Solved Sirefef, laptop keeps restarting


ugo1977

Dear All,
I am running Win 7 64-bit Professional on my company laptop, equipped with MSE.
I am writing this from a different computer, since my laptop is infected.
I realized minutes ago that both MSE and the network firewall were disabled.
Although I tried to, I could not restart them. So I reinstalled MSE, and that is when I got a long list of Sirefef Trojan detections on my laptop. Once I asked it to remove the infection, the real problems started. After that, a message announcing that the laptop will be restarted comes up at every boot.
I can't exit from that loop.
I found a number of posts about the same topic on your forum too, but I noticed that each one is personalized, so I decided to post mine as well.
I really hope you can help me, because I am stuck.
Thanks very much.
Update: since I noticed that the first diagnostic / log task is the same for all users, I performed it and I paste the result here. I hope this can be helpful. Thanks.

--------------------------

Scan result of Farbar Recovery Scan Tool Version: 10-07-2012 01
Ran by SYSTEM at 11-07-2012 15:26:49
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [62312 2010-07-27] (Lenovo Group Limited)
HKLM\...\Run: [AcWin7Hlpr] C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe [33344 2011-10-20] (Lenovo)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2010-11-28] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2010-11-28] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2010-11-28] (Intel Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-15] ()
HKLM\...\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [69560 2010-07-27] (Lenovo Group Limited)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [112152 2010-05-02] (Intel Corporation)
HKLM-x32\...\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-30] (Ricoh co.,Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Client Access Service] C:\Program Files (x86)\IBM\Client Access\cwbsvstr.exe [14336 2010-01-14] (IBM Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKU\UGO\...\Run: [Akamai NetSession Interface] "C:\Users\UGO\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-25] (Akamai Technologies, Inc)
HKU\UGO\...\Run: [Facebook Update] "C:\Users\UGO\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [137536 2012-04-15] (Facebook Inc.)
HKU\UGO\...\Run: [Spotify Web Helper] "C:\Users\UGO\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [932528 2012-05-05] ()
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.150.1 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{0291AE76-AC09-4034-BA8E-42A2A0AB73B4}: [NameServer]83.224.70.77 83.224.70.54
Lsa: [Notification Packages] scecli
ACGina
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Communication Assistant.lnk
ShortcutTarget: Communication Assistant.lnk -> C:\Program Files (x86)\Panasonic\Communication Assistant\Communication Assistant.exe (Panasonic System Networks Co., Ltd.)
==================== Services (Whitelisted) ======
2 AcPrfMgrSvc; C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe [134208 2011-10-20] (Lenovo)
2 AcSvc; C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe [269376 2011-10-20] (Lenovo)
2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-10] (Akamai Technologies, Inc)
2 btwdins; C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe [915232 2011-06-13] (Broadcom Corporation.)
3 Cwbrxd; C:\Windows\cwbrxd.exe [94208 2010-01-14] (IBM Corporation)
2 FirebirdGuardianDefaultInstance; C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe -s [81920 2007-09-03] (FirebirdSQL Project)
3 FirebirdServerDefaultInstance; C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe -s [2002944 2007-09-03] (FirebirdSQL Project)
2 IBMPMSVC; C:\Windows\System32\ibmpmsvc.exe [45928 2009-11-17] (Lenovo.)
2 IviRegMgr; "C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe" [112152 2007-01-04] (InterVideo)
2 LENOVO.CAMMUTE; C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe [50536 2010-07-27] (Lenovo Group Limited)
4 LENOVO.MICMUTE; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [45496 2010-04-06] (Lenovo Group Limited)
2 LENOVO.TPKNRSVC; C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [74088 2010-07-27] (Lenovo Group Limited)
2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [93032 2010-04-06] (Lenovo Group Limited)
2 Lotus Notes Diagnostics; "C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe" -svcinvoke -ini "C:\Program Files (x86)\IBM\Lotus\Notes\notes.ini" [11711 2012-07-11] ()
2 Lotus Notes Single Logon; "C:\Program Files (x86)\IBM\Lotus\Notes\nslsvice.exe" [31624 2010-08-11] (IBM Corp)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 QDLService2kLenovo; "C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kLenovo.exe" [331512 2010-04-26] (QUALCOMM, Inc.)
4 SUService; "C:\Program Files (x86)\Lenovo\System Update\SUService.exe" [28672 2010-02-10] (Lenovo Group Limited)
3 TPHDEXLGSVC; C:\Windows\System32\TPHDEXLG64.exe [47728 2010-06-16] (Lenovo.)
2 TPHKSVC; C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [63928 2010-04-06] (Lenovo Group Limited)
2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2533400 2010-05-02] (Intel Corporation)
========================== Drivers (Whitelisted) =============
3 5U877; C:\Windows\System32\Drivers\5U877.sys [163072 2009-12-14] (Ricoh co.,Ltd.)
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [295088 2010-06-21] (Intel Corporation)
3 IBMPMDRV; C:\Windows\System32\Drivers\IBMPMDRV.sys [32880 2009-11-17] (Lenovo.)
1 lenovo.smi; C:\Windows\System32\DRIVERS\smiifx64.sys [15400 2008-05-12] (Lenovo Group Limited)
3 pmxdrv; C:\Windows\System32\Drivers\pmxdrv.sys [31152 2010-12-07] ()
3 psadd; C:\Windows\System32\Drivers\psadd.sys [40512 2009-07-01] (Lenovo (United States) Inc.)
3 qcfilterlno2k; C:\Windows\System32\Drivers\qcfilterlno2k.sys [6400 2010-04-26] (QUALCOMM Incorporated)
3 qcusbnetlno2k; C:\Windows\System32\Drivers\qcusbnetlno2k.sys [243712 2010-04-26] (QUALCOMM Incorporated)
3 qcusbserlno2k; C:\Windows\System32\Drivers\qcusbserlno2k.sys [121600 2010-04-26] (QUALCOMM Incorporated)
1 rdmxbdiq; C:\Windows\System32\Drivers\rdmxbdiq.sys [50392 2012-07-11] (Microsoft Corporation)
0 Shockprf; C:\Windows\System32\DRIVERS\Apsx64.sys [136816 2010-06-16] (Lenovo.)
3 tap0901; C:\Windows\System32\Drivers\tap0901.sys [30720 2010-11-22] (The OpenVPN Project)
0 TPDIGIMN; C:\Windows\System32\DRIVERS\ApsHM64.sys [23664 2010-06-16] (Lenovo.)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [12728 2009-09-29] ()
3 TVTI2C; C:\Windows\System32\Drivers\TVTI2C.sys [41536 2009-09-24] (Lenovo (United States) Inc.)
1 nwhdjoqm; \??\C:\Windows\system32\drivers\nwhdjoqm.sys [x]
0 vmci; C:\Windows\System32\DRIVERS\vmci.sys [x]
3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]
1 xajunjhw; \??\C:\Windows\system32\drivers\xajunjhw.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-07-11 05:20 - 2012-07-11 05:20 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdmxbdiq.sys
2012-07-11 05:17 - 2012-07-11 05:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5FCC5875DB27FD20
2012-07-11 05:10 - 2012-07-11 05:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.55C5AA3955956BB8
2012-07-11 04:54 - 2012-07-11 04:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4B28D51544D67A13
2012-07-11 03:46 - 2012-07-11 03:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C17469AFE8F9870B
2012-07-11 03:42 - 2012-07-11 03:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5114535686085502
2012-07-11 03:37 - 2012-07-11 03:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.059826B6FD30CD9F
2012-07-11 03:33 - 2012-07-11 03:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.52B0950077B0D9CC
2012-07-11 03:29 - 2012-07-11 03:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.70751A0CF9D74777
2012-07-11 03:25 - 2012-07-11 03:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B4FDF77606E48FE1
2012-07-11 03:21 - 2012-07-11 03:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3286763A23406C93
2012-07-11 03:16 - 2012-07-11 03:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.864ABD225C615FFD
2012-07-11 03:12 - 2012-07-11 03:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2F4E36F7AC74A578
2012-07-11 03:04 - 2012-07-11 03:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DD4189DE14FE1351
2012-07-11 02:59 - 2012-07-11 02:59 - 00000000 ____D C:\Users\UGO\AppData\Roaming\smkits
2012-07-11 02:49 - 2012-07-11 03:05 - 00000514 ____A C:\Users\UGO\Desktop\Muse - Survival - YouTube.website
2012-07-11 02:31 - 2012-07-11 03:03 - 00000753 ____A C:\Users\UGO\Desktop\Error Code 0x80070424 with Windows Firewall and Base Filtering Engine Service Not available in services database list. - Micr.website
2012-07-11 02:27 - 2012-07-11 02:28 - 00229548 ____A C:\Users\UGO\Downloads\1055.BFE.reg
2012-07-11 02:27 - 2012-07-11 02:28 - 00006396 ____A C:\Users\UGO\Downloads\0677.mpssvc.reg
2012-07-11 02:12 - 2012-07-11 02:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-11 02:11 - 2012-07-11 02:12 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-11 01:36 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 01:28 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 01:28 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 01:28 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 01:28 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 01:28 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 01:28 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 01:28 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 01:28 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 01:28 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 01:28 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 01:28 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 01:28 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 01:28 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 01:28 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 01:28 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-11 01:28 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-11 01:28 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-11 01:28 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-11 01:28 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-11 01:28 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-11 01:28 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-11 01:28 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-11 01:28 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-11 01:28 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-11 01:28 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-11 01:28 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-11 01:28 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-11 01:28 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-11 01:20 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 01:20 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 01:19 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 01:19 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 01:19 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 01:19 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 01:19 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 01:19 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-11 01:19 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 01:19 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 01:19 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 01:19 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 01:19 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 01:19 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 01:19 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 01:19 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-11 01:19 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-11 01:19 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-07-11 01:19 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-07-11 01:19 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-11 01:19 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-09 02:13 - 2012-07-09 02:13 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-06-26 03:35 - 2012-06-26 03:36 - 00232445 ____A C:\Users\UGO\Downloads\Transfer Oil - Hose reel capacity calculator - REV6.xlsx
2012-06-25 08:51 - 2012-06-25 08:51 - 00179577 ____A C:\Users\UGO\Downloads\Transfer Oil - Hose reel capacity calculator - Calcolo capacità bobine - REV5 - Excel 2007.zip
2012-06-25 02:24 - 2012-06-25 02:24 - 00001439 ____A C:\Users\UGO\Downloads\TransferOil S.p.a..kml
2012-06-21 23:13 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 23:13 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 23:13 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 23:13 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 23:13 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 23:13 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 23:13 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 23:12 - 2012-06-02 05:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 23:12 - 2012-06-02 05:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-13 13:47 - 2012-06-13 13:47 - 00001764 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-13 13:46 - 2012-06-13 13:47 - 00000000 ____D C:\Program Files\iTunes
2012-06-13 13:46 - 2012-06-13 13:46 - 00000000 ____D C:\Program Files\iPod
2012-06-13 13:36 - 2012-06-13 13:37 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-06-12 23:40 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-12 23:40 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-12 23:40 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-12 23:40 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-12 23:40 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-12 23:40 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-12 23:40 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-12 23:40 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-12 23:40 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-12 23:40 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-12 23:40 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-12 23:40 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-12 23:40 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-12 23:40 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-12 23:40 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-12 23:39 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

============ 3 Months Modified Files ========================
2012-07-11 05:20 - 2012-07-11 05:20 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdmxbdiq.sys
2012-07-11 05:19 - 2012-01-13 14:20 - 00044055 ____A C:\Windows\setupact.log
2012-07-11 05:19 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-11 05:17 - 2012-07-11 05:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5FCC5875DB27FD20
2012-07-11 05:10 - 2012-07-11 05:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.55C5AA3955956BB8
2012-07-11 05:08 - 2010-12-07 17:08 - 01259872 ____A C:\Windows\WindowsUpdate.log
2012-07-11 05:07 - 2009-07-13 21:13 - 00733968 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-11 05:03 - 2009-07-13 20:45 - 00020704 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-11 05:03 - 2009-07-13 20:45 - 00020704 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-11 04:56 - 2010-04-07 20:53 - 00000071 ____A C:\Windows\SysWOW64\$syssetup$.ini
2012-07-11 04:54 - 2012-07-11 04:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4B28D51544D67A13
2012-07-11 03:46 - 2012-07-11 03:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C17469AFE8F9870B
2012-07-11 03:42 - 2012-07-11 03:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5114535686085502
2012-07-11 03:40 - 2012-03-26 08:50 - 00000089 ___AH C:\Windows\$MWinSet$
2012-07-11 03:39 - 2011-02-09 09:11 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-07-11 03:37 - 2012-07-11 03:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.059826B6FD30CD9F
2012-07-11 03:33 - 2012-07-11 03:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.52B0950077B0D9CC
2012-07-11 03:29 - 2012-07-11 03:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.70751A0CF9D74777
2012-07-11 03:25 - 2012-07-11 03:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B4FDF77606E48FE1
2012-07-11 03:21 - 2012-07-11 03:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3286763A23406C93
2012-07-11 03:16 - 2012-07-11 03:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.864ABD225C615FFD
2012-07-11 03:12 - 2012-07-11 03:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2F4E36F7AC74A578
2012-07-11 03:05 - 2012-07-11 02:49 - 00000514 ____A C:\Users\UGO\Desktop\Muse - Survival - YouTube.website
2012-07-11 03:04 - 2012-07-11 03:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DD4189DE14FE1351
2012-07-11 03:03 - 2012-07-11 02:31 - 00000753 ____A C:\Users\UGO\Desktop\Error Code 0x80070424 with Windows Firewall and Base Filtering Engine Service Not available in services database list. - Micr.website
2012-07-11 02:28 - 2012-07-11 02:27 - 00229548 ____A C:\Users\UGO\Downloads\1055.BFE.reg
2012-07-11 02:28 - 2012-07-11 02:27 - 00006396 ____A C:\Users\UGO\Downloads\0677.mpssvc.reg
2012-07-11 02:12 - 2011-01-25 10:22 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-11 02:12 - 2011-01-25 10:21 - 00739814 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-11 01:46 - 2009-07-13 20:45 - 00427672 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 01:30 - 2011-01-18 11:53 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-04 08:31 - 2011-10-07 14:44 - 00002099 ____A C:\Users\UGO\Desktop\Lotus files - Shortcut.lnk
2012-07-04 08:31 - 2011-03-08 05:20 - 00001914 ____A C:\Users\UGO\Desktop\Menu Commerciale.lnk
2012-07-04 08:31 - 2011-02-03 08:43 - 00001867 ____A C:\Users\UGO\Desktop\Collegamento a Modulo Offerte - 2009 - TO.xltm.lnk
2012-07-04 08:31 - 2011-01-18 09:40 - 00001738 ____A C:\Users\UGO\Desktop\Commerciale - Shortcut.lnk
2012-07-04 04:13 - 2011-01-18 14:18 - 00002040 ___AH C:\Users\UGO\Documents\Default.rdp
2012-06-29 10:04 - 2011-01-20 10:44 - 00007854 ____A C:\Users\UGO\AppData\Roaming\Rim.Desktop.Exception.log
2012-06-29 08:25 - 2011-01-20 10:45 - 00110080 ____A C:\Users\UGO\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-27 13:45 - 2012-04-04 23:59 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-27 13:45 - 2011-06-18 09:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-26 14:13 - 2009-07-13 21:08 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-26 03:36 - 2012-06-26 03:35 - 00232445 ____A C:\Users\UGO\Downloads\Transfer Oil - Hose reel capacity calculator - REV6.xlsx
2012-06-25 08:51 - 2012-06-25 08:51 - 00179577 ____A C:\Users\UGO\Downloads\Transfer Oil - Hose reel capacity calculator - Calcolo capacità bobine - REV5 - Excel 2007.zip
2012-06-25 02:24 - 2012-06-25 02:24 - 00001439 ____A C:\Users\UGO\Downloads\TransferOil S.p.a..kml
2012-06-13 13:47 - 2012-06-13 13:47 - 00001764 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-13 13:33 - 2011-01-18 15:00 - 00002491 ____A C:\Users\Public\Desktop\Safari.lnk
2012-06-11 19:08 - 2012-07-11 01:36 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-11 01:20 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 01:20 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-07 09:05 - 2011-01-20 10:44 - 00011089 ____A C:\Users\UGO\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2012-06-05 22:06 - 2012-07-11 01:19 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 01:19 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 01:19 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 01:19 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 01:19 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 01:19 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-21 23:13 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 23:13 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 23:13 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 23:13 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 23:13 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 23:13 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 23:13 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 05:19 - 2012-06-21 23:12 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 05:15 - 2012-06-21 23:12 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 01:28 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 01:28 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 01:28 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 01:28 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 01:28 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 01:28 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 01:28 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 01:28 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 01:28 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 01:28 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 01:28 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 01:28 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 01:28 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 01:28 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 01:28 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 01:28 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 01:28 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 01:28 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 01:28 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 01:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 01:28 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 01:28 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 01:28 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 01:28 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 01:28 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 01:28 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 01:28 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 01:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-11 01:19 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 01:19 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 01:19 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 01:19 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 01:19 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 01:19 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 01:19 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 01:19 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 01:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-09 08:35 - 2012-05-09 08:36 - 04216832 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\System32\PCCSPTSP.TSP
2012-05-09 08:35 - 2012-05-09 08:36 - 03084288 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\SysWOW64\PCCSPTSP.TSP
2012-05-09 08:35 - 2012-05-09 08:36 - 00625664 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\System32\PCCSTUI.dll
2012-05-09 08:35 - 2012-05-09 08:36 - 00458752 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\SysWOW64\PCCSTUI.dll
2012-05-09 08:35 - 2012-05-09 08:36 - 00381952 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\System32\PCCSTPInstall.exe
2012-05-09 08:35 - 2012-05-09 08:36 - 00241664 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\SysWOW64\PCCSTPInstall.exe
2012-05-09 08:35 - 2012-05-09 08:36 - 00073216 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\System32\ST_Loggers.dll
2012-05-09 08:35 - 2012-05-09 08:36 - 00069632 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\SysWOW64\ST_Loggers.dll
2012-05-09 08:35 - 2012-05-09 08:36 - 00026112 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\System32\CACSTADecoder.dll
2012-05-09 08:35 - 2012-05-09 08:36 - 00025600 ____A (Panasonic System Networks Co., Ltd.) C:\Windows\SysWOW64\CACSTADecoder.dll
2012-05-09 04:31 - 2011-01-20 04:20 - 00029222 ____A C:\Windows\PFRO.log
2012-05-07 23:41 - 2012-03-26 08:50 - 00000071 ___AH C:\Windows\$MWinsetup$
2012-05-04 03:06 - 2012-06-12 23:40 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 03:00 - 2012-07-11 01:19 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-05-04 02:03 - 2012-06-12 23:40 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-12 23:40 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-04 01:59 - 2012-07-11 01:19 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-05-04 01:58 - 2012-05-04 01:58 - 00852904 ____A C:\Windows\Minidump\050412-16957-01.dmp
2012-05-04 01:58 - 2012-04-29 12:30 - 611994299 ____A C:\Windows\MEMORY.DMP
2012-04-30 21:40 - 2012-06-12 23:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-29 14:00 - 2011-10-31 11:50 - 00144220 ___AH C:\Windows\SysWOW64\mlfcache.dat
2012-04-29 12:31 - 2012-04-29 12:30 - 00442568 ____A C:\Windows\Minidump\042912-14804-01.dmp
2012-04-27 19:55 - 2012-06-12 23:39 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:41 - 2012-06-12 23:40 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-12 23:40 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-12 23:40 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 21:37 - 2012-06-12 23:40 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:37 - 2012-06-12 23:40 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:37 - 2012-06-12 23:40 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:36 - 2012-06-12 23:40 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:36 - 2012-06-12 23:40 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:36 - 2012-06-12 23:40 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-18 12:09 - 2012-03-30 06:32 - 00000159 ____A C:\Users\UGO\Desktop\Da scaricare.txt
2012-04-18 10:56 - 2012-04-18 10:56 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2012-04-18 10:56 - 2012-04-18 10:56 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2012-04-15 12:35 - 2011-09-25 08:22 - 00000920 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3386819816-38492570-3848732783-1004UA.job
2012-04-15 12:35 - 2011-09-25 08:22 - 00000898 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3386819816-38492570-3848732783-1004Core.job
2012-04-15 07:16 - 2010-12-07 17:06 - 00138962 ____A C:\Windows\DirectX.log

ZeroAccess:
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\@
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\n
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L\00000004.@
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L\1afb2d56
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L\201d3dde
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U\00000008.@
ZeroAccess:
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\@
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L\00000004.@
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U\00000004.@
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U\000000cb.@
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U\80000000.@
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U\80000032.@
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U\80000064.@
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 10%
Total physical RAM: 7987.67 MB
Available physical RAM: 7113.5 MB
Total Pagefile: 7985.82 MB
Available Pagefile: 7109.36 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: (Windows7 OS) (Fixed) (Total:287.15 GB) (Free:144.87 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (Lenovo_Recovery) (Fixed) (Total:9.77 GB) (Free:1.92 GB) NTFS
3 Drive f: () (Removable) (Total:1.89 GB) (Free:1.89 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (SYSTEM_DRV) (Fixed) (Total:1.17 GB) (Free:0.48 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 1938 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1200 MB 1024 KB
Partition 2 Primary 287 GB 1201 MB
Partition 3 Primary 9 GB 288 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y SYSTEM_DRV NTFS Partition 1200 MB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Windows7 OS NTFS Partition 287 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E Lenovo_Reco NTFS Partition 9 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1938 MB 124 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 1938 MB Healthy
==================================================================================
==========================================================
Last Boot: 2011-09-12 03:42
======================= End Of Log ==========================
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.

FRST64 Fixlist

Please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

start
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}
C:\Windows\assembly\GAC_32\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


Additional Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)

When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
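As an added example (not the thread's own code and not part of FRST), the check below reads the "ZeroAccess:" section of the scan log posted above, confirms that each {GUID} folder really shows the "@" file plus "L" and "U" subfolders before treating it as a container, and emits the same start/end fixlist shape used in this reply. The log excerpt is a constructed copy of the posted output plus one constructed decoy folder that lacks the layout.

```python
"""Turn the 'ZeroAccess:' section of an FRST scan log into a deletion fixlist.

ZeroAccess/Sirefef hides its payload in a folder named after a GUID that holds
an '@' file plus 'L' and 'U' subfolders (the 2012 variant also adds 'n').
Only folders showing that layout are treated as confirmed containers; the rest
are reported separately so a human can look at them before anything is moved.
"""
from __future__ import annotations

import re

# Constructed excerpt in the shape of the scan log posted above. The nil-GUID
# folder is a constructed decoy, not something from the thread.
FRST_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\@
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\n
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U
C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L\00000004.@
ZeroAccess:
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\@
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\L
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba}\U
ZeroAccess:
C:\Windows\Installer\{00000000-0000-0000-0000-000000000000}
C:\Windows\Installer\{00000000-0000-0000-0000-000000000000}\readme.txt
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
========================= Known DLLs (Whitelisted) ============
"""

# A container is a path ending in {GUID}, optionally followed by a child path.
GUID_DIR_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\.*?\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"(?:\\(?P<child>.+))?$",
    re.IGNORECASE,
)
# Members that identify the layout: the '@' file and the 'L' and 'U' subfolders.
REQUIRED_MEMBERS = {"@", "L", "U"}


def zeroaccess_entries(log: str) -> list[str]:
    """Collect every path printed under a 'ZeroAccess:' heading."""
    entries: list[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":
            inside = True
        elif not line or line.startswith("="):
            inside = False  # blank line or the next '====' section header
        elif inside:
            entries.append(line)
    return entries


def classify(entries: list[str]) -> tuple[list[str], list[str], list[str]]:
    """Split entries into confirmed containers, unconfirmed {GUID} roots and loose files.

    Child entries such as L\\00000004.@ are folded into their root, so the
    fixlist removes each tree once instead of listing every file in it.
    """
    members: dict[str, set[str]] = {}
    loose: list[str] = []
    for path in entries:
        m = GUID_DIR_RE.match(path)
        if not m:
            loose.append(path)
            continue
        seen = members.setdefault(m["root"], set())
        if m["child"]:
            seen.add(m["child"].split("\\", 1)[0])
    confirmed = [root for root, seen in members.items() if REQUIRED_MEMBERS <= seen]
    unconfirmed = [root for root in members if root not in confirmed]
    return confirmed, unconfirmed, loose


def fixlist(confirmed: list[str], loose: list[str]) -> str:
    """FRST moves every path listed between start/end into its quarantine."""
    return "\n".join(["start", *confirmed, *loose, "end"])


if __name__ == "__main__":
    confirmed, unconfirmed, loose = classify(zeroaccess_entries(FRST_LOG))
    for root in unconfirmed:
        print(f"review manually, layout incomplete: {root}")
    print(fixlist(confirmed, loose))
```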
 
First of all, thank you for your extremely appreciated help.
Here is the FRST Fixlist log. The other step will follow later.
Boot on the infected laptop went fine. No issues that I can see, so far.

--------------------
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 10-07-2012 01
Ran by SYSTEM at 2012-07-11 20:07:40 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{f5bd2a03-ccbf-ded0-1919-809f891439ba} moved successfully.
C:\Users\UGO\AppData\Local\{f5bd2a03-ccbf-ded0-1919-809f891439ba} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

==== End of Fixlog ====
 
And here is the Search.txt log.
Just one note: the Search.txt file wasn't saved on c:\ as per your instruction, but on the flash drive (in my case f:\). I trust this is not a big problem.
While you're here, from the logs you've seen from my computer, can you tell approximately how I got that infection? It would be helpful in order to avoid repeating the same mistake and to warn my colleagues. Thanks very much.
I await further instructions.
Thanks again.

----------

Farbar Recovery Scan Tool Version: 10-07-2012 01
Ran by SYSTEM at 2012-07-11 20:15:42
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
 
Update: I realized now that the infected laptop is in reality not as stable as I mentioned before. It still gets the warning message and reboots after one minute. It has to do with MSE: if I disable the real-time protection the laptop stays on; if I enable the real-time protection, it crashes.
 
Hello DMJ, I understand you're all very busy with this Sirefef virus. I don't want to sound pushy, but the infected computer is my company laptop, and I am getting pressure from the top. Thanks.
 
It's usually rare for me to help with business cases. But, I'll stay with this one...

FRST64 Fixlist

Please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.
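As an added example (not code from the thread, the helper, or FRST), the script below reads the Search.txt shape posted earlier, flags a live System32 services.exe whose MD5 differs from the same-size WinSxS copy, the situation the Bamital check and the Search result show in this thread, and emits the matching FRST Replace fixlist. The log text is a constructed copy of the posted output; the Replace line format is taken from the fixlist quoted in this reply.

```python
"""Check an FRST Search.txt result for an in-place patched services.exe.

ZeroAccess/Sirefef patches services.exe without changing its size or vendor
string, so only the MD5 gives it away. The WinSxS component store holds a
pristine copy of the same binary; when the live System32 copy's MD5 differs
from it, the FRST 'Replace:' directive restores the original.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample that reproduces the Search.txt shape posted in this thread.
SEARCH_TXT = r"""
Farbar Recovery Scan Tool Version: 10-07-2012 01
Ran by SYSTEM at 2012-07-11 20:15:42
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# "[created] - [modified] - size attrs (vendor) MD5"; the vendor part is absent
# for unsigned files, so it is optional.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<vendor>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    size: int
    vendor: str
    md5: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_search(text: str) -> list[FileHit]:
    """Pair each path line with the detail line FRST prints right after it."""
    hits: list[FileHit] = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i in range(len(lines) - 1):
        if not PATH_RE.match(lines[i]):
            continue
        m = DETAIL_RE.match(lines[i + 1])
        if m:
            hits.append(FileHit(lines[i], int(m["size"]), m["vendor"] or "", m["md5"].upper()))
    return hits


def find_patched(hits: list[FileHit]) -> list[tuple[FileHit, FileHit]]:
    """Return (live_copy, winsxs_reference) pairs whose MD5s disagree.

    A reference must share the file name and byte size: an in-place patch
    keeps the size, while a different servicing version would not, and
    comparing against the wrong version would raise a false alarm.
    """
    refs = [h for h in hits if h.in_winsxs]
    patched: list[tuple[FileHit, FileHit]] = []
    for live in (h for h in hits if not h.in_winsxs):
        comparable = [r for r in refs if r.name == live.name and r.size == live.size]
        if comparable and all(r.md5 != live.md5 for r in comparable):
            patched.append((live, comparable[0]))
    return patched


def fixlist_for(pairs: list[tuple[FileHit, FileHit]]) -> str:
    """Build the FRST fixlist that copies each WinSxS reference over the live file."""
    body = [f"Replace: {ref.path} {live.path}" for live, ref in pairs]
    return "\n".join(["start", *body, "end"])


if __name__ == "__main__":
    found = find_patched(parse_search(SEARCH_TXT))
    for live, ref in found:
        print(f"{live.path}: MD5 {live.md5} differs from WinSxS copy {ref.md5}")
    print(fixlist_for(found))
```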
 
Thanks DMJ. I appreciate that you keep helping me. Here is the Fixlog.txt:
Do you suggest keeping MSE real-time protection disabled, or do you think I should turn it on and see if it crashes again? Thanks.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 11-07-2012
Ran by SYSTEM at 2012-07-13 01:15:26 Run:2
Running from F:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
 
Hang on...

ComboFix

Please download ComboFix by sUBs from BleepingComputer.com.

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
Thanks again. Here is the ComboFix log. ComboFix went smoothly, no troubles at all. Now the computer seems stable. I'm posting from it. Can I restart MSE now? Can I use the PC now, or am I still infected? Thanks a lot.

ComboFix 12-07-13.01 - UGO 13/07/2012 14:38:00.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.39.1033.18.7988.6365 [GMT 2:00]
Eseguito da: c:\users\UGO\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Creato nuovo punto di ripristino
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
Q:\AUTORUN.INF
.
.
((((((((((((((((((((((((( Files Creati Da 2012-06-13 al 2012-07-13 )))))))))))))))))))))))))))))))))))
.
.
2012-07-13 12:50 . 2012-07-13 12:50 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B8EB5344-C892-4876-A431-7B8897BD1AFA}\offreg.dll
2012-07-13 12:47 . 2012-07-13 12:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-13 12:34 . 2012-05-30 19:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B8EB5344-C892-4876-A431-7B8897BD1AFA}\mpengine.dll
2012-07-12 23:54 . 2012-05-30 19:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-11 23:26 . 2012-07-11 23:26 -------- d-----w- C:\FRST
2012-07-11 21:41 . 2012-07-11 21:41 328704 ----a-w- c:\windows\system32\services.exe.283E6880D7F68B32
2012-07-11 13:17 . 2012-07-11 13:17 328704 ----a-w- c:\windows\system32\services.exe.5FCC5875DB27FD20
2012-07-11 13:10 . 2012-07-11 13:10 328704 ----a-w- c:\windows\system32\services.exe.55C5AA3955956BB8
2012-07-11 12:54 . 2012-07-11 12:54 328704 ----a-w- c:\windows\system32\services.exe.4B28D51544D67A13
2012-07-11 11:46 . 2012-07-11 11:46 328704 ----a-w- c:\windows\system32\services.exe.C17469AFE8F9870B
2012-07-11 11:42 . 2012-07-11 11:42 328704 ----a-w- c:\windows\system32\services.exe.5114535686085502
2012-07-11 11:37 . 2012-07-11 11:37 328704 ----a-w- c:\windows\system32\services.exe.059826B6FD30CD9F
2012-07-11 11:33 . 2012-07-11 11:33 328704 ----a-w- c:\windows\system32\services.exe.52B0950077B0D9CC
2012-07-11 11:29 . 2012-07-11 11:29 328704 ----a-w- c:\windows\system32\services.exe.70751A0CF9D74777
2012-07-11 11:25 . 2012-07-11 11:25 328704 ----a-w- c:\windows\system32\services.exe.B4FDF77606E48FE1
2012-07-11 11:21 . 2012-07-11 11:21 328704 ----a-w- c:\windows\system32\services.exe.3286763A23406C93
2012-07-11 11:16 . 2012-07-11 11:16 328704 ----a-w- c:\windows\system32\services.exe.864ABD225C615FFD
2012-07-11 11:12 . 2012-07-11 11:12 328704 ----a-w- c:\windows\system32\services.exe.2F4E36F7AC74A578
2012-07-11 11:04 . 2012-07-11 11:04 328704 ----a-w- c:\windows\system32\services.exe.DD4189DE14FE1351
2012-07-11 10:59 . 2012-07-11 10:59 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6124890-981C-4F63-8185-1BF8A89D871F}\gapaengine.dll
2012-07-11 10:59 . 2012-07-11 10:59 -------- d-----w- c:\users\UGO\AppData\Roaming\smkits
2012-07-11 10:12 . 2012-07-11 10:12 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-11 10:11 . 2012-07-11 10:12 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-11 09:36 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-09 10:13 . 2012-07-09 10:13 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-06-22 07:13 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 07:13 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 07:13 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 07:13 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 07:13 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-22 07:13 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 07:13 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 07:12 . 2012-06-02 13:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 07:12 . 2012-06-02 13:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-15 16:03 . 2012-06-15 16:03 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-06-13 21:46 . 2012-06-13 21:46 -------- d-----w- c:\program files\iPod
2012-06-13 21:46 . 2012-06-13 21:47 -------- d-----w- c:\program files\iTunes
2012-06-13 21:37 . 2012-06-13 21:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugin\npqtplugin7.dll
2012-06-13 21:37 . 2012-06-13 21:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugin\npqtplugin6.dll
2012-06-13 21:37 . 2012-06-13 21:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugin\npqtplugin5.dll
2012-06-13 21:37 . 2012-06-13 21:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugin\npqtplugin4.dll
2012-06-13 21:37 . 2012-06-13 21:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugin\npqtplugin3.dll
2012-06-13 21:37 . 2012-06-13 21:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugin\npqtplugin2.dll
2012-06-13 21:37 . 2012-06-13 21:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugin\npqtplugin.dll
2012-06-13 21:36 . 2012-06-13 21:37 -------- d-----w- c:\program files (x86)\QuickTime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 21:45 . 2012-04-05 07:59 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-27 21:45 . 2011-06-18 17:33 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-09 16:35 . 2012-05-09 16:36 69632 ----a-w- c:\windows\SysWow64\ST_Loggers.dll
2012-05-09 16:35 . 2012-05-09 16:36 458752 ----a-w- c:\windows\SysWow64\PCCSTUI.dll
2012-05-09 16:35 . 2012-05-09 16:36 73216 ----a-w- c:\windows\system32\ST_Loggers.dll
2012-05-09 16:35 . 2012-05-09 16:36 625664 ----a-w- c:\windows\system32\PCCSTUI.dll
2012-05-09 16:35 . 2012-05-09 16:36 4216832 ----a-w- c:\windows\system32\PCCSPTSP.TSP
2012-05-09 16:35 . 2012-05-09 16:36 381952 ----a-w- c:\windows\system32\PCCSTPInstall.exe
2012-05-09 16:35 . 2012-05-09 16:36 3084288 ----a-w- c:\windows\SysWow64\PCCSPTSP.TSP
2012-05-09 16:35 . 2012-05-09 16:36 26112 ----a-w- c:\windows\system32\CACSTADecoder.dll
2012-05-09 16:35 . 2012-05-09 16:36 25600 ----a-w- c:\windows\SysWow64\CACSTADecoder.dll
2012-05-09 16:35 . 2012-05-09 16:36 241664 ----a-w- c:\windows\SysWow64\PCCSTPInstall.exe
2012-05-04 11:06 . 2012-06-13 07:40 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 07:40 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 07:40 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-13 07:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:55 . 2012-06-13 07:39 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 05:41 . 2012-06-13 07:40 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-13 07:40 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-13 07:40 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 05:37 . 2012-06-13 07:40 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 05:37 . 2012-06-13 07:40 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-24 05:37 . 2012-06-13 07:40 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-13 07:40 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-04-24 04:36 . 2012-06-13 07:40 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-04-24 04:36 . 2012-06-13 07:40 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-04-18 18:56 . 2012-04-18 18:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 18:56 . 2012-04-18 18:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* I valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\UGO\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
"Facebook Update"="c:\users\UGO\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"Spotify Web Helper"="c:\users\UGO\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-05 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2010-05-03 112152]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Client Access Service"="c:\program files (x86)\IBM\Client Access\cwbsvstr.exe" [2010-01-15 14336]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Communication Assistant.lnk - c:\program files (x86)\Panasonic\Communication Assistant\Communication Assistant.exe [2011-11-21 4427776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
R1 nwhdjoqm;nwhdjoqm;c:\windows\system32\drivers\nwhdjoqm.sys [x]
R1 xajunjhw;xajunjhw;c:\windows\system32\drivers\xajunjhw.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-09-28 54824]
R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [2009-10-07 271640]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
R3 LVUVC64;QuickCam for Notebooks Pro(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2010-12-08 31152]
R3 qcusbnetlno2k;Gobi 2000 USB-NDIS miniport(05C6-9205);c:\windows\system32\DRIVERS\qcusbnetlno2k.sys [2010-04-26 243712]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-09-30 126392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-18 1255736]
R4 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-09-30 169408]
R4 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2010-06-16 23664]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [2008-05-12 15400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe [2007-09-03 81920]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
S2 Lotus Notes Diagnostics;Diagnostica Lotus Notes;c:\program files (x86)\IBM\Lotus\Notes\nsd.exe [2010-08-11 3417480]
S2 QDLService2kLenovo;Qualcomm Gobi 2000 Download Service (Lenovo);c:\program files (x86)\QUALCOMM\QDLService2k\QDLService2kLenovo.exe [2010-04-26 331512]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-06-19 3048136]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-09-30 12728]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-05-03 2533400]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-12-15 163072]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-05-25 35104]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-06-30 292864]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2010-06-22 295088]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe [2007-09-03 2002944]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 158976]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-02 271872]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-03-18 7680512]
S3 qcfilterlno2k;Gobi 2000 USB Composite Device Filter Driver(05C6-9205);c:\windows\system32\DRIVERS\qcfilterlno2k.sys [2010-04-26 6400]
S3 qcusbserlno2k;Gobi 2000 USB Device for Legacy Serial Communication(05C6-9205);c:\windows\system32\DRIVERS\qcusbserlno2k.sys [2010-04-26 121600]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-09-24 41536]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-07-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3386819816-38492570-3848732783-1004Core.job
- c:\users\UGO\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-25 21:45]
.
2012-07-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3386819816-38492570-3848732783-1004UA.job
- c:\users\UGO\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-25 21:45]
.
2011-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3386819816-38492570-3848732783-1004Core.job
- c:\users\UGO\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-21 18:29]
.
2011-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3386819816-38492570-3848732783-1004UA.job
- c:\users\UGO\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-21 18:29]
.
2011-01-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-12-13 21:55]
.
2011-09-25 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-12-13 21:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2010-07-02 380776]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-07-27 62312]
"AcWin7Hlpr"="c:\program files (x86)\Lenovo\Access Connections\AcTBenabler.exe" [2011-10-20 33344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-11-29 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-11-29 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-11-29 417304]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-15 307768]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-07-27 69560]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"combofix"="c:\combofix\CF22467.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Scansione supplementare -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.it/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&sporta in Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: I&nvia a OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.150.1 8.8.8.8 8.8.4.4
TCP: Interfaces\{0291AE76-AC09-4034-BA8E-42A2A0AB73B4}: NameServer = 83.224.70.77 83.224.70.54
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxp://as400e/dwa85W.cab
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
DPF: {89A32C64-6176-4D10-BCA3-10B0079818FA} - hxxps://192.168.150.189:3443/webconsole/RIMWebComponents.cab
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\program files (x86)\IBM\Lotus\Notes\nslsvice.exe
c:\program files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Lenovo\Access Connections\AcSvc.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe
.
**************************************************************************
.
Ora fine scansione: 2012-07-13 14:58:36 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2012-07-13 12:58
.
Pre-Run: 156.007.759.872 bytes free
Post-Run: 157.440.249.856 bytes free
.
- - End Of File - - B5731734CA2523184DD1778F76130A83
 
I looked in other posts, and I understand that probably there are still some steps to go. One question: can I use the laptop in the meantime (email, excel files, ....) or is it better to keep it on hold? Thanks.
 
Should be fine now.

Just run this scan for remnants. Report back when you can...

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Hiya! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
    [screenshot: diskcleanup1.png]
  • Select the More Options tab
    [screenshot: moreoptions.png]
  • In the System Restore and Shadow Backups select Clean up
    [screenshot: moreoptions2.png]
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
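For readers who would rather script the "Clean up System Restore" steps above than click through Disk Cleanup, here is an added example (mine, not the helper's or any tool's code) that does the same thing from an elevated Windows PowerShell prompt: it creates a restore point named "Clean", verifies it exists, and only then removes every older shadow copy so that no infected restore point is left to "restore back" to. It assumes the system drive is C: and that the Windows PowerShell cmdlets Checkpoint-Computer and Get-ComputerRestorePoint are available (they are on Windows 7; they are not in PowerShell 7).

```powershell
# Added example, not part of the thread: PowerShell equivalent of the
# "Clean up System Restore" steps. Run from an elevated Windows PowerShell
# prompt. Assumption: the system drive is C: (change $Drive otherwise).

$Drive = 'C:'

# System Protection must be on for the drive or Checkpoint-Computer fails.
Enable-ComputerRestore -Drive "$Drive\"

# Create the fresh restore point, named "Clean" like the manual step.
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

# Verify it exists before deleting anything; abort otherwise, so a failed
# creation never leaves the machine with no restore point at all.
$clean = Get-ComputerRestorePoint |
    Where-Object { $_.Description -eq 'Clean' } |
    Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $clean) {
    throw 'Restore point "Clean" was not created; nothing has been deleted.'
}

# Restore points are stored in Volume Shadow Copies. Disk Cleanup's
# "System Restore and Shadow Copies > Clean up" removes every shadow copy
# except the newest; vssadmin only offers /oldest and /all, so delete the
# oldest one at a time until a single shadow copy (the one holding "Clean")
# remains.
function Get-ShadowCount([string]$Volume) {
    $out = vssadmin list shadows "/for=$Volume" 2>&1 | Out-String
    return ([regex]::Matches($out, 'Shadow Copy ID:')).Count
}

while ((Get-ShadowCount $Drive) -gt 1) {
    vssadmin delete shadows "/for=$Drive" /oldest /quiet | Out-Null
}

# Show what is left: there should be exactly one restore point, "Clean".
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

The order matters: the new point is created and confirmed first, and the purge loop stops at one remaining shadow copy rather than using `/all`, so the machine is never left without a known-good restore point. On Windows 8 and later Checkpoint-Computer refuses to create more than one restore point per day, so there the creation step may need to be done through the System Protection dialog instead.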
 
Thanks again.
I did all the steps you indicated.
CSR - OK
OTC - OK
TFC - OK
RSC - OK, below it's the log.

Computer is running stable. I have the feeling it's also faster, but I can't say it for sure... maybe I'm just influenced by the fact that it's working fine, while a few days ago I thought it was gone.

I know it's not an easy question, and that I've asked it before, but I would appreciate if you could tell me if you understood how I could have got that virus. Thanks.

Also, am I clean now?

Thanks for all your support. Yesterday I followed your link and I did a small donation to support your help to many of us.

--------

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 31
Java version out of Date!
Google Chrome 16.0.912.63
Google Chrome 16.0.912.75
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 
I may have spotted something that is not working as it should.
I'm talking about the icons and the notifications that appear on the taskbar near the clock.
I remember this one was showing a few icons always near the clock such as the network and the battery, and by clicking on the triangle I could see a few more. Now if I click I can see only the icon of the MSE and the customize link. Even if I click it I can see the list which, according to the icons I can see, seems corrupted.
Was the description understandable?
Have you seen this before, and if yes, does it have to do with the virus I had?
Can we fix it?
Thanks.
 
May have to do with that. I don't see a big issue in the Notifications issue, because the "Notifications Cache" is automatically cleared when we do fixes.

Now, for all intents and purposes, I think we can tackle that problem. But, I need more of a summary about it. Are you saying that the basic icons such as Volume, Network, Action Center, etc. are missing? Only MSE and the customize button available? Just making sure. That is a sign of corruption, yes, but I need to know for sure.

Thanks for donation. It is appreciated. Donations don't do a lot, but they do provide a nice beverage or other small reward that I always love! :)

How you could have gotten the virus? There are a lot of ways viruses/malware can be transmitted. But, these days, malware is commonly transmitted due to the lack of protection (kind of like real viruses that humans deal with). Without washing our hands, we can contract viruses easily. By washing our hands, we can further protect ourselves - not 100%, but at least better than not washing at all.

We see computer viruses the same way. There is no true 100% protection, but having inadequate malware protection on your computer (60% of all computer users), viruses/malware is easily transmitted.

Most of the vectors taken by malware today include browser exploits or iFrame exploits.
 
Thanks for your assistance. Yes, you're right, the issue with the notifications has to do with the cache. After I'm restarting all the programs I used to run, I can see the icons returning as they were. Thanks also for the explanation about infections.

Can we consider the case closed?

Assuming it will be a yes, let me say a big thank you for rescuing me from this mess, and allowing me to avoid to format the whole thing. Thanks... if you'll be in Italy we'll have a drink together!

Ciao.
 