I ran a scan of my PC with Avira and it found a trojan, Trash.Gen, which it claims is in the source "C:\Windows\$NtServicePackUninstall$\ils.dll".
It also put another file in 'quarantine': Contains recognition pattern of the SPR/PSW.RAS.A.3 program, located in source C:\System Volume Information\_restore(17BAAA87-184C-47DB-BF52-49BB5C56C4C6)\RP182\A0043790.exe
Below I'm posting the Avira report and the scan done with HijackThis.
Avira report:
Scanning for 1180455 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name:
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 18/11/2008 08:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 07:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 12:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 07:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 11:30:36
ANTIVIR1.VDF : 7.1.1.33 1705984 Bytes 24/12/2008 11:22:04
ANTIVIR2.VDF : 7.1.1.88 726528 Bytes 08/01/2009 11:22:08
ANTIVIR3.VDF : 7.1.1.99 116224 Bytes 12/01/2009 11:22:09
Engineversion : 8.2.0.54
AEVDF.DLL : 8.1.0.6 102772 Bytes 14/10/2008 10:05:56
AESCRIPT.DLL : 8.1.1.24 340348 Bytes 12/01/2009 11:22:21
AESCN.DLL : 8.1.1.5 123251 Bytes 07/11/2008 15:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 04/11/2008 13:58:38
AEPACK.DLL : 8.1.3.5 393588 Bytes 12/01/2009 11:22:19
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 12/01/2009 11:22:18
AEHEUR.DLL : 8.1.0.78 1532280 Bytes 12/01/2009 11:22:17
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/01/2009 11:22:13
AEGEN.DLL : 8.1.1.8 323956 Bytes 12/01/2009 11:22:12
AEEMU.DLL : 8.1.0.9 393588 Bytes 14/10/2008 10:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/01/2009 11:22:10
AEBB.DLL : 8.1.0.3 53618 Bytes 14/10/2008 10:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 08:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 09:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 31/07/2008 12:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 11:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 08:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 12:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 17:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 12:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 12:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 13:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 13:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programmi\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,
Start of the scan: lunedì 12 gennaio 2009 13:12
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'E_S30RP1.EXE' - '1' Module(s) have been scanned
Scan process 'Crypserv.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'E_FATIBVE.EXE' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'VProperty.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'hpotdd01.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb09.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '51' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{17BAAA87-184C-47DB-B5F2-49BB5C56C4C6}\RP182\A0043790.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.XPKey program
[DETECTION] Contains recognition pattern of the SPR/PSW.RAS.A.3 program
[NOTE] The file was moved to '499b387e.qua'!
C:\WINDOWS\$NtServicePackUninstall$\ils.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49de3907.qua'!
Begin scan in 'D:\'
End of the scan: lunedì 12 gennaio 2009 13:47
Used time: 35:15 Minute(s)
The scan has been done completely.
3923 Scanning directories
256162 Files were scanned
3 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
256158 Files not concerned
1308 Archives were scanned
1 Warnings
2 Notes
HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.04.33, on 12/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S8C.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9344049432
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\hpdj.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 6698 bytes
At that point I also ran a scan with Trojan Remover, at the end of which it says "No active malicious files were found and no changes were made".
