ok... here it is:
systemscan -
http://www.suspectfile.com - ver. 2.0.23
Date: 26/02/2007
Time: 19.04.32,04
Output limited to:
-Recent files
-Registry Run Keys
-Running Services
-Not Running Services
-Device Driver Services
-Svchost.exe instances
-Loaded Dlls
-Alternate Data Sreams
-Encrypted Files
-Hidden objects
-Suspicious Files
-------------Users folders -------------
Directory di C:\documents and settings
10/02/2007 18.31 <DIR> Default User
10/02/2007 18.31 <DIR> All Users
10/02/2007 11.42 <DIR> NetworkService
10/02/2007 11.42 <DIR> LocalService
10/02/2007 11.43 <DIR> Fedo
18/02/2007 14.03 <DIR> Administrator
-------------Recent files (60 days) -------------
NOTE: searched only in C:, C:\WINDOWS, C:\WINDOWS\system32, C:\Programmi\File comuni, C:\WINDOWS\temp
Directory di C:\
10/02/2007 04.17 <DIR> _RESTORE
10/02/2007 04.12 <DIR> WINDOWS
13/02/2007 14.26 <DIR> Giochi
10/02/2007 17.02 <DIR> Cazzate
10/02/2007 05.00 <DIR> Documents and Settings
10/02/2007 04.31 <DIR> $WIN_NT$.~BT
10/02/2007 04.32 <DIR> $WIN_NT$.~LS
10/02/2007 11.36 <DIR> Programmi
10/02/2007 04.39 <DIR> user~tmp.@01
26/02/2007 19.04 <DIR> suspectfile
10/02/2007 04.38 <DIR> undo
10/02/2007 04.28 0 CONFIG.BAK
10/02/2007 04.23 529 SCANDISK.LOG
10/02/2007 19.51 80 FilterLog.log
11/02/2007 15.40 0 DBS.TXT
10/02/2007 04.28 0 CONFIG.SYS
Directory di C:\WINDOWS
10/02/2007 04.12 <DIR> SYSTEM
10/02/2007 04.13 <DIR> COMMAND
10/02/2007 04.13 <DIR> OPTIONS
10/02/2007 04.15 <DIR> UPGINFS
10/02/2007 04.15 <DIR> HELP
10/02/2007 04.15 <DIR> SYSTEM32
10/02/2007 04.15 <DIR> MSAGENT
10/02/2007 04.15 <DIR> CURSORS
10/02/2007 04.15 <DIR> JAVA
10/02/2007 04.15 <DIR> UPGDLLS
10/02/2007 11.36 <DIR> WEB
10/02/2007 04.15 <DIR> DRWATSON
10/02/2007 04.15 <DIR> MEDIA
10/02/2007 04.15 <DIR> PCHEALTH
10/02/2007 04.16 <DIR> TWAIN_32
10/02/2007 04.16 <DIR> CONFIG
10/02/2007 04.16 <DIR> SAMPLES
10/02/2007 04.17 <DIR> TEMP
10/02/2007 04.32 <DIR> MDMUPGLG
10/02/2007 04.26 <DIR> Offline Web Pages
10/02/2007 04.28 <DIR> All Users
10/02/2007 04.30 <DIR> setup
10/02/2007 04.39 <DIR> repair
10/02/2007 04.39 <DIR> addins
10/02/2007 04.39 <DIR> Connection Wizard
10/02/2007 04.39 <DIR> Driver Cache
10/02/2007 04.39 <DIR> security
10/02/2007 04.39 <DIR> msapps
10/02/2007 04.39 <DIR> AppPatch
10/02/2007 04.39 <DIR> Debug
10/02/2007 04.39 <DIR> Resources
10/02/2007 04.39 <DIR> Provisioning
10/02/2007 04.39 <DIR> mui
10/02/2007 04.39 <DIR> WinSxS
10/02/2007 04.39 <DIR> ime
10/02/2007 04.39 <DIR> PeerNet
10/02/2007 04.39 <DIR> ehome
10/02/2007 12.05 <DIR> Motorola
10/02/2007 11.49 <DIR> Microsoft.NET
10/02/2007 11.42 <DIR> SoftwareDistribution
10/02/2007 11.42 <DIR> Prefetch
10/02/2007 11.35 <DIR> srchasst
10/02/2007 11.34 <DIR> Registration
10/02/2007 11.42 811.101 setuplog.txt
10/02/2007 11.41 156.164 setupact.log
10/02/2007 05.08 614 setuperr.log
22/02/2007 21.23 674.802 setupapi.log
10/02/2007 18.32 1.380 regopt.log
10/02/2007 11.37 4.161 ODBCINST.INI
11/02/2007 19.27 32.228 ocgen.log
11/02/2007 19.27 48.634 FaxSetup.log
11/02/2007 19.27 88.907 iis6.log
11/02/2007 19.27 31.811 comsetup.log
11/02/2007 19.27 19.060 ntdtcsetup.log
11/02/2007 19.27 27.113 tsoc.log
11/02/2007 19.27 21.628 msmqinst.log
11/02/2007 19.27 2.725 msgsocm.log
11/02/2007 19.27 3.118 tabletoc.log
11/02/2007 19.27 4.037 MedCtrOC.log
11/02/2007 19.27 9.288 netfxocm.log
11/02/2007 19.27 3.201 ocmsn.log
10/02/2007 18.35 0 Sti_Trace.log
12/02/2007 16.01 50 wiaservc.log
12/02/2007 16.01 216 wiadebug.log
10/02/2007 11.33 200 cmsetacl.log
11/02/2007 19.28 17.641 wmsetup.log
10/02/2007 11.34 133 DtcInstall.log
10/02/2007 11.34 36 vb.ini
10/02/2007 11.34 37 vbaddin.ini
10/02/2007 11.35 1.022 sessmgr.setup.log
26/02/2007 18.16 1.437.647 WindowsUpdate.log
10/02/2007 11.43 829 OEWABLog.txt
11/02/2007 19.27 316.640 WMSysPr9.prx
10/02/2007 11.37 0 control.ini
10/02/2007 11.42 8.192 REGLOCS.OLD
25/02/2007 22.38 32.618 SchedLgU.Txt
26/02/2007 18.10 0 0.log
12/02/2007 15.40 700 win.ini
10/02/2007 11.51 1.404 COM+.log
10/02/2007 11.55 4.510 KB888111.log
10/02/2007 11.56 180 atcl01setup.log
10/02/2007 12.01 424 ODBC.INI
10/02/2007 18.32 231 system.ini
