

2011-11-25 08:48 . 2011-11-25 08:48 219 ----a-w- c:\windows\radF198F.tmp

2011-11-25 06:48 . 2011-11-25 06:48 219 ----a-w- c:\windows\rad15225.tmp

2011-11-25 06:46 . 2011-11-25 06:46 219 ----a-w- c:\windows\radBDB1F.tmp

2011-11-24 16:48 . 2011-11-24 16:48 219 ----a-w- c:\windows\rad78A72.tmp

2011-11-24 14:48 . 2011-11-24 14:48 219 ----a-w- c:\windows\rad30304.tmp

2011-11-24 12:48 . 2011-11-24 12:48 219 ----a-w- c:\windows\rad863B5.tmp

2011-11-24 10:48 . 2011-11-24 10:48 219 ----a-w- c:\windows\radB297A.tmp

2011-11-24 08:48 . 2011-11-24 08:48 219 ----a-w- c:\windows\radD399A.tmp

2011-11-24 06:48 . 2011-11-24 06:48 219 ----a-w- c:\windows\rad8C560.tmp

2011-11-24 06:47 . 2011-11-24 06:47 219 ----a-w- c:\windows\radE0B15.tmp

2011-11-23 14:48 . 2011-11-23 14:48 219 ----a-w- c:\windows\rad6ED5F.tmp

2011-11-23 14:40 . 2004-08-19 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-23 12:48 . 2011-11-23 12:48 219 ----a-w- c:\windows\rad00FB0.tmp