Here it is:
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.5.2555. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 14.11.10 12 gen 2009
Using Database v7227
Operating System: Windows XP SP2 [Windows XP Professional Service Pack 2 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Administrator\Dati applicazioni\Simply Super Software\Trojan Remover\
Database directory: C:\Programmi\Trojan Remover\
Logfile directory: C:\Documents and Settings\Administrator\Documenti\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Programmi\Trojan Remover\
Running with Administrator privileges
************************************************************
The following Anti-Malware program(s) are loaded:
[AV Warnings are suppressed]
Avira AntiVir
************************************************************
************************************************************
14.11.10: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS
************************************************************
14.11.10: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS
************************************************************
14.11.10: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
************************************************************
14.11.11: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1034752 bytes
Created: 31/08/2001
Modified: 19/08/2004
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
25088 bytes
Created: 31/08/2001
Modified: 19/08/2004
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
515584 bytes
Created: 31/08/2001
Modified: 19/08/2004
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
NvQTwk,NvCplDaemon [file not found to scan]
--------------------
Value Name: nwiz
Value Data: nwiz.exe /install
C:\WINDOWS\system32\nwiz.exe
-R- 372736 bytes
Created: 01/08/2008
Modified: 06/11/2002
Company: NVIDIA Corporation
--------------------
Value Name: HP Software Update
Value Data: "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe
49152 bytes
Created: 25/06/2003
Modified: 25/06/2003
Company: Hewlett-Packard
--------------------
Value Name: HP Component Manager
Value Data: "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
233472 bytes
Created: 23/10/2003
Modified: 23/10/2003
Company: Hewlett-Packard Company
--------------------
Value Name: HPDJ Taskbar Utility
Value Data: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
176128 bytes
Created: 01/08/2008
Modified: 01/09/2003
Company: HP
--------------------
Value Name: DeviceDiscovery
Value Data: C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
229437 bytes
Created: 21/05/2003
Modified: 21/05/2003
Company: Hewlett-Packard
--------------------
Value Name: SunJavaUpdateSched
Value Data: "C:\Programmi\Java\jre6\bin\jusched.exe"
C:\Programmi\Java\jre6\bin\jusched.exe
136600 bytes
Created: 17/12/2008
Modified: 17/12/2008
Company: Sun Microsystems, Inc.
--------------------
Value Name: USBDetector
Value Data: C:\USBStorage\USBDetector.exe
C:\USBStorage\USBDetector.exe [file not found to scan]
--------------------
Value Name: ToUcamVProperty
Value Data: C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
131072 bytes
Created: 29/10/2008
Modified: 02/04/2003
Company: Philips PC Cameras
--------------------
Value Name: Adobe Reader Speed Launcher
Value Data: "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
39792 bytes
Created: 15/10/2008
Modified: 15/10/2008
Company: Adobe Systems Incorporated
--------------------
Value Name: avgnt
Value Data: "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
266497 bytes
Created: 12/01/2009
Modified: 12/06/2008
Company: Avira GmbH
--------------------
Value Name: TrojanScanner
Value Data: C:\Programmi\Trojan Remover\Trjscan.exe /boot
C:\Programmi\Trojan Remover\Trjscan.exe
1230728 bytes
Created: 12/01/2009
Modified: 10/12/2008
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: CTFMON.EXE
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 31/08/2001
Modified: 19/08/2004
Company: Microsoft Corporation
--------------------
Value Name: MSMSGS
Value Data: "C:\Programmi\Messenger\msmsgs.exe" /background
C:\Programmi\Messenger\msmsgs.exe
1667584 bytes
Created: 01/08/2008
Modified: 19/08/2004
