Jump to content


Photo
- - - - -

SUSPECTED TROJAN!


  • This topic is locked This topic is locked
72 replies to this topic

#21 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 02 September 2006 - 12:43 PM

Can you create a .reg file please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy all the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis]
"WinHeight"="8000"
"WinWidth"="9780"
"AutoSelect"="0"
"Confirm"="1"
"MakeBackup"="1"
"IgnoreSafe"="1"
"LogProcesses"="1"
"ShowIntroFrame"="1"
"DefStartPage"="about:blank"
"DefSearchPage"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"DefSearchAss"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"DefSearchCust"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"IgnoreNum"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"F-StopW"="C:\\Programmi\\FSI\\F-Prot\\F-StopW.EXE"
"FRISK FP-Scheduler"="C:\\Programmi\\FSI\\F-Prot\\F-Sched.exe"
"EPSON Stylus C62 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"!ewido"="\"C:\\Programmi\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Double click on fix.reg and allow to add/merge to the registry

==Download DelDomains.inf from HERE
Save it to desktop
If using a browser such as Firefox, Right click on that link and choose "Save link as.."

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard


folders to delete:
C:\Program Files\DSB
C:\Program Files\E-nrgyPlus
C:\Program Files\SHA256
C:\Program Files\WIZZ



Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Can you check and set the following
1. Open Microsoft Internet Explorer.
2. Click Tools > Internet Options.
3. Click the Security tab.
4. Click the Internet Icon.
5. Click Default Level.
6. Click the Local Intranet Icon.
7. Click Sites.
8. Remove any Web sites from the list that you do not recognise or do not trust.
9. Click Default Level.
10. Click the Trusted sites Icon.
11. Click on Sites.
12. Remove any Web sites from the list that you do not recognise or do not trust.
13. Click Default Level.
14. Click the Restricted sites Icon.
15. Click Default Level on lower right corner of the window.
16. Click OK on lower right corner of the window.

You have SpywareBlaster 3.4 installed
Can you open it please, under Protection>>Disable ALL Protections
Access your Add/remove programs and remove all the following
My Search Bar
SpywareBlaster v3.4


I haven't seen the next one before, if you didn't purposely install it remove it
haka2 Screen Saver

Finally remove Spybot - Search & Destroy 1.3
Reboot the computer afterwards

Back in Windows
*Install SpywareBlaster 3.5.1 by JavaCool *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Get the newest version of Spybot
Download and Install Spybot 1.4 from
HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete

Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish any cleaning process

Back in Windows

This entry in your combofix log indicates you have changed your desktop background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.htmb.it/m...ags/russia.gif"
Did you change to this on purpose?
If not, can you do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
7. Uncheck Everything here except for Pagina iniziale corrente if it is selected
OK your way out

Your uninstall list indicates you have Sygates' personal pro installed
Have you disabled it??
If not, it may be corrupt, access your add/remove programs and remove it
Reboot the computer afterwards
We can replace or reinstall it
Let me know if you paid for this please
Can you post back all the following

1. The log from Avenger
2. A fresh hijackthis log
3. Can you also double click on Export.bat again and post the contents

Can you also delete blbeta.exe from desktop
Try redownloading it again per instructions
Download and save too desktop
F-Secure Blacklight(blbeta.exe)

Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".

EDIT>>Don't worry about the desktop.ini files your seeing right now
We have shown hidden files and folders
You normally wouldn't see them, we'll cover these up later

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#22 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 03 September 2006 - 06:29 AM

Well...
DelDomains.inf doesn't work...It says it can't install...
I deleted and re-install blbeta.exe,but it says always the same things...It can't work...

Fresh Hijack logfile:

Logfile of HijackThis v1.99.1
Scan saved at 14.27.38, on 03/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe

Avenger logfile:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aysiatsr

*******************

Script file located at: \??\C:\WINDOWS\System32\pquavwoh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Folder C:\Program Files\DSB not found!
Deletion of folder C:\Program Files\DSB failed!

Could not process line:
C:\Program Files\DSB
Status: 0xc0000034



Folder C:\Program Files\E-nrgyPlus not found!
Deletion of folder C:\Program Files\E-nrgyPlus failed!

Could not process line:
C:\Program Files\E-nrgyPlus
Status: 0xc0000034



Folder C:\Program Files\SHA256 not found!
Deletion of folder C:\Program Files\SHA256 failed!

Could not process line:
C:\Program Files\SHA256
Status: 0xc0000034



Folder C:\Program Files\WIZZ not found!
Deletion of folder C:\Program Files\WIZZ failed!

Could not process line:
C:\Program Files\WIZZ
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Export text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis]
"WinHeight"="8000"
"WinWidth"="9780"
"AutoSelect"="0"
"Confirm"="1"
"MakeBackup"="1"
"IgnoreSafe"="1"
"LogProcesses"="1"
"ShowIntroFrame"="1"
"DefStartPage"="about:blank"
"DefSearchPage"="http://www.microsoft...ie&ar=iesearch"
"DefSearchAss"="http://ie.search.msn...t/srchasst.htm"
"DefSearchCust"="http://ie.search.msn...t/srchcust.htm"
"IgnoreNum"="0"

#23 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 03 September 2006 - 09:13 AM

Are things running better now?
Did you remove Sygate's firewall from add/remove programs?