26/02/2007 19.00 7.000 ModemLog_Motorola SM56 Speakerphone Modem.txt
10/02/2007 12.14 249 KB822603.log
10/02/2007 13.02 21.265 Ascd_tmp.ini
10/02/2007 13.02 0 AS_Debug.txt
10/02/2007 13.27 11.979 EPSTPLOG.BAK
10/02/2007 13.27 8.624 EPSTPLOG.TXT
10/02/2007 20.03 6.078 DPINST.LOG
13/02/2007 21.26 69 NeroDigital.ini
10/02/2007 21.13 6.974 KB898461.log
11/02/2007 13.31 6.316 KB893803v2.log
11/02/2007 14.03 3.258 KB896423.log
11/02/2007 23.25 3.513 KB914389.log
11/02/2007 20.04 3.463 KB920683.log
11/02/2007 20.05 3.567 KB908519.log
11/02/2007 23.46 3.675 KB894391.log
12/02/2007 19.21 3.784 KB923694.log
12/02/2007 14.47 3.877 KB920213.log
11/02/2007 20.24 3.976 KB917422.log
11/02/2007 20.36 4.072 KB917953.log
11/02/2007 22.39 4.171 KB905414.log
11/02/2007 22.40 4.643 KB917344.log
11/02/2007 22.41 4.377 KB914388.log
11/02/2007 22.42 4.477 KB919007.log
11/02/2007 22.42 5.152 KB920872.log
11/02/2007 22.46 4.677 KB920670.log
11/02/2007 23.03 4.786 KB896358.log
11/02/2007 23.06 4.970 KB887472.log
11/02/2007 15.56 5.250 ModemLog_Philips Phones USB.txt
11/02/2007 19.27 16.012 WMFDist11.log
11/02/2007 19.27 987 updspapi.log
11/02/2007 19.27 7.348 Wudf01000Inst.log
11/02/2007 19.27 1.374 imsins.BAK
11/02/2007 19.27 12.851 wmp11.log
11/02/2007 19.27 304 wmsetup10.log
11/02/2007 19.27 1.374 imsins.log
12/02/2007 19.01 4.993 KB921398.log
11/02/2007 23.15 5.088 KB924496.log
11/02/2007 23.17 5.189 KB924270.log
11/02/2007 23.21 5.288 KB920685.log
11/02/2007 23.21 5.380 KB899591.log
11/02/2007 23.22 5.493 KB901017.log
11/02/2007 23.23 5.590 KB922616.log
12/02/2007 11.59 5.696 KB913580.log
12/02/2007 19.18 5.807 KB908531.log
12/02/2007 19.21 5.897 KB904706.log
12/02/2007 12.07 6.135 KB916595.log
12/02/2007 14.47 6.090 KB912919.log
12/02/2007 15.40 6.407 KB900725.log
12/02/2007 15.40 6.631 KB926255.log
12/02/2007 14.56 6.393 KB923191.log
12/02/2007 15.44 6.727 KB901214.log
12/02/2007 19.30 6.515 KB902400.log
12/02/2007 15.49 6.926 KB918439.log
12/02/2007 15.00 6.782 KB873339.log
12/02/2007 15.02 6.806 KB896424.log
12/02/2007 15.02 7.411 KB900485.log
12/02/2007 15.02 6.999 KB911562.log
12/02/2007 15.02 7.100 KB911280.log
12/02/2007 15.03 7.210 KB923980.log
12/02/2007 15.03 7.305 KB893756.log
12/02/2007 15.04 7.399 KB911927.log
12/02/2007 15.07 7.883 KB929969.log
12/02/2007 15.15 7.840 KB885835.log
12/02/2007 15.15 7.709 KB922819.log
12/02/2007 15.17 7.815 KB924191.log
12/02/2007 23.32 8.301 KB925454.log
12/02/2007 15.22 8.011 KB899587.log
12/02/2007 15.22 8.106 KB896428.log
12/02/2007 19.09 8.213 KB923414.log
12/02/2007 19.21 8.396 KB888302.log
12/02/2007 19.30 8.829 KB891781.log
12/02/2007 23.32 8.919 KB890859.log
12/02/2007 19.34 8.701 KB885836.log
12/02/2007 22.44 8.716 KB905749.log
19/02/2007 18.50 32.387 DirectX.log
18/02/2007 14.03 132.088 ntbtlog.txt
Directory di C:\WINDOWS\system32
10/02/2007 04.15 <DIR> DRIVERS
11/02/2007 19.27 <DIR> LogFiles
10/02/2007 21.13 <DIR> PreInstall
10/02/2007 20.03 <DIR> DRVSTORE
10/02/2007 14.35 <DIR> SoftwareDistribution
10/02/2007 11.59 <DIR> Lang
10/02/2007 11.56 <DIR> Attansic
10/02/2007 11.55 <DIR> RTCOM
10/02/2007 11.53 <DIR> ReinstallBackups
10/02/2007 11.49 <DIR> URTTemp
10/02/2007 11.33 <DIR> MsDtc
10/02/2007 11.33 <DIR> Com
10/02/2007 11.36 <DIR> DirectX
10/02/2007 11.38 <DIR> xircom
10/02/2007 05.01 <DIR> CatRoot2
10/02/2007 05.01 <DIR> CatRoot
10/02/2007 11.35 <DIR> Restore
18/02/2007 14.06 <DIR> appmgmt
10/02/2007 04.39 <DIR> 1040
10/02/2007 04.39 <DIR> 3com_dmi
10/02/2007 04.39 <DIR> IME
10/02/2007 04.39 <DIR> inetsrv
10/02/2007 04.39 <DIR> usmt
10/02/2007 04.39 <DIR> 3076
10/02/2007 04.39 <DIR> 2052
10/02/2007 04.39 <DIR> 1054
10/02/2007 04.39 <DIR> 1042
10/02/2007 04.39 <DIR> 1041
10/02/2007 04.39 <DIR> 1037
10/02/2007 04.39 <DIR> 1033
10/02/2007 04.39 <DIR> 1031
10/02/2007 04.39 <DIR> 1028
10/02/2007 04.39 <DIR> 1025
10/02/2007 04.39 <DIR> oobe
10/02/2007 04.39 <DIR> mui
10/02/2007 04.39 <DIR> icsxml
10/02/2007 04.39 <DIR> export
10/02/2007 04.39 <DIR> ias
10/02/2007 04.39 <DIR> npp
10/02/2007 04.39 <DIR> Setup
10/02/2007 04.39 <DIR> ShellExt
10/02/2007 04.39 <DIR> dhcp