Company: Microsoft Corporation
--------------------
Value Name: EPSON Stylus DX5000 Series
Value Data: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S8C.tmp" /EF "HKCU"
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE
139264 bytes
Created: 01/08/2008
Modified: 22/09/2006
Company: SEIKO EPSON CORPORATION
--------------------
************************************************************
14.11.14: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
************************************************************
14.11.14: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------
************************************************************
14.11.14: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 31/08/2001
Modified: 19/08/2004
Company: Microsoft Corporation
--------------------
************************************************************
14.11.14: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
C:\Programmi\Outlook Express\setup50.exe
73728 bytes
Created: 01/08/2008
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: {7790769C-0471-11d2-AF11-00C04FA35D02}
Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
C:\Programmi\Outlook Express\setup50.exe
73728 bytes
Created: 01/08/2008
Modified: 19/08/2004
Company: Microsoft Corporation
----------
************************************************************
14.11.15: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------
Key: wuauserv
Path: C:\WINDOWS\System32\wuauserv.dll
C:\WINDOWS\System32\wuauserv.dll
6656 bytes
Created: 01/08/2008
Modified: 19/08/2004
Company: Microsoft Corporation
--------------------
************************************************************
14.11.18: Scanning ----- SERVICES REGISTRY KEYS -----
Key: AmdK7
ImagePath: System32\DRIVERS\amdk7.sys
C:\WINDOWS\System32\DRIVERS\amdk7.sys
41472 bytes
Created: 15/12/2008
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: AntiVirScheduler
ImagePath: "C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe"
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
68865 bytes
Created: 12/01/2009
Modified: 15/10/2008
Company: Avira GmbH
----------
Key: AntiVirService
ImagePath: "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe"
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
151297 bytes
Created: 12/01/2009
Modified: 15/10/2008
Company: Avira GmbH
----------
Key: ASPI
ImagePath: \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
C:\WINDOWS\System32\DRIVERS\ASPI32.sys
16512 bytes
Created: 14/12/2008
Modified: 17/07/2002
Company: Adaptec
----------
Key: avgio
ImagePath: \??\C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgio.sys
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgio.sys
11840 bytes
Created: 12/01/2009
Modified: 27/02/2007
Company: Avira GmbH
----------
Key: avgntflt
ImagePath: \??\C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
52032 bytes
Created: 12/01/2009
Modified: 20/05/2008
Company: Avira GmbH
----------
Key: avipbb
ImagePath: system32\DRIVERS\avipbb.sys
C:\WINDOWS\system32\DRIVERS\avipbb.sys
75072 bytes
Created: 12/01/2009
Modified: 30/10/2008
Company: Avira GmbH
----------
Key: camvid20
ImagePath: System32\DRIVERS\camdrv21.sys
C:\WINDOWS\System32\DRIVERS\camdrv21.sys
223232 bytes
Created: 01/08/2008
Modified: 17/08/2001
Company: Microsoft Corporation
----------
Key: Crypkey License
ImagePath: crypserv.exe
C:\WINDOWS\system32\crypserv.exe
69632 bytes
Created: 29/08/2008
Modified: 01/03/2006
Company: CrypKey (Canada) Ltd.
----------
Key: EPSON_PM_RPCV4_01
ImagePath: C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S30RP1.EXE
102400 bytes
Created: 01/08/2008
Modified: 18/04/2006
Company: SEIKO EPSON CORPORATION
----------
Key: hpdj
ImagePath: C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 3600 series -product=
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\hpdj.exe
266240 bytes
Created: 01/08/2008
Modified: 01/09/2003
Company: HP
----------
Key: JavaQuickStarterService
ImagePath: "C:\Programmi\Java\jre6\bin\jqs.exe" -service -config "C:\Programmi\Java\jre6\lib\deploy\jqs\jqs.conf"
C:\Programmi\Java\jre6\bin\jqs.exe
152984 bytes
Created: 17/12/2008
Modified: 17/12/2008
Company: Sun Microsystems, Inc.