Can you create another .reg file
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy all the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix2.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Double click on fix2.reg and allow to add/merge to the registry

Reboot your computer
Back in Windows

Open SpywareBlaster 3.5.1, we will have to reeanble it's protections
Click on Protections>>Enable All Protections
When done you can exit

Can you ensure you disable F-Prot's realtime protector temporarily please
try Blacklight one last time
If it still won't work

Can I see if you can run another tool
Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#24 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 04 September 2006 - 03:42 AM

Well...I really don't know if my Real Time Protector is disabled,but Blacklight is still out of order!
This is my Gmer lofile:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-04 11:36:29
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F50A7143

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}
File C:\WINDOWS\teifk1.dll
File C:\WINDOWS\teifk1.upd

---- EOF - GMER 1.0.10 ----

Do I have to keep saved both of the fix.reg files?
Thanks

#25 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 04 September 2006 - 08:13 AM

Do I have to keep saved both of the fix.reg files?

No, you can right click on them and delete them

GMER showed a couple files that we should deal with
Can I see another log from GMER please
This is an instant log, won't take long to scan with
Open Gmer.exe again and click on the AutoStart tab
This time ensure there is a check in SHOW ALL
Click SCAN, when done
Click COPY
Then paste the contents back here please

EDIT>>Could I also get you to make another .bat file
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box , not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as find.bat

Save this file on the desktop

@echo off
cd\
cd C:\Programmi\File comuni\System
dir /a:-d /o:-d > %systemdrive%\find.txt
start %systemdrive%\find.txt
cls
exit
Double click on find.bat, copy>>Paste back here the contents
If it takes more than one reply to post all the above info, do so please

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#26 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 04 September 2006 - 09:25 AM

Gmer logfile:

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-04 16:59:14
Windows 5.1.2600 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session [email protected] = autocheck autochk * /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\[email protected] = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\SYSTEM\CurrentControlSet\Control\[email protected] = %SystemRoot%\system32\ntvdm.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostLogonUI.EXE = LogonUI.EXE

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
[email protected] = crypt32.dll
[email protected] = cryptnet.dll
[email protected] = cscdll.dll
[email protected] = wlnotify.dll
[email protected] = wlnotify.dll
[email protected] = sclgntfy.dll
[email protected] = WlNotify.dll
[email protected] = wlnotify.dll
[email protected] = wlnotify.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs = C:\:ntimaxp.gif

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AudioSrv /*Audio Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Browser /*Browser di computer*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
CryptSvc /*Servizi di crittografia*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
Dhcp /*Client DHCP*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
dmserver /*Gestione dischi logici*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Dnscache /*Client DNS*/@ = %SystemRoot%\System32\svchost.exe -k NetworkService
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
ERSvc /*Servizio di segnalazione errori*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Eventlog /*Registro eventi*/@ = %SystemRoot%\system32\services.exe
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe
helpsvc /*Guida in linea e supporto tecnico*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanserver /*Server*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanworkstation /*Workstation*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
LmHosts /*Helper NetBIOS di TCP/IP*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
PlugPlay /*Plug and Play*/@ = %SystemRoot%\system32\services.exe
PolicyAgent /*Servizi IPSEC*/@ = %SystemRoot%\System32\lsass.exe
ProtectedStorage /*Archiviazione protetta*/@ = %SystemRoot%\system32\lsass.exe
RemoteRegistry /*Registro di sistema remoto*/@ = %SystemRoot%\system32\svchost.exe -k LocalService
RpcSs /*RPC (Remote Procedure Call)*/@ = %SystemRoot%\system32\svchost -k rpcss
SamSs /*Gestione account di protezione (SAM)*/@ = %SystemRoot%\system32\lsass.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
seclogon /*Accesso secondario*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SENS /*Notifica eventi di sistema*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
ShellHWDetection /*Rilevamento hardware shell*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
srservice /*Servizio Ripristino configurazione di sistema*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Themes /*Temi*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
TrkWks /*Manutenzione collegamenti distribuiti client*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
uploadmgr /*Upload Manager*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
W32Time /*Ora di Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WebClient /*WebClient*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
WinIts /*WinIts*/@ = "C:\Programmi\File comuni\System\BMb.exe"
winmgmt /*Strumentazione gestione Windows*/@ = %systemroot%\system32\svchost.exe -k netsvcs

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@EPSON Stylus C62 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
@!ewido"C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized = "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/ = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/
@PcSyncC:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/
@Yahoo! Pager"C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet = "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@PostBootReminder%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@CDBurn%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@WebCheck%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@SysTrayC:\WINDOWS\System32\stobject.dll = C:\WINDOWS\System32\stobject.dll

HKLM\Software\Classes\Folder\shell\open\[email protected] = %SystemRoot%\Explorer.exe /idlist,%I,%L

HKLM\Software\Classes\Folder\shell\explore\[email protected] = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L