10/02/2007 04.39 <DIR> wins
10/02/2007 04.39 <DIR> spool
10/02/2007 04.39 <DIR> ras
10/02/2007 04.39 <DIR> config
10/02/2007 04.15 <DIR> wbem
10/02/2007 04.16 <DIR> MACROMED
26/02/2007 18.10 2.206 wpa.dbl
10/02/2007 12.07 53.744 perfc009.dat
10/02/2007 12.07 383.390 perfh009.dat
10/02/2007 12.07 64.378 perfc010.dat
10/02/2007 12.07 428.660 perfh010.dat
10/02/2007 11.41 261 $winnt$.inf
10/02/2007 12.12 189.000 FNTCACHE.DAT
10/02/2007 11.37 2.885 CONFIG.NT
10/02/2007 12.07 939.894 PerfStringBackup.INI
10/02/2007 18.36 0 h323log.txt
10/02/2007 11.34 21.840 emptyregdb.dat
10/02/2007 11.59 940.794 LoopyMusic.wav
10/02/2007 11.59 146.650 BuzzingBee.wav
10/02/2007 13.22 1.344 bpk.bin
16/02/2007 11.32 96.471 web.dat
10/02/2007 14.37 1.071 bpk.dat
19/01/2007 12.53 51.056 sirenacm.dll
11/02/2007 19.27 3.051 spupdsvc.inf
11/02/2007 19.27 23.392 nscompat.tlb
11/02/2007 19.27 16.832 amcompat.tlb
20/02/2007 17.31 360.448 px.dll
20/02/2007 17.32 155.648 pxmas.dll
20/02/2007 17.34 339.968 pxwave.dll
20/02/2007 17.37 28.672 vxblock.dll
20/02/2007 17.31 397.312 pxdrv.dll
20/02/2007 17.37 1.093.632 pxsfs.dll
20/02/2007 17.34 57.344 pxhpinst.exe
20/02/2007 17.38 54.272 pxinsa64.exe
20/02/2007 17.38 104.960 pxinsi64.exe
20/02/2007 17.38 56.832 pxcpya64.exe
20/02/2007 17.39 108.544 pxcpyi64.exe
Directory di C:\Programmi\File comuni
10/02/2007 04.26 <DIR> ODBC
10/02/2007 04.15 <DIR> SYSTEM
10/02/2007 04.16 <DIR> SERVICES
10/02/2007 04.12 <DIR> Microsoft Shared
10/02/2007 18.32 <DIR> SpeechEngines
10/02/2007 11.35 <DIR> MSSoap
10/02/2007 11.47 <DIR> InstallShield
10/02/2007 12.00 <DIR> DESIGNER
10/02/2007 13.27 <DIR> EPSON
10/02/2007 19.50 <DIR> Ahead
14/02/2007 16.21 <DIR> Adobe
Directory di C:\WINDOWS\temp
20/02/2007 22.53 <DIR> Cronologia
22/02/2007 16.46 <DIR> bak
-------------HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------
-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows-------------
[Windows]
"AppInit_DLLs"=""
-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------
[Winlogon]
"Shell"="Explorer.exe"
"System"=""
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"forceunlocklogon"=dword:00000000
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=expand:"logonui.exe"
"LogonType"=dword:00000001
"Background"="0 0 0"
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
[Winlogon\GPExtensions]
[Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Senza fili"
"DllName"=expand:"gptext.dll"
[Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"DllName"=expand:"fdeploy.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
[Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Quota disco Microsoft"
"DllName"=expand:"dskquota.dll"
[Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="Utilità di pianificazione pacchetti QoS"
"DllName"=expand:"gptext.dll"
[Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Script"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
[Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Mapping aree Internet Explorer"
"DllName"=expand:"iedkcs32.dll"
[Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
[Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=expand:"iedkcs32.dll"
@="Personalizzazione Internet Explorer"
[Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
@="EFS recovery"
[Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\System32\cscui.dll"
[Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Installazione software"
"DllName"=expand:"appmgmts.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
[Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="Protezione IP"
"DllName"=expand:"gptext.dll"
[Winlogon\Notify]
[Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[Winlogon\Notify\crypt32chain]
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
[Winlogon\Notify\cryptnet]
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
[Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"StartShell"="WinlogonStartShellEvent"
[Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
[Winlogon\Notify\Schedule]
"DllName"=expand:"wlnotify.dll"