2011-11-23 10:48 . 2011-11-23 10:48 219 ----a-w- c:\windows\rad6E818.tmp

2011-11-23 08:48 . 2011-11-23 08:48 219 ----a-w- c:\windows\radA24E2.tmp

2011-11-23 06:48 . 2011-11-23 06:48 219 ----a-w- c:\windows\radDCAF5.tmp

2011-11-23 06:40 . 2011-11-23 06:40 219 ----a-w- c:\windows\radFD13F.tmp

2011-11-22 14:48 . 2011-11-22 14:48 219 ----a-w- c:\windows\rad585F7.tmp

2011-11-22 12:48 . 2011-11-22 12:48 219 ----a-w- c:\windows\rad75D0A.tmp

2011-11-22 10:48 . 2011-11-22 10:48 219 ----a-w- c:\windows\rad98F0B.tmp

2011-11-22 08:48 . 2011-11-22 08:48 219 ----a-w- c:\windows\radFD6AA.tmp

2011-11-22 06:48 . 2011-11-22 06:48 219 ----a-w- c:\windows\rad690B7.tmp

2011-11-22 06:41 . 2011-11-22 06:41 219 ----a-w- c:\windows\rad77B73.tmp

2011-11-19 17:37 . 2011-11-19 17:37 219 ----a-w- c:\windows\rad8B0FD.tmp

2011-11-18 09:05 . 2011-11-18 09:05 219 ----a-w- c:\windows\rad52FDC.tmp

2011-11-17 10:13 . 2011-11-17 10:13 219 ----a-w- c:\windows\rad7FC61.tmp

2011-11-16 20:22 . 2011-11-16 20:22 219 ----a-w- c:\windows\rad593F7.tmp

2011-11-16 11:04 . 2011-11-16 11:04 219 ----a-w- c:\windows\radDE308.tmp

2011-11-16 09:28 . 2011-11-16 09:28 219 ----a-w- c:\windows\rad9ED65.tmp

2011-11-15 16:48 . 2011-11-15 16:48 219 ----a-w- c:\windows\radA6855.tmp

2011-11-15 14:48 . 2011-11-15 14:48 219 ----a-w- c:\windows\rad01D74.tmp

2011-11-15 12:48 . 2011-11-15 12:48 219 ----a-w- c:\windows\radB7F48.tmp

2011-11-15 10:48 . 2011-11-15 10:48 219 ----a-w- c:\windows\rad97973.tmp

2011-11-15 08:48 . 2011-11-15 08:48 219 ----a-w- c:\windows\rad7DAD6.tmp

2011-11-15 06:48 . 2011-11-15 06:48 219 ----a-w- c:\windows\rad06193.tmp

2011-11-15 06:37 . 2011-11-15 06:37 219 ----a-w- c:\windows\radB8A1A.tmp

2011-11-14 14:48 . 2011-11-14 14:48 219 ----a-w- c:\windows\rad3CF97.tmp

2011-11-14 12:48 . 2011-11-14 12:48 219 ----a-w- c:\windows\radDFEDE.tmp

2011-11-14 10:48 . 2011-11-14 10:48 219 ----a-w- c:\windows\rad363EE.tmp

2011-11-14 08:48 . 2011-11-14 08:48 219 ----a-w- c:\windows\rad08120.tmp

2011-11-14 07:53 . 2011-11-14 07:53 219 ----a-w- c:\windows\rad97ABC.tmp

2011-11-12 08:48 . 2011-11-12 08:48 219 ----a-w- c:\windows\radD8E60.tmp

2011-11-12 06:48 . 2011-11-12 06:48 219 ----a-w- c:\windows\rad13C9C.tmp

2011-11-12 06:32 . 2011-11-12 06:32 219 ----a-w- c:\windows\rad0A8EA.tmp

2011-11-11 16:48 . 2011-11-11 16:48 219 ----a-w- c:\windows\radFF2BD.tmp

2011-11-11 14:48 . 2011-11-11 14:48 219 ----a-w- c:\windows\radE8E1D.tmp

2011-11-11 12:48 . 2011-11-11 12:48 219 ----a-w- c:\windows\radEAC12.tmp

.

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PC Suite Tray"="d:\programmi\Nokia PC Suite 7\PCSuite.exe" [2010-05-14 1479680]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\programmi\Microsoft Office Communicator\communicator.exe" [2010-07-08 5735696]

"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2010-08-11 115560]

"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2011-03-29 2209064]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 141656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 181592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 165720]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-21 737280]

"NUSB3MON"="c:\programmi\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]

"AccelerometerSysTrayApplet"="c:\programmi\Hewlett-Packard\HP 3D DriveGuard\accelerometerST.exe" [2011-01-19 70712]

"QLBController"="c:\programmi\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2011-04-15 312376]

"Cpqset"="c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe" [2010-05-14 80896]

"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2011-04-07 219520]

"WTVAlert"="c:\programmi\Enel.it\WebTVAlert\wtvalert.exe" [2010-01-14 102400]

"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2011-06-09 254696]

"SearchSettings"="c:\programmi\File comuni\Spigot\Search Settings\SearchSettings.exe" [2011-12-13 922976]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

.

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\

Bluetooth.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-30 636256]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 17:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=lanciatore.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]

"Script"=EnelConfigurationManager.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-2147092017-682003330-170122\Scripts\Logon\0\0]

"Script"=UserRoleAlert.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programmi\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Programmi\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe"=

"c:\\Programmi\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Programmi\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Programmi\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Programmi\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=

"c:\\Programmi\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

.

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/03/2008 16.02.35 17968]

R2 Application Updater;Application Updater;c:\programmi\Application Updater\ApplicationUpdater.exe [14/12/2011 13.13.28 748440]

R2 DCService.exe;DCService.exe;c:\documents and settings\All Users\Dati applicazioni\DataCardService\DCService.exe [29/09/2010 2.33.40 249856]

R2 EnelConfigUtil;EnelConfigUtil;c:\windows\system32\dllhost.exe [19/08/2004 13.00.00 5120]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\programmi\Hewlett-Packard\Shared\HPDrvMntSvc.exe [28/02/2011 14.08.30 92216]

R2 hpHotkeyMonitor;hpHotkeyMonitor;c:\programmi\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [15/04/2011 14.31.32 297528]

R2 Isecdrv;ISECDRV;c:\windows\system32\drivers\ISECDRV.sys [14/02/2008 11.44.12 20640]

R2 MarimbaEndpoint;MarimbaEndpoint;c:\programmi\marimba\tuner\Tuner.exe [19/06/2009 8.25.18 36957]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 19.09.28 11032]

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [25/07/2011 10.57.47 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [25/07/2011 10.57.47 670128]

R3 AESTAud;IDT AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [05/07/2011 18.17.58 113664]

R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [05/07/2011 18.18.00 174248]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [09/11/2011 9.46.12 106104]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [25/07/2011 10.57.55 2041904]

R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [26/12/2011 19.23.59 72832]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [05/07/2011 18.18.00 44800]

R3 IntcDAud;Audio schermo Intel®;c:\windows\system32\drivers\IntcDAud.sys [05/07/2011 18.17.58 260864]

R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [05/07/2011 10.28.04 144984]

R3 johci;JMicron 1394 Filter Driver;c:\windows\system32\drivers\johci.sys [05/07/2011 10.27.57 23640]

R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [05/07/2011 18.17.56 41088]

R3 NETwNx32;___ Driver scheda Intel® Wireless WiFi Link 5000 Series per Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [05/07/2011 18.18.00 7391104]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [10/12/2010 12.50.12 62336]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [10/12/2010 12.50.12 141440]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [05/10/2010 10.03.28 23888]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [25/07/2011 10.57.55 14924]

S3 RoxMediaDB10;RoxMediaDB10;c:\programmi\File comuni\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [23/11/2009 19.08.10 1120752]

S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [11/03/2008 16.02.29 11696]

S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [11/03/2008 16.02.23 63024]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [11/03/2008 16.02.32 34992]

.