HKLM\Software\Classes\ >>>
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" /S
[email protected] = C:\WINDOWS\System32\mshta.exe "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{AEB6717E-7E19-11d0-97EE-00C04FD91972}shell32.dll = shell32.dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{00022613-0000-0000-C000-000000000046} /*Proprietà dei file Multimedia*/mmsys.cpl = mmsys.cpl
@{176d6597-26d3-11d1-b350-080036a75b03} /*Gestore scanner ICM*/icmui.dll = icmui.dll
@{1F2E5C40-9550-11CE-99D2-00AA006E086C} /*Pagina di protezione NTFS*/rshx32.dll = rshx32.dll
@{3EA48300-8CF6-101B-84FB-666CCB9BCD32} /*Pagina di proprietà di Docfile OLE*/docprop.dll = docprop.dll
@{40dd6e20-7c17-11ce-a804-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/%SystemRoot%\System32\themeui.dll = %SystemRoot%\System32\themeui.dll
@{42071712-76d4-11d1-8b24-00a0c9068ff3} /*Estensione scheda video del Pannello di controllo*/deskadp.dll = deskadp.dll
@{42071713-76d4-11d1-8b24-00a0c9068ff3} /*Estensione monitor del Pannello di controllo*/deskmon.dll = deskmon.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{4E40F770-369C-11d0-8922-00A024AB2DBB} /*Pagina di protezione DS*/dssec.dll = dssec.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Pagina compatibilità*/SlayerXP.dll = SlayerXP.dll
@{56117100-C0CD-101B-81E2-00AA004AE837} /*Gestore dati dei ritagli di shell*/shscrap.dll = shscrap.dll
@{59099400-57FF-11CE-BD94-0020AF85B590} /*Estensione copia dischi*/diskcopy.dll = diskcopy.dll
@{59be4990-f85c-11ce-aff7-00aa003ca9f6} /*Estensioni shell per oggetti Rete Microsoft Windows*/ntlanui2.dll = ntlanui2.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*Gestore monitor ICM*/%SystemRoot%\System32\icmui.dll = %SystemRoot%\System32\icmui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*Gestore stampante ICM*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{764BF0E1-F219-11ce-972D-00AA00A14F56} /*Estensioni shell per la compressione dei file*/(null) =
@{77597368-7b15-11d0-a0c2-080036af3f03} /*Estensione shell per la stampante Web*/printui.dll = printui.dll
@{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll = dskquoui.dll
@{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} /*Menu di scelta rapida di crittografia*/(null) =
@{85BBD920-42A0-1069-A2E4-08002B30309D} /*Sincronia file*/syncui.dll = syncui.dll
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di HyperTerminal*/C:\WINDOWS\System32\hticons.dll = C:\WINDOWS\System32\hticons.dll
@{BD84B380-8CA2-1069-AB1D-08000948F534} /*Tipi di carattere*/fontext.dll = fontext.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*Profilo ICC*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} /*Pagina di protezione della stampante*/rshx32.dll = rshx32.dll
@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{f92e8c40-3d33-11d2-b1aa-080036a75b03} /*Display TroubleShoot CPL Extension*/deskperf.dll = deskperf.dll
@{7444C717-39BF-11D1-8CD9-00C04FC29D45} /*Estensione Crypto PKO*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7444C719-39BF-11D1-8CD9-00C04FC29D45} /*Estensione firma crittografata*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7007ACC7-3202-11D1-AAD2-00805FC1270E} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{992CFFA0-F557-101A-88EC-00DD010CCC48} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{E211B736-43FD-11D1-9EFB-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{905667aa-acd6-11d2-8080-00805f6596d2} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{3F953603-1008-4f6e-A73A-04AAC7A992F1} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{83bbcbf3-b28a-4919-a5aa-73027445d672} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{F0152790-D56E-4445-850E-4F3117DB740C} /*Remote Sessions CPL Extension*/C:\WINDOWS\System32\remotepg.dll = C:\WINDOWS\System32\remotepg.dll
@{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Estensione finestra proprietà di aggiornamento automatico*/C:\WINDOWS\System32\wuaueng.dll = C:\WINDOWS\System32\wuaueng.dll
@{60254CA5-953B-11CF-8C96-00AA00B8708C} /*Estensione shell per Windows Script Host*/C:\WINDOWS\System32\wshext.dll = C:\WINDOWS\System32\wshext.dll
@{2206CDB2-19C1-11D1-89E0-00C04FD7A829} /*Microsoft Data Link*/C:\Programmi\File comuni\System\Ole DB\oledb32.dll = C:\Programmi\File comuni\System\Ole DB\oledb32.dll
@{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Icon Handler*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Shell Extension*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{D6277990-4C6A-11CF-8D87-00AA0060F5BF} /*Operazioni pianificate*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{0DF44EAA-FF21-4412-828E-260A8728E7F1} /*Barra delle applicazioni e menu di avvio*/(null) =
@{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} /*Cerca*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} /*Esegui...*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} /*Posta elettronica*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524152} /*Tipi di carattere*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524153} /*Strumenti di amministrazione*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{E4B29F9D-D390-480b-92FD-7DDB47101D71} /*Wav Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{87D62D94-71B3-4b9a-9489-5FE6850DC73E} /*Avi Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{A6FD9E45-6E44-43f9-8644-08598F5A74D9} /*Midi Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{5E6AB780-7743-11CF-A12B-00AA004AE837} /*Barra degli strumenti Microsoft Internet*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{22BF0C20-6DA7-11D0-B373-00A0C9034938} /*Stato del download*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{91EA3F8B-C99B-11d0-9815-00C04FD91972} /*Shell Folder accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6413BA2C-B461-11d1-A18A-080036B11A03} /*Shell Folder 2 accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{F61FFEC1-754F-11d0-80CA-00AA005B4383} /*BandProxy*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7BA4C742-9E81-11CF-99D3-00AA004AE837} /*Microsoft BrowserBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*SearchBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{169A0691-8DF9-11d1-A1C4-00C04FD75D13} /*Ricerca all'interno*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{07798131-AF23-11d1-9111-00A0C98BA67D} /*Ricerca Web*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{AF4F6510-F982-11d0-8595-00AA004CD6D8} /*Utilità opzioni della struttura del Registro di sistema*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{01E04581-4EEE-11d0-BFE9-00AA005B4383} /*&Indirizzo*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{A08C11D2-A228-11d0-825B-00AA005B4383} /*Address EditBox*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2763-6A77-11D0-A535-00C04FD7D062} /*Completamento automatico Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7376D660-C583-11d0-A3A5-00C04FD706EC} /*TridentImageExtractor*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6756A641-DE71-11d0-831B-00AA005B4383} /*Elenco di Completamento automatico MRU*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} /*Elenco di Completamento automatico MRU personalizzato*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7e653215-fa25-46bd-a339-34a2790f3cb7} /*Accessibile*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{acf35015-526e-4230-9596-becbe19f0ac9} /*Indicatore di avanzamento popup*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{E0E11A09-5CB8-4B6C-8332-E00720A168F2} /*Parser della barra degli indirizzi*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2764-6A77-11D0-A535-00C04FD7D062} /*Elenco di Completamento automatico della Cronologia di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{03C036F1-A186-11D0-824A-00AA005B4383} /*Elenco di Completamento automatico di Shell Folder di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2765-6A77-11D0-A535-00C04FD7D062} /*Contenitore dell'elenco di Completamento automatico multiplo Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4E-521C-11D0-B792-00A0C90312E1} /*Shell Band Site Menu*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} /*Shell DeskBarApp*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4C-521C-11D0-B792-00A0C90312E1} /*Shell DeskBar*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4D-521C-11D0-B792-00A0C90312E1} /*Shell Rebar BandSite*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{DD313E04-FEFF-11d1-8ECD-0000F87A470C} /*Assistenza utente*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} /*Impostazioni cartella globale*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{0A89A860-D7B1-11CE-8350-444553540000} /*Shell Automation Inproc Service*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} /*Microsoft Browser Architecture*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/shdocvw.dll = shdocvw.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Servizio Cronologia Url Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*Cronologia*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Hook per la ricerca di URL Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} /*Schermata iniziale applicazioni Internet Explorer 4*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{67EA19A0-CCEF-11d0-8024-00C04FD75D13} /*CDF Extension Copy Hook*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{131A6951-7F78-11D0-A979-00C04FD705A2} /*ISFBand OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{9461b922-3c5a-11d2-bf8b-00c04fb93661} /*Search Assistant OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{EFA24E64-B078-11d0-89E4-00C04FC9E26E} /*Explorer Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\System32\sendmail.dll = C:\WINDOWS\System32\sendmail.dll