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"DllName"=expand:"sclgntfy.dll"
[Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
[Winlogon\Notify\termsrv]
"DllName"=expand:"wlnotify.dll"
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
[Winlogon\SpecialAccounts]
[Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------
-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------
[Winlogon]
"ExcludeProfileDirs"="Impostazioni locali;Temporary Internet Files;Cronologia;Temp;Impostazioni locali\Dati applicazioni\Microsoft\Outlook"
"BuildNumber"=dword:00000a28
-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Run-------------
[Run]
"SMSERIAL"="sm56hlpr.exe"
[Run\OptionalComponents]
[Run\OptionalComponents\IMAIL]
"Installed"="1"
[Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[Run\OptionalComponents\MSFS]
"Installed"="1"
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------
[RunOnce]
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------
[RunOnceEx]
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices-------------
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------
-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run-------------
[Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe\""
-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------
-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------
-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices-------------
-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------
-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run-------------
-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run-------------
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects-------------
[Browser Helper Objects]
-------------HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks-------------
[URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
#### HKCR\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InprocServer32 @=expand:"%SystemRoot%\system32\shdocvw.dll"
-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks-------------
[ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
#### HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32 @="shell32.dll"
-------------HKLM\SYSTEM\ControlSet001\Control\Lsa-------------
[Lsa]
"Authentication Packages"=multi:"msv1_0\00\00"
"Bounds"=hex:00,30,00,00,00,20,00,00
"LsaPid"=dword:00000230
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=multi:"scecli\00\00"
[Lsa\AccessProviders]
"ProviderOrder"=multi:"Windows NT Access Provider\00\00"
[Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=expand:"%SystemRoot%\system32\ntmarta.dll"
[Lsa\Audit]
[Lsa\Audit\PerUserAuditing]
[Lsa\Audit\PerUserAuditing\System]
[Lsa\Data]
@Class="45dde5fd"
"Pattern"=hex:ac,af,71,da,7c,b2,65,1d,89,ed,71,e0,1c,ce,32,31,34,35,64,64,65,\
35,66,64,00,fd,07,00,13,7f,00,00,34,fa,07,00,56,82,47,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,87,6e,07,69,4b,8d,dd,69,df,05,dd,45
[Lsa\GBG]
@Class="878dec4b"
"GrafBlumGroup"=hex:53,f9,cd,7f,d1,f8,56,d0,bb
[Lsa\JD]
@Class="dfdd6969"
"Lookup"=hex:cc,19,d0,44,f5,e4
[Lsa\Kerberos]
[Lsa\Kerberos\Domains]
[Lsa\Kerberos\SidCache]
[Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[Lsa\Skew1]
@Class="076e0556"
"SkewMatrix"=hex:ac,55,d2,5a,ae,7e,bb,8f,b6,5e,c5,68,d8,96,05,77
[Lsa\SSO]
[Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[Lsa\SspiCache]
"Time"=hex:76,d7,06,bc,42,4d,c7,01
[Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"RpcId"=dword:0000ffff
"Time"=hex:00,7e,17,85,e9,85,c4,01
"Type"=dword:00000031
[Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"RpcId"=dword:00000011
"Time"=hex:00,5f,0d,8b,e9,85,c4,01
"Type"=dword:00000031
[Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"RpcId"=dword:00000012
"Time"=hex:00,5f,0d,8b,e9,85,c4,01
"Type"=dword:00000031
-------------HKLM\SYSTEM\ControlSet001\Services\SharedAccess-------------
[SharedAccess]
"Description"="Fornisce servizi di conversione indirizzi di rete, indirizzamento e risoluzione nomi e/o servizi di prevenzione intrusione per una rete domestica o una piccola rete aziendale."