----------
Key: ms_mpu401
ImagePath: system32\drivers\msmpu401.sys
C:\WINDOWS\system32\drivers\msmpu401.sys
2944 bytes
Created: 01/08/2008
Modified: 17/08/2001
Company: Microsoft Corporation
----------
Key: NetworkX
ImagePath: \SystemRoot\system32\ckldrv.sys
C:\WINDOWS\system32\ckldrv.sys
31846 bytes
Created: 29/08/2008
Modified: 10/01/2006
Company: [no info]
----------
Key: ose
ImagePath: C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE
C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE
89136 bytes
Created: 28/07/2003
Modified: 28/07/2003
Company: Microsoft Corporation
----------
Key: rtl8029
ImagePath: System32\DRIVERS\RTL8029.SYS
C:\WINDOWS\System32\DRIVERS\RTL8029.SYS
19017 bytes
Created: 01/08/2008
Modified: 17/08/2001
Company: Realtek Semiconductor Corporation
----------
Key: Secdrv
ImagePath: System32\DRIVERS\secdrv.sys
C:\WINDOWS\System32\DRIVERS\secdrv.sys
27440 bytes
Created: 31/08/2001
Modified: 31/08/2001
Company: [no info]
----------
Key: ssmdrv
ImagePath: system32\DRIVERS\ssmdrv.sys
C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
28352 bytes
Created: 12/01/2009
Modified: 01/03/2007
Company: Avira GmbH
----------
Key: SwPrv
ImagePath: C:\WINDOWS\System32\dllhost.exe /Processid:{323D9A61-532D-43B1-B021-C6ECC388A22F}
C:\WINDOWS\System32\dllhost.exe
5120 bytes
Created: 31/08/2001
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: usnjsvc
ImagePath: "C:\Programmi\MSN Messenger\usnsvc.exe"
C:\Programmi\MSN Messenger\usnsvc.exe
97136 bytes
Created: 19/01/2007
Modified: 19/01/2007
Company: Microsoft Corporation
----------
Key: viaagp
ImagePath: System32\DRIVERS\viaagp.sys
C:\WINDOWS\System32\DRIVERS\viaagp.sys
42240 bytes
Created: 01/08/2008
Modified: 03/08/2004
Company: Microsoft Corporation
----------
Key: VIAudio
ImagePath: system32\drivers\viaudio.sys
C:\WINDOWS\system32\drivers\viaudio.sys
-R- 59264 bytes
Created: 01/08/2008
Modified: 24/07/2002
Company: VIA Technologies, Inc.
----------
************************************************************
14.11.23: Scanning -----VXD ENTRIES-----
************************************************************
14.11.23: Scanning ----- WINLOGON\NOTIFY DLLS -----
************************************************************
14.11.24: Scanning ----- CONTEXTMENUHANDLERS -----
Key: EPPShellEx
CLSID: {509FE1AF-ADD5-49EC-BC55-7CF81FD16E78}
Path: C:\Programmi\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll
C:\Programmi\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll
69632 bytes
Created: 01/08/2008
Modified: 13/04/2006
Company: SEIKO EPSON CORPORATION
----------
Key: Shell Extension for Malware scanning
CLSID: {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
Path: C:\Programmi\Avira\AntiVir PersonalEdition Classic\shlext.dll
C:\Programmi\Avira\AntiVir PersonalEdition Classic\shlext.dll
65793 bytes
Created: 12/01/2009
Modified: 12/06/2008
Company: Avira GmbH
----------
Key: WinRAR
CLSID: {B41DB860-8EE4-11D2-9906-E49FADC173CA}
Path: C:\Programmi\WinRAR\rarext.dll
C:\Programmi\WinRAR\rarext.dll
129536 bytes
Created: 27/08/2008
Modified: 20/09/2007
Company: [no info]
----------
************************************************************
14.11.24: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {F9DB5320-233E-11D1-9F84-707F02C10627}
File: C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
372736 bytes
Created: 10/05/2007
Modified: 10/05/2007
Company: Adobe Systems, Inc.
----------
************************************************************
14.11.24: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
62080 bytes
Created: 22/10/2006
Modified: 22/10/2006
Company: Adobe Systems Incorporated
----------
Key: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
BHO: C:\Programmi\Java\jre6\bin\ssv.dll
C:\Programmi\Java\jre6\bin\ssv.dll
320920 bytes
Created: 17/12/2008
Modified: 17/12/2008
Company: Sun Microsystems, Inc.
----------
Key: {DBC80044-A445-435b-BC74-9C25C1C588A9}
BHO: C:\Programmi\Java\jre6\bin\jp2ssv.dll
C:\Programmi\Java\jre6\bin\jp2ssv.dll
34816 bytes
Created: 17/12/2008
Modified: 17/12/2008
Company: Sun Microsystems, Inc.