--- Altri Servizi/Drivers In Memoria ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contenuto della cartella 'Scheduled Tasks'

.

2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-2147092017-682003330-170122Core.job

- c:\documents and settings\A439758\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-07-29 08:00]

.

2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-2147092017-682003330-170122UA.job

- c:\documents and settings\A439758\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-07-29 08:00]

.

2012-01-17 c:\windows\Tasks\User_Feed_Synchronization-{09C73F97-D0E5-4652-A8E9-1897A53FDB7E}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

2012-01-17 c:\windows\Tasks\User_Feed_Synchronization-{784F98F6-369A-400A-B348-16525000791C}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

.

------- Scansione supplementare -------

.

uStart Page = about:blank

uInternet Settings,ProxyServer = proxy-nord.risorse.enel:8080

uInternet Settings,ProxyOverride = 192.168.*;172.*;10.*;*.enel;*.wind;*.enelro;*.local;moduloimpresa.enel.it;www.acquisti.enel.it;*.enelint.global;www.fw.ipsos.com;vpngem.enel.it;sar.enel.it;emppmw103pre.endesa.es;companytv.enelit.enel;<local>

IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: enelit.enel\deskit

Trusted Zone: risorse.enel\e20x4sw0

TCP: DhcpNameServer = 10.42.194.191 10.16.57.184

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {502C6FAD-1188-4DEF-BD68-099D53DCF3CF} - hxxp://e20x4sw0.risorse.enel/RInst.cab

.

.

------- Associazioni dei file -------

.

.scr=AutoCADScriptFile

.

- - - - CHIAVI ORFANE RIMOSSE - - - -

.

Toolbar-Locked - (no file)

Toolbar-10 - (no file)

HKLM-Run-facemoods - c:\programmi\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe

Notify-NavLogon - (no file)

Notify-TPSvc - TPSvc.dll

SafeBoot-Symantec Antvirus

AddRemove-facemoods - c:\programmi\facemoods.com\facemoods\1.4.17.11\uninstall.exe

AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe

AddRemove-LSI Soft Modem - c:\windows\agrsmdel

AddRemove-WZCLINE - c:\programmi\WinZip\winzip32

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-17 10:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scansione processi nascosti ...

.

scansione entrate autostart nascoste ...

.

Scansione files nascosti ...

.

Scansione completata con successo

Files nascosti: 0

.

**************************************************************************

.

--------------------- Dlls caricate dai processi in esecuzione ---------------------

.

- - - - - - - > 'explorer.exe'(5588)

c:\windows\system32\WININET.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

.

------------------------ Altri processi in esecuzione ------------------------

.

c:\programmi\Symantec\Symantec Endpoint Protection\Smc.exe

c:\programmi\File comuni\Symantec Shared\ccSvcHst.exe

c:\programmi\IDT\WDM\STacSV.exe

c:\programmi\LSI SoftModem\agrsmsvc.exe

c:\programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe

c:\programmi\Java\jre6\bin\jqs.exe

c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe

c:\programmi\marimba\tuner\lib\jre\bin\java.exe

c:\programmi\File comuni\Protexis\License Service\PsiService_2.exe

c:\windows\System32\snmp.exe

c:\programmi\CheckPoint\SecuRemote\bin\SR_Service.exe

c:\programmi\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

c:\programmi\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\CCM\CcmExec.exe

c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\programmi\CheckPoint\SecuRemote\bin\SR_GUI.Exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\msdtc.exe

c:\programmi\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe

c:\progra~1\WI371A~1\Datamngr\DATAMN~1.EXE

c:\programmi\PC Connectivity Solution\ServiceLayer.exe

c:\programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\programmi\PC Connectivity Solution\Transports\NclRSSrv.exe

.

**************************************************************************

.

Ora fine scansione: 2012-01-17 11:04:45 - Il pc è stato riavviato

ComboFix-quarantined-files.txt 2012-01-17 10:04

.

Pre-Run: 36.702.064.640 byte disponibili

Post-Run: 37.970.804.736 byte disponibili

.

- - End Of File - - FC18BD44853050D4F1E1515B0A5FFB8A


Hi,

Download OTL to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