"DisplayName"="Windows Firewall / Condivisione connessione Internet (ICS)"
"ImagePath"=expand:"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
[SharedAccess\Epoch]
"Epoch"=dword:000002f1
[SharedAccess\Parameters]
"ServiceDll"=expand:"%SystemRoot%\System32\ipnathlp.dll"
[SharedAccess\Parameters\FirewallPolicy]
[SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]
[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\MSN Messenger\msnmsgr.exe"="C:\Programmi\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Programmi\MSN Messenger\livecall.exe"="C:\Programmi\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Messenger\msmsgs.exe"="C:\Programmi\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\TEMP\NavBrowser.exe"="C:\WINDOWS\TEMP\NavBrowser.exe:*:Enabled:NAVBrowser"
"C:\Programmi\MSN Messenger\msnmsgr.exe"="C:\Programmi\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Programmi\MSN Messenger\livecall.exe"="C:\Programmi\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Programmi\iDC++\iDCPlusPlus.exe"="C:\Programmi\iDC++\iDCPlusPlus.exe:*:Enabled:iDC++"
[SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001
[SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001
-------------HKLM\Software\Microsoft\Ole-------------
[Ole]
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"
[Ole\AppCompat]
[Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
[Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""
-------------HKEY_CLASSES_ROOT\exefile\shell\open\command-------------
@="\"%1\" %*"
-------------HKEY_CLASSES_ROOT\comfile\shell\open\command-------------
@="\"%1\" %*"
-------------HKEY_CLASSES_ROOT\batfile\shell\open\command-------------
@="\"%1\" %*"
-------------HKEY_CLASSES_ROOT\piffile\shell\open\command-------------
@="\"%1\" %*"
-------------HKEY_CLASSES_ROOT\scrFile\shell\open\command-------------
@="\"%1\" /S"
-------------HKEY_CLASSES_ROOT\htafile\shell\open\command-------------
@="C:\WINDOWS\system32\mshta.exe \"%1\" %*"
-------------HKEY_CLASSES_ROOT\logfile\shell\open\command-------------
-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler-------------
[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
#### HKCR\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InprocServer32 @=expand:"%SystemRoot%\system32\browseui.dll"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"
#### HKCR\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InprocServer32 @=expand:"%SystemRoot%\system32\browseui.dll"
-------------HKLM\Software\Microsoft\Active Setup\Installed Components-------------
[Installed Components]
[Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"Stubpath"="C:\WINDOWS\inf\unregmp2.exe /ShowWMP"
@="Microsoft Windows Media Player"
"ComponentID"="WMPACCESS"
[Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
@="Internet Explorer"
"ComponentID"="IEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE"
[Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
@="Personalizzazione del browser"
"ComponentID"="BRANDING.CAB"
"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"
[Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
@="Outlook Express"
"ComponentID"="OEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE"
[Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
@="Rendering grafica vettoriale (VML)"
"ComponentID"="MSVML"
[Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
#### HKCR\CLSID\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
@=""
"ComponentID"="NetShow"
"StubPath"=""
[Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"=""
@="Microsoft Windows Media Player 6.4"
[Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
#### HKCR\CLSID\{283807B5-2C60-11D0-A31D-00AA00B92C03}\InprocServer32 @="C:\WINDOWS\system32\danim.dll"
@="DirectAnimation"
"ComponentID"="DirectAnimation"
[Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"ComponentID"="Theme Component"
"StubPath"=expand:"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll"
[Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
@="Binding dati Dynamic HTML per Java"
"ComponentID"="TridataJava"
[Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]
@="Modulo ricerca non in linea"
"ComponentID"="MobilePk"
[Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
@="Uniscribe"
"ComponentID"="USP10"
[Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}]
@="Creazione avanzata"
"ComponentID"="AdvAuth"
[Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Outlook Express 6"
"ComponentID"="MailNews"
"CloneUser"=dword:00000001
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"
[Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
@="NetMeeting 3.01"
"ComponentID"="NetMeeting"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT"
[Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
@="DirectShow"
"ComponentID"="activemovie"
[Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
@="DirectDrawEx"
"ComponentID"="DirectDrawEx"
[Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
@="Guida di Internet Explorer"
"ComponentID"="HelpCont"
[Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
@="Classi Java DirectAnimation"
"ComponentID"="DAJava"
[Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
@="Microsoft Windows Script 5.6"
"ComponentID"="MSVBScript"
[Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
"KeyFileName"="C:\Programmi\Messenger\msmsgs.exe"
@="Windows Messenger 4.7"
"ComponentID"="Messenger"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser"
[Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
"(Default)"="Internet Connection Wizard"
"ComponentID"="ICW"
[Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
@="Strumenti di installazione di Internet Explorer"
"ComponentID"="GenSetup"
[Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