----------
Key: {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
BHO: C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
73728 bytes
Created: 17/12/2008
Modified: 17/12/2008
Company: Sun Microsystems, Inc.
----------
Key: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
BHO: C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
368640 bytes
Created: 01/08/2008
Modified: 21/02/2005
Company: SEIKO EPSON CORPORATION
----------
************************************************************
14.11.25: Scanning ----- SHELLSERVICEOBJECTS -----
************************************************************
14.11.25: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
************************************************************
14.11.25: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.
************************************************************
14.11.25: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist
************************************************************
14.11.26: Scanning ----- SECURITY PROVIDER DLLS -----
************************************************************
14.11.26: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini
-HS- 84 bytes
Created: 01/08/2008
Modified: 01/08/2008
Company: [no info]
--------------------
************************************************************
No User Startup Groups were located to check
************************************************************
14.11.26: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan
************************************************************
14.11.26: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----
************************************************************
14.11.26: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Wallpaper1.bmp
2359350 bytes
Created: 01/08/2008
Modified: 02/12/2008
Company: [no info]
----------
Web Desktop Wallpaper: %USERPROFILE%\Documenti\Immagini\sfondo_autunno_vista_style.jpg
C:\Documents and Settings\Administrator\Documenti\Immagini\sfondo_autunno_vista_style.jpg
457442 bytes
Created: 22/09/2008
Modified: 22/09/2008
Company: [no info]
----------
Checks for rogue DNS NameServers completed
----------
Additional checks completed
************************************************************
14.11.27: Scanning ----- RUNNING PROCESSES -----
C:\WINDOWS\System32\smss.exe
--------------------
C:\WINDOWS\system32\csrss.exe
--------------------
C:\WINDOWS\system32\winlogon.exe
--------------------
C:\WINDOWS\system32\services.exe
--------------------
C:\WINDOWS\system32\lsass.exe
--------------------
C:\WINDOWS\system32\svchost.exe
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\WINDOWS\system32\spoolsv.exe
--------------------
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe - file already scanned
--------------------
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe - file already scanned
--------------------
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe - file already scanned
--------------------
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe - file already scanned
--------------------
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe - file already scanned
--------------------
C:\Programmi\Java\jre6\bin\jusched.exe - file already scanned
--------------------
C:\PROGRA~1\PHILIP~1\VProperty.exe - file already scanned
--------------------
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe - file already scanned
--------------------
C:\WINDOWS\system32\ctfmon.exe - file already scanned
--------------------
C:\Programmi\Messenger\msmsgs.exe - file already scanned
--------------------
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE - file already scanned
--------------------
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe - file already scanned
--------------------
C:\WINDOWS\system32\crypserv.exe - file already scanned
--------------------
C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S30RP1.EXE - file already scanned
--------------------
C:\Programmi\Java\jre6\bin\jqs.exe - file already scanned
--------------------
C:\WINDOWS\System32\nvsvc32.exe
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\wbem\wmiapsrv.exe
--------------------
C:\WINDOWS\System32\alg.exe
--------------------
C:\WINDOWS\system32\wuauclt.exe
--------------------
C:\Programmi\MSN Messenger\msnmsgr.exe
--------------------
C:\Programmi\MSN Messenger\usnsvc.exe - file already scanned
--------------------
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
--------------------
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avcenter.exe
--------------------
C:\Programmi\Internet Explorer\iexplore.exe
--------------------
C:\Documents and Settings\Administrator\Dati applicazioni\Simply Super Software\Trojan Remover\odeB.exe
FileSize: 2884472
[This is a Trojan Remover component]
--------------------
************************************************************
14.11.32: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file
************************************************************
14.11.32: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file
************************************************************
14.11.32: Checking HOSTS file
No malicious entries were found in the HOSTS file
************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.virgilio.it/
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.google.com
************************************************************
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 14.11.32 12 gen 2009
Total Scan time: 00.00.21
************************************************************
...at this point I await your opinion.