@{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\System32\sendmail.dll = C:\WINDOWS\System32\sendmail.dll
@{88C6C381-2E85-11D0-94DE-444553540000} /*Cartella cache ActiveX*/%SystemRoot%\System32\occache.dll = %SystemRoot%\System32\occache.dll
@{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /*WebCheck*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} /*Subscription Mgr*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{F5175861-2688-11d0-9C5E-00AA00A45957} /*Cartella Subscription*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{08165EA0-E946-11CF-9C87-00AA005127ED} /*WebCheckWebCrawler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} /*WebCheckChannelAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} /*TrayAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{7D559C10-9FE9-11d0-93F7-00AA0059CE02} /*Code Download Agent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} /*ConnectionAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{D8BD2030-6FC9-11D0-864F-00AA006809D9} /*PostAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} /*WebCheck SyncMgr Handler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{352EC2B7-8B9A-11D1-B8AE-006008059382} /*Gestione applicazioni shell*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{0B124F8F-91F0-11D1-B8B5-006008059382} /*Enumeratore applicazioni installate*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{CFCCC7A0-A282-11D1-9082-006008059382} /*Darwin App Publisher*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{e84fda7c-1d6a-45f6-b725-cb260c236066} /*Shell Image Verbs*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} /*Shell Image Data Factory*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*GDI + programma di estrazione file in anteprima*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{9DBD2C50-62AD-11d0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{EAB841A0-9550-11cf-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} /*Shell Image Property Handler*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Pubblicazione guidata sul Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Ordinazione di stampe tramite Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Oggetto Pubblicazione guidata sul Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{58f1f272-9240-4f51-b6d4-fd63d1618591} /*Creazione guidata profilo Passport*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{7A9D77BD-5403-11d2-8785-2E0420524153} /*Account utente*/(null) =
@{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} /*Cartella compressa*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{BD472F60-27FA-11cf-B8B4-444553540000} /*Compressed (zipped) Folder Right Drag Handler*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} /*Compressed (zipped) Folder SendTo Target*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{f39a0dc0-9cc8-11d0-a599-00c04fd64433} /*File del canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} /*Collegamento al canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} /*Channel Handler Object*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3da0dc0-9cc8-11d0-a599-00c04fd64437} /*Channel Menu*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} /*Channel Properties*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{63da6ec0-2e98-11cf-8d82-444553540000} /*FTP Folders Webview*/C:\WINDOWS\System32\msieftp.dll = C:\WINDOWS\System32\msieftp.dll
@{883373C3-BF89-11D1-BE35-080036B11A03} /*Microsoft DocProp Shell Ext*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{A9CF0EAE-901A-4739-A481-E35B73E47F6D} /*Microsoft DocProp Inplace Edit Box Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{8EE97210-FD1F-4B19-91DA-67914005F020} /*Microsoft DocProp Inplace ML Edit Box Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} /*Microsoft DocProp Inplace Droplist Combo Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{6A205B57-2567-4A2C-B881-F787FAB579A3} /*Microsoft DocProp Inplace Calendar Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} /*Microsoft DocProp Inplace Time Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{8A23E65E-31C2-11d0-891C-00A024AB2DBB} /*Directory Query UI*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} /*Directory Object Find*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{F020E586-5264-11d1-A532-0000F8757D7E} /*Directory Start/Search Find*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{0D45D530-764B-11d0-A1CA-00AA00C16E65} /*Directory Property UI*/%SystemRoot%\System32\dsuiext.dll = %SystemRoot%\System32\dsuiext.dll
@{62AE1F9A-126A-11D0-A14B-0800361B1103} /*Directory Context Menu Verbs*/%SystemRoot%\System32\dsuiext.dll = %SystemRoot%\System32\dsuiext.dll
@{ECF03A33-103D-11d2-854D-006008059367} /*MyDocs Copy Hook*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{ECF03A32-103D-11d2-854D-006008059367} /*MyDocs Drop Target*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{4a7ded0a-ad25-11d0-98a8-0800361b1103} /*MyDocs Properties*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{750fdf0e-2a26-11d1-a3ea-080036587f03} /*Offline Files Menu*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{10CFC467-4392-11d2-8DB4-00C04FA31A66} /*Offline Files Folder Options*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} /*Cartella file non in linea*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{143A62C8-C33B-11D1-84FE-00C04FA34A14} /*Microsoft Agent Character Property Sheet Handler*/C:\WINDOWS\msagent\agentpsh.dll = C:\WINDOWS\msagent\agentpsh.dll
@{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} /*DfsShell*/C:\WINDOWS\System32\dfsshlex.dll = C:\WINDOWS\System32\dfsshlex.dll
@{60fd46de-f830-4894-a628-6fa81bc0190d} /*%DESC_PublishDropTarget%*/%SystemRoot%\System32\photowiz.dll = %SystemRoot%\System32\photowiz.dll
@{7A80E4A8-8005-11D2-BCF8-00C04F72C717} /*MMC Icon Handler*/%SystemRoot%\System32\mmcshext.dll = %SystemRoot%\System32\mmcshext.dll
@{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} /*.CAB file viewer*/cabview.dll = cabview.dll
@{32714800-2E5F-11d0-8B85-00AA0044F941} /*&Contatti...*/C:\Programmi\Outlook Express\wabfind.dll = C:\Programmi\Outlook Express\wabfind.dll
@{8DD448E6-C188-4aed-AF92-44956194EB1F} /*Windows Media Player Play as Playlist Context Menu Handler*/C:\WINDOWS\System32\wmpshell.dll = C:\WINDOWS\System32\wmpshell.dll
@{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} /*Windows Media Player Burn Audio CD Context Menu Handler*/C:\WINDOWS\System32\wmpshell.dll = C:\WINDOWS\System32\wmpshell.dll
@{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} /*Windows Media Player Add to Playlist Context Menu Handler*/C:\WINDOWS\System32\wmpshell.dll = C:\WINDOWS\System32\wmpshell.dll
@{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{1D2680C9-0E2A-469d-B787-065558BC7D43} /*Fusion Cache*/C:\WINDOWS\system32\mscoree.dll = C:\WINDOWS\system32\mscoree.dll
@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} /*FRISK extension*/C:\Programmi\FSI\F-Prot\shexthk.dll = C:\Programmi\FSI\F-Prot\shexthk.dll
@{E443A8D5-D905-4401-8789-16AE23A8A96D} /*FRISK extension*/C:\Programmi\FSI\F-Prot\shexthk.dll = C:\Programmi\FSI\F-Prot\shexthk.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{640167b4-59b0-47a6-b335-a6b3c0695aea} /*Portable Media Devices*/%SystemRoot%\System32\Audiodev.dll = %SystemRoot%\System32\Audiodev.dll
@{cc86590a-b60a-48e6-996b-41d25ed39a1e} /*Portable Media Devices Menu*/%SystemRoot%\System32\Audiodev.dll = %SystemRoot%\System32\Audiodev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} /*PhoneBrowser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\[email protected]{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ewido [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
Offline [email protected]{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Open [email protected]{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
Open With [email protected]{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\[email protected]{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} = %SystemRoot%\system32\SHELL32.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
[email protected]{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
ewido [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
[email protected]{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} = C:\Programmi\FSI\F-Prot\shexthk.dll
Offline [email protected]{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
[email protected]{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
@{9394EDE7-C8B5-483E-8773-474BF36AF6E4}C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll = C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar1.dll = c:\programmi\google\googletoolbar1.dll
@{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll = C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll

HKCU\Control Panel\[email protected] = C:\WINDOWS\System32\ssstars.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft...p...&ar=msnhome
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.msn.it/ = http://www.msn.it/
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/[email protected] = C:\WINDOWS\System32\mscoree.dll
application/[email protected] = C:\WINDOWS\System32\mscoree.dll
application/[email protected] = C:\WINDOWS\System32\mscoree.dll
Class Install [email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
text/[email protected] = %SystemRoot%\system32\SHELL32.dll

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\System32\msvidctl.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = %SystemRoot%\System32\inetcomm.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\System32\msvidctl.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\System32\msdxm.ocx
[email protected] = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\[email protected] =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{346CE3E6-CEFF-487D-8062-41622532CFC9} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress90.0.0.100 = 90.0.0.100
@NameServer212.216.172.62,212.216.172.162 = 212.216.172.62,212.216.172.162
@DefaultGateway90.0.0.1 = 90.0.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
[email protected] = %SystemRoot%\System32\mswsock.dll
[email protected] = %SystemRoot%\System32\winrnr.dll
[email protected] = %SystemRoot%\System32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\rsvpsp.dll
[email protected] = %SystemRoot%\system32\rsvpsp.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\[email protected] = %SystemRoot%\system32\mswsock.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----


Find.bat logfile:

Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: 3C7A-1113

Directory di C:\Programmi\File comuni\System

04/09/2006 17.09 101.376 IWmD.exe
21/08/2006 16.10 135.168 SYSTEM.MDW
02/03/2004 13.43 463.360 WAB32.DLL
23/10/2002 16.44 75.776 DIRECTDB.DLL
09/09/2002 15.48 254.464 wab32res.dll
03/03/2000 15.37 119.504 SNAPVIEW.OCX
6 File 1.149.648 byte
0 Directory 33.348.796.416 byte disponibili

#27 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 04 September 2006 - 09:52 AM

Good work, that uncovered some problems
can I just check on a couple things
Then we'll fix this thing

Go to either of these links
http://www.virustota...h/index_en.html
OR
http://virusscan.jotti.org/
OR
Virus.org

Use the browse button and navigate to these files on your harddrive
C:\:ntimaxp.gif
C:\Programmi\File comuni\System\IWmD.exe
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

Also, can you create one more .bat file :)
This time name it find2.bat

Copy>>paste the code box contents to it
regedit /e Export.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIts"

Double click on it, post back the contents

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#28 Blake22

Blake22

    Newbie

  • Newbie
  • Pip
  • 3 posts

Posted 04 September 2006 - 10:11 AM

REMOVED
Please don't jump into this thread

Do you need a hand with something?
By indication of this post
http://www.thetechgu...h...c=41072&hl=
You may have malware on your computer

Can you start your own post in this forum and supply your own hijackthis log please
Here's the instructions
From my signature below, download and save too a permanent folder of it's own onto your harddrive
Hijackthis 1.99.1
Open Hijackthis.exe

Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log back to the forum in your own topic.. Don't try and fix anything yet----It is all important

Edited by guestolo, 04 September 2006 - 10:18 AM.


#29 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 04 September 2006 - 10:17 AM

Blake22, I've edited your reply to this thread
See above for details

For Joy, just to ensure you seen my last reply to you, I'll post it again

Good work, that uncovered some problems
can I just check on a couple things
Then we'll fix this thing

Go to either of these links
http://www.virustota...h/index_en.html
OR
http://virusscan.jotti.org/
OR
Virus.org

Use the browse button and navigate to these files on your harddrive
C:\:ntimaxp.gif
C:\Programmi\File comuni\System\IWmD.exe
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

Also, can you create one more .bat file :)
This time name it find2.bat

Copy>>paste the code box contents to it

regedit /e Export.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIts"

Double click on it, post back the contents

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#30 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 05 September 2006 - 03:22 AM

First of all...I didn't find this file:
C:\:ntimaxp.gif

I didn't find this second file C:\Programmi\File comuni\System\IWmD.exe, bur I know why...It was in my PC yesterday, today it has another name...So I checked this two strange files found in the same place of the one you told me to scan:

STATUS: FINISHEDComplete scanning result of "CrW.exe", received in VirusTotal at 09.05.2006, 10:57:25 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709


STATUS: FINISHEDComplete scanning result of "slrT.exe", received in VirusTotal at 09.05.2006, 11:00:32 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

Another site you told me says for both files:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

The two files, "CrW.exe" and "slrT.exe",are written in green,I don't know why, but it's strange and continually change names...
thyanks for now...
Bye


Oh...find2.bat didn't produce any log to post you back...I saw a prompt box while find2.bat was running,but at the end it didn't produce any file\log or text to send to you!

Bye

#31 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 05 September 2006 - 08:03 AM

Thanks for the info
I'm just on my way to work
In the meantime

Let's try the following
Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard


Files to delete:
C:\:ntimaxp.gif
C:\Programmi\File comuni\System\BMb.exe
C:\Programmi\File comuni\System\CrW.exe
C:\Programmi\File comuni\System\slrT.exe
C:\WINDOWS\teifk1.dll
C:\WINDOWS\teifk1.upd

registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIts




Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows

Can you post the following
1. Post a fresh hijackthis log
2. Double click on find.bat again and post the contents

Again, can you try to run Blacklight, if it won't run, try running Debug.bat in the NTRights folder you downloaded earlier and then try it again please
If it will run, post the log from it

Note to self: Use
Drivers to Unload: with Avenger concerning this entry
registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIts
My mistake

Edited by guestolo, 16 September 2006 - 02:37 PM.

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#32 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 06 September 2006 - 02:21 AM

Well...finally i'm here
Something strange happened...All the icons on my desktop disappeared for two days,the only thing I was able to open was the Task Manager box...And from there I rebooted my Pc and restore from the 3 of September,so now I don't know if all the things you told me to do are done!
I was so scared that I did this kind of repair!
Now I rebooted my pc and a Windows box says that "the Disk is not present,impossible to find.Insert a disk in the unit A:"
What should I do???
I'm really warried!

#33 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 06 September 2006 - 02:37 AM

I rebooted the computer and the Windows box doesn't appear anymore...But another box appeared and tell me that a peripheric linked to the system is not working (I don't know if the translation is right...I hope you understand).
In any case I post you a fresh HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10.34.45, on 06/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe

Help me please...
And sorry if I destroyed all your past work...but I was scared by the disappearing of all the icons and Windows tab from the desktop...I hope I did nothing wrong...I wasn't able to get to internet too...
sorry.... :(

#34 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 06 September 2006 - 07:51 AM

Just on my way to work again
That is strange
Did this happen After you did my last set of instructions?

Can you do the following for me please
Download WPFind.zip

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode
copy/paste the whole contents of c:\WinPFind\WinPFind.txt <-this file back here

Also,
Open GMER.exe and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Also, In Gmer
Can you again, click on the AutoStart tab
This time ensure there is a check in SHOW ALL
Click SCAN, when done
Click COPY
Then paste the contents back here please

It may take more than one reply to post back all the info

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#35 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 06 September 2006 - 09:57 AM

Here I am...