@="Miglioramenti sfoglia"
"ComponentID"="ExtraPack"
"KeyFileName"="C:\WINDOWS\system32\msieftp.dll"
[Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
#### HKCR\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32 @="C:\WINDOWS\system32\wmp.dll"
@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub"
[Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
@="Accesso sito MSN"
"ComponentID"="MSN_Auth"
[Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
@="Web Folders"
"ComponentID"="WebFolders"
"StubPath"=""
[Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
@="Rubrica 6"
"ComponentID"="WAB"
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install"
[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"ComponentID"="IE4Shell_NT"
"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"
[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Internet Explorer 6"
"ComponentID"="BASEIE40_W2K"
"StubPath"=expand:"%SystemRoot%\system32\ie4uinit.exe"
[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix]
[Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"ComponentID"="DOTNETFRAMEWORKS"
"StubPath"="C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install"
[Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
@="Binding dati Dynamic HTML"
"ComponentID"="Tridata"
[Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}]
[Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]
@="Font principali di Internet Explorer"
"ComponentID"="Fontcore"
[Installed Components\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}]
"ComponentID"=".NETFramework"
@=".NET Framework"
[Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
@="Utilità di pianificazione"
"ComponentID"="MSTASK"
[Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
"ComponentID"="Windows Movie Maker v2.1"
[Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@="Adobe Flash Player 9 ActiveX"
"ComponentID"="Flash"
[Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
@="Guida HTML"
"ComponentID"="HTMLHelp"
[Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]
@="Active Directory Service Interface"
"ComponentID"="ADSI"
-------------Comparing registry keys CCS1 vs CCS2 -------------
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\ACPI\Grou
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Dhcp\Parameters {716F82CC-0AC0-42FF-B946-16F4D35AC5F3} REG_BINARY 0F00000000000000000000000000000001F9E145F900000000000000000000000000000001F9E1450100000000000000000000000000000001F9E1452B00000000000000000000000000000001F9E1452C00000000000000000000000000000001F9E1450600000000000000000000000000000001F9E145
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Dhcp\Parameters {716F82CC-0AC0-42FF-B946-16F4D35AC5F3} REG_BINARY 0F0000000000000000000000000000006520E345F90000000000000000000000000000006520E345010000000000000000000000000000006520E3452B0000000000000000000000000000006520E3452C0000000000000000000000000000006520E345060000000000000000000000000000006520E345
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\DS
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\LSA
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\NetDDE Object
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\SC Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security Account Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Spooler
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\lanmanserver\parameters Guid REG_BINARY 154D0B655CE4604BBC3167BC91D76051
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\lanmanserver\parameters Guid REG_BINARY 2C8F4FFC636C174B88D361206515F540
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\lanmanserver\Shares\\
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\MEMSWEEP2
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\MRxDAV\EncryptedDirectories
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 753 (0x2F1)
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\SharedAccess\Epoch Epoch REG_DWORD 745 (0x2E9)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\smserial\Parameters DosDevice REG_SZ \DosDevices\COM3\DosDevices\COM3\DosDevices\COM3\DosDevices\COM3\DosDevices\COM3
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\smserial\Parameters DosDevice REG_SZ \DosDevices\COM3\DosDevices\COM3\DosDevices\COM3
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} NTEContextList REG_MULTI_SZ \0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} NTEContextList REG_MULTI_SZ 0x00000002\0\0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} DhcpIPAddress REG_SZ 0.0.0.0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} DhcpIPAddress REG_SZ 80.104.58.150
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} DhcpSubnetMask REG_SZ 0.0.0.0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} DhcpSubnetMask REG_SZ 255.255.255.255
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} NameServer REG_SZ
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3} NameServer REG_SZ 62.211.69.150 212.48.4.15
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\UPS\
Result compared: Different
-------------Comparing registry keys CCS1 vs CCS3 -------------
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\ACPI\Grou
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Dhcp\Parameters {716F82CC-0AC0-42FF-B946-16F4D35AC5F3} REG_BINARY 0F00000000000000000000000000000001F9E145F900000000000000000000000000000001F9E1450100000000000000000000000000000001F9E1452B00000000000000000000000000000001F9E1452C00000000000000000000000000000001F9E1450600000000000000000000000000000001F9E145
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Dhcp\Parameters {716F82CC-0AC0-42FF-B946-16F4D35AC5F3} REG_BINARY 0F00000000000000000000000000000052B2E145F900000000000000000000000000000052B2E1450100000000000000000000000000000052B2E1452B00000000000000000000000000000052B2E1452C00000000000000000000000000000052B2E1450600000000000000000000000000000052B2E145
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\DS
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\LSA
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\NetDDE Object
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\SC Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Security
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Security Account Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Spooler
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\lanmanserver\Shares\\
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\MEMSWEEP2
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\MRxDAV\EncryptedDirectories
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 753 (0x2F1)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess\Epoch Epoch REG_DWORD 736 (0x2E0)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\smserial\Parameters DosDevice REG_SZ \DosDevices\COM3\DosDevices\COM3\DosDevices\COM3\DosDevices\COM3\DosDevices\COM3
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\smserial\Parameters DosDevice REG_SZ \DosDevices\COM3
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\UPS\
Result compared: Different
-------------List of running services -------------
000) "ALG" - Servizio Gateway di livello applicazione
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\alg.exe
001) "Ati HotKey Poller" - Ati HotKey Poller
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\Ati2evxx.exe
002) "AudioSrv" - Audio Windows
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
003) "CryptSvc" - Servizi di crittografia
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
004) "DcomLaunch" - Utilità di avvio processo server DCOM
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost -k DcomLaunch
005) "Dhcp" - Client DHCP
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
006) "dmserver" - Gestione dischi logici
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
007) "Dnscache" - Client DNS
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k NetworkService
008) "EPSONStatusAgent2" - EPSON Printer Status Agent2
---> STAT = (RUNNING) Started automatically
---> FILE = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
009) "ERSvc" - Servizio di segnalazione errori
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
010) "Eventlog" - Registro eventi
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\services.exe
011) "EventSystem" - Sistema di eventi COM+
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
012) "FastUserSwitchingCompatibility" - Compatibilità di Cambio rapido utente
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
013) "helpsvc" - Guida in linea e supporto tecnico
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
014) "lanmanserver" - Server
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
015) "lanmanworkstation" - Workstation
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
016) "LmHosts" - Helper NetBIOS di TCP/IP
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k LocalService
017) "Netman" - Connessioni di rete
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
018) "Nla" - NLA (Network Location Awareness)
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
019) "PlugPlay" - Plug and Play
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\services.exe
020) "PolicyAgent" - Servizi IPSEC
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\lsass.exe
021) "ProtectedStorage" - Archiviazione protetta
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\lsass.exe
022) "RasMan" - Connection Manager di Accesso remoto
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
023) "RemoteRegistry" - Registro di sistema remoto
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k LocalService
024) "RpcSs" - RPC (Remote Procedure Call)
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost -k rpcss
025) "SamSs" - Gestione account di protezione (SAM)
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\lsass.exe
026) "Schedule" - Utilità di pianificazione
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
027) "seclogon" - Accesso secondario
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
028) "SENS" - Notifica eventi di sistema
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
029) "SharedAccess" - Windows Firewall / Condivisione connessione Internet (ICS)
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
030) "ShellHWDetection" - Rilevamento hardware shell
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
031) "Spooler" - Spooler di stampa
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\spoolsv.exe
032) "SSDPSRV" - Servizio di rilevamento SSDP
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k LocalService
033) "TapiSrv" - Telefonia
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
034) "TermService" - Servizi terminal
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost -k DComLaunch
035) "Themes" - Temi
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
036) "TrkWks" - Manutenzione collegamenti distribuiti client
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
037) "W32Time" - Ora di Windows
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
038) "WebClient" - WebClient
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k LocalService
039) "winmgmt" - Strumentazione gestione Windows
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
040) "wscsvc" - Centro sicurezza PC
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
041) "wuauserv" - Aggiornamenti automatici
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
042) "WZCSVC" - Zero Configuration reti senza fili
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
..:: BOOT REGISTRY ::..