WinPFind logfile:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 06/09/2006 17.42.08
WinPFind v1.5.0 Folder = C:\WinPFind\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 21/12/1999 7.58.02 21312 C:\WINDOWS\choice.exe ()

Items found in C:\WINDOWS\hosts

UPX! 15/05/2003 3.35.58 1114744 C:\WINDOWS\screengenie.scr (XMLAuthor Inc.)

Checking %System% folder...
UPX! 06/02/2003 22.49.32 726016 C:\WINDOWS\SYSTEM32\beegd10.ocx (Stinga)
UPX! 06/07/2000 0.03.36 29184 C:\WINDOWS\SYSTEM32\clsncx22.dll (Summit Software Company)
UPX! 06/07/2000 0.16.52 16384 C:\WINDOWS\SYSTEM32\clsnol22.dll (Summit Software Company)
UPX! 06/07/2000 0.02.38 48128 C:\WINDOWS\SYSTEM32\clsnpb22.dll (Summit Software Company)
UPX! 06/07/2000 0.16.36 226816 C:\WINDOWS\SYSTEM32\clsnrn22.dll (Summit Software Company)
PEC2 31/08/2001 16.00.00 41144 C:\WINDOWS\SYSTEM32\dfrg.msc ()
UPX! 24/05/2003 0.04.24 313344 C:\WINDOWS\SYSTEM32\GnucDNA.dll (John Marshall)
UPX! 15/05/2003 3.35.36 134776 C:\WINDOWS\SYSTEM32\mfimage.dll (XMLAuthor Inc.)
UPX! 15/05/2003 3.35.48 33912 C:\WINDOWS\SYSTEM32\npmirage.dll (XMLAuthor Inc.)
WSUD 31/08/2001 16.00.00 1156096 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
WSUD 31/08/2001 16.00.00 258048 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 09/09/2002 15.51.08 648704 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 31/08/2001 16.00.00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
UPX! 15/05/2003 3.35.58 1114744 C:\WINDOWS\SYSTEM32\xmforgert.exe (XMLAuthor Inc.)
UPX! 15/05/2003 3.36.06 133752 C:\WINDOWS\SYSTEM32\xmirage.ocx (XMLAuthor Inc.)