0) "SMSERIAL"
---> CMD = sm56hlpr.exe
---> FILE = C:\WINDOWS\System32\sm56hlpr.exe
-------------List of NOT running services -------------
000) "Alerter" - Avvisi
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\system32\svchost.exe -k LocalService
001) "AppMgmt" - Gestione applicazione
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
002) "aspnet_state" - ASP.NET State Service
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
003) "ATI Smart" - ATI Smart
---> STAT = (NOT RUNNING) Started automatically
---> FILE = C:\WINDOWS\SYSTEM32\ati2sgag.exe
004) "BITS" - Servizio trasferimento intelligente in background
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
005) "Browser" - Browser di computer
---> STAT = (NOT RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
006) "CiSvc" - Servizio di indicizzazione
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\cisvc.exe
007) "ClipSrv" - ClipBook
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\system32\clipsrv.exe
008) "COMSysApp" - Applicazione di sistema COM+
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
009) "dmadmin" - Servizio amministrativo di Gestione disco logico
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\dmadmin.exe /com
010) "HidServ" - Accesso periferica Human Interface
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
011) "HTTPFilter" - SSL HTTP
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k HTTPFilter
012) "ImapiService" - Servizio COM di masterizzazione CD IMAPI
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\imapi.exe
013) "Messenger" - Messenger
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
014) "mnmsrvc" - Condivisione desktop remoto di NetMeeting
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\mnmsrvc.exe
015) "MSDTC" - Distributed Transaction Coordinator
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\msdtc.exe
016) "MSIServer" - Windows Installer
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\msiexec.exe /V
017) "NetDDE" - DDE di rete
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\system32\netdde.exe
018) "NetDDEdsdm" - DDE DSDM di rete
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\system32\netdde.exe
019) "Netlogon" - Accesso rete
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\lsass.exe
020) "NtLmSsp" - Provider supporto protezione LM NT
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\lsass.exe
021) "NtmsSvc" - Archivi rimovibili
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
022) "ose" - Office Source Engine
---> STAT = (NOT RUNNING) Started manually
---> FILE = "C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE"
023) "RasAuto" - Auto Connection Manager di Accesso remoto
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
024) "RDSessMgr" - Gestione sessione di assistenza mediante desktop remoto
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\sessmgr.exe
025) "RemoteAccess" - Routing e Accesso remoto
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
026) "RpcLocator" - RPC Locator
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\locator.exe
027) "RSVP" - QoS RSVP
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\rsvp.exe
028) "SCardSvr" - smart card
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\SCardSvr.exe
029) "srservice" - Servizio Ripristino configurazione di sistema
---> STAT = (NOT RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
030) "stisvc" - Acquisizione di immagini di Windows (WIA)
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k imgsvc
031) "SwPrv" - MS Software Shadow Copy Provider
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\dllhost.exe /Processid:{E2076F12-9B30-4BB0-815D-F0EF020DD009}
032) "SysmonLog" - Avvisi e registri di prestazioni
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\smlogsvc.exe
033) "TlntSvr" - Telnet
---> STAT = (NOT RUNNING) Disabled
---> FILE = C:\WINDOWS\system32\tlntsvr.exe
034) "upnphost" - Host di periferiche Plug and Play universali
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\svchost.exe -k LocalService
035) "UPS" - Gruppo di continuità
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\ups.exe
036) "usnjsvc" - Servizio Messenger Sharing Folders USN Journal Reader
---> STAT = (NOT RUNNING) Started manually
---> FILE = "C:\Programmi\MSN Messenger\usnsvc.exe"
037) "VSS" - Copia replicata del volume
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\vssvc.exe
038) "WmdmPmSN" - Servizio Numero di serie per dispositivi multimediali portatili
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
039) "Wmi" - Estensioni driver di Strumentazione gestione Windows
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
040) "WmiApSrv" - Scheda WMI Performance
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\system32\wbem\wmiapsrv.exe
041) "xmlprov" - Servizio Provisioning di rete
---> STAT = (NOT RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
-------------List of running device driver services -------------
000) "ACPI" - Driver ACPI Microsoft
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\ACPI.sys
001) "AFD" - AFD
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = \SystemRoot\System32\drivers\afd.sys
002) "AmdK8" - Driver del processore AMD
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\AmdK8.sys
003) "AsyncMac" - Driver per supporti asincroni RAS
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\asyncmac.sys
004) "atapi" - Controller disco rigido IDE/ESDI standard
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\atapi.sys
005) "ati2mtag" - ati2mtag
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\ati2mtag.sys
006) "audstub" - Driver stub audio
---> STAT = (RUNNING) Started manually
---> FILE = system32\DRIVERS\audstub.sys
007) "Beep" - Beep
---> STAT = (RUNNING) Started by "IoInitSystem" function
008) "Cdfs" - Cdfs
---> STAT = (RUNNING) Disabled
009) "Cdrom" - Driver del CD-ROM
---> STAT = (RUNNING) Started by "IoInitSystem" function
---> FILE = system32\DRIVERS\cdrom.sys
010) "Disk" - Driver del disco
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\system32\DRIVERS\disk.sys
011) "dmio" - Driver Gestione dischi logici
---> STAT = (RUNNING) Started by operating system loader
---> FILE = \SystemRoot\System32\drivers\dmio.sys
012) "dmload" - dmload
---> STAT = (RUNNING)