Checking %System%\Drivers folder and sub-folders...
aspack 10/02/2004 16.37.24 319652 C:\WINDOWS\SYSTEM32\drivers\FSTOPW.sys (Frisk Software International - www.f-prot.com)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
06/09/2006 17.40.30 S 2048 C:\WINDOWS\bootstat.dat ()
03/09/2006 13.00.52 H 8628 C:\WINDOWS\Help\netcfg.GID ()
06/09/2006 17.40.22 H 8192 C:\WINDOWS\system32\config\default.LOG ()
06/09/2006 17.40.42 H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
06/09/2006 17.40.32 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG ()
06/09/2006 17.47.42 H 77824 C:\WINDOWS\system32\config\software.LOG ()
06/09/2006 17.40.30 H 778240 C:\WINDOWS\system32\config\system.LOG ()
27/08/2006 14.42.44 HS 67 C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\desktop.ini ()
06/09/2006 10.15.32 HS 67 C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\05EVS5EN\desktop.ini ()
06/09/2006 10.15.32 HS 67 C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\4XMFOPYV\desktop.ini ()
06/09/2006 10.15.32 HS 67 C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\K1Y3W1QB\desktop.ini ()
06/09/2006 10.15.32 HS 67 C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\MZIHENG3\desktop.ini ()
06/09/2006 17.38.58 H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
31/08/2001 16.00.00 68096 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
29/05/2003 11.52.00 583168 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
09/09/2002 15.51.44 132096 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
31/08/2001 16.00.00 151040 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
09/09/2002 15.51.44 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
09/09/2002 15.51.44 124928 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
09/09/2002 15.51.44 66560 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
10/11/2005 14.03.50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
31/08/2001 16.00.00 188928 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
31/08/2001 16.00.00 564736 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
31/08/2001 16.00.00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
31/08/2001 16.00.00 258048 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
31/08/2001 16.00.00 37376 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
31/08/2001 16.00.00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
31/08/2001 16.00.00 111616 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
09/09/2002 15.51.44 271360 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
31/08/2001 16.00.00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
31/08/2001 16.00.00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
31/08/2001 16.00.00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
29/05/2003 11.52.00 583168 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
09/09/2002 15.51.44 132096 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
31/08/2001 16.00.00 151040 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
09/09/2002 15.51.44 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
09/09/2002 15.51.44 124928 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
09/09/2002 15.51.44 66560 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
31/08/2001 16.00.00 188928 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
31/08/2001 16.00.00 564736 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
31/08/2001 16.00.00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
31/08/2001 16.00.00 258048 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
31/08/2001 16.00.00 37376 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
31/08/2001 16.00.00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
31/08/2001 16.00.00 111616 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
09/09/2002 15.51.44 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
09/09/2002 15.51.44 271360 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
31/08/2001 16.00.00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
31/08/2001 16.00.00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com...ex/qtplugin.cab
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky...can_unicode.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.micros...ontent/opuc.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.micros...b?1130251960698
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - Update Class - CodeBase = http://v4.windowsupd...8173.5024652778
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn...pdownloader.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zon...ro.cab32846.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.ma...ent/swflash.cab
{EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} - Microsoft Search Settings Control - CodeBase = http://lg.home.micro...rchsettings.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
09/05/2005 10.45.32 951 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.lnk ()
30/08/2005 9.50.16 1654 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Alice ti aiuta.lnk ()
29/06/2006 18.46.42 1737 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk ()
05/07/2004 20.40.18 HS 84 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()
15/03/2006 12.35.08 1739 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk ()
13/04/2006 15.09.32 1498 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\WinZip Quick Pick.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
05/07/2004 21.25.54 HS 62 C:\Documents and Settings\All Users\Dati applicazioni\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
05/07/2004 20.40.18 HS 84 C:\Documents and Settings\Giorgia\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
05/07/2004 21.25.54 HS 62 C:\Documents and Settings\Giorgia\Dati applicazioni\desktop.ini ()
29/07/2004 15.06.54 0 C:\Documents and Settings\Giorgia\Dati applicazioni\dm.ini ()
05/09/2005 9.39.26 19544 C:\Documents and Settings\Giorgia\Dati applicazioni\GDIPFONTCACHEV1.DAT ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Search Page -
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - C:\WINDOWS\SYSTEM32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.msn.it/
\\Search Bar - http://home.microsof...obby/search.asp
\\Search Page - http://home.microsof...ss/allinone.asp
\\Local Page - C:\WINDOWS\SYSTEM32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://ie.search.msn...st/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
\\SearchAssistant - http://ie.search.msn...st/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Hook per la ricerca di URL Microsoft = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
\{9394EDE7-C8B5-483E-8773-474BF36AF6E4} - ST = C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
\{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\programmi\google\googletoolbar1.dll (Google Inc.)
\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSNToolBandBHO = C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll (Microsoft Corporation)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - = ()
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Suggerimenti = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{30D02401-6A81-11D0-8274-00C04FD5AE38} - SearchBand = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - = ()
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Indirizzo = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - Co&llegamenti = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\ShellBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} - = ()
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Indirizzo = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\programmi\google\googletoolbar1.dll (Google Inc.)
\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll (Microsoft Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar = ()
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - Co&llegamenti = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{A75C6120-9B36-11d4-A3F0-009027427750} - 0 =
\\NEXTID - 3
\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - 1 = Yahoo! Messenger
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 2 = Sun Java Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - ButtonText: Yahoo! Messenger = C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Estensione panoramica video del Pannello di controllo = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Estensioni shell per la compressione dei file = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Menu di scelta rapida di crittografia = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - Estensione di icona di HyperTerminal = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Barra delle applicazioni e menu di avvio = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - Account utente = ()
\\{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} - FRISK extension = C:\Programmi\FSI\F-Prot\shexthk.dll ()
\\{E443A8D5-D905-4401-8789-16AE23A8A96D} - FRISK extension = C:\Programmi\FSI\F-Prot\shexthk.dll ()
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = ()
\\{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} - PhoneBrowser = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll (Nokia)
\\{FBFE7864-D495-41f0-B7DC-4BB601CC295E} - Contact View = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll (Nokia)
\\{C0C4375A-5B72-4efe-929D-3B848C3A1E91} - Message View = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll (Nokia)
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\FRISK - {1474F601-9B4B-4EB0-81FA-20F753C0E1A4} = C:\Programmi\FSI\F-Prot\shexthk.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Cmaudio - RunDll32 cmicnfg.cpl ()
F-StopW - C:\Programmi\FSI\F-Prot\F-StopW.EXE (Frisk Software International)
FRISK FP-Scheduler - C:\Programmi\FSI\F-Prot\F-Sched.exe (FRISK Software International)
EPSON Stylus C62 Series - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE (SEIKO EPSON CORPORATION)
!ewido - C:\Programmi\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)
MSConfig - C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr - C:\Programmi\MSN Messenger\MsnMsgr.Exe ()
PcSync - C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
Yahoo! Pager - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe (Motive Communications, Inc.)
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\WinZip Quick Pick.lnk - C:\Programmi\WinZip\WZQKPICK.EXE (WinZip Computing LP)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Giorgia\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\E-nrgyPlus - |

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - Hook per l'esecuzione degli URL = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{346CE3E6-CEFF-487D-8062-41622532CFC9} - 212.216.172.62,212.216.172.162 (3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX))
{41827364-1C22-44FE-B3FC-A233321B22F1} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#36 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 06 September 2006 - 10:21 AM

Gmer Rootkit logfile:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-06 18:16:29
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}
File C:\WINDOWS\teifk1.dll
File C:\WINDOWS\teifk1.upd

---- EOF - GMER 1.0.10 ----


Gmer Autostart logfile:

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-06 18:17:41
Windows 5.1.2600 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session [email protected] = autocheck autochk * /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\[email protected] = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\SYSTEM\CurrentControlSet\Control\[email protected] = %SystemRoot%\system32\ntvdm.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostLogonUI.EXE = LogonUI.EXE

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
[email protected] = crypt32.dll
[email protected] = cryptnet.dll
[email protected] = cscdll.dll
[email protected] = wlnotify.dll
[email protected] = wlnotify.dll
[email protected] = sclgntfy.dll
[email protected] = WlNotify.dll
[email protected] = wlnotify.dll
[email protected] = wlnotify.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs = C:\:ntimaxp.gif

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AudioSrv /*Audio Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Browser /*Browser di computer*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
CryptSvc /*Servizi di crittografia*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
Dhcp /*Client DHCP*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
dmserver /*Gestione dischi logici*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Dnscache /*Client DNS*/@ = %SystemRoot%\System32\svchost.exe -k NetworkService
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
ERSvc /*Servizio di segnalazione errori*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Eventlog /*Registro eventi*/@ = %SystemRoot%\system32\services.exe
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe
helpsvc /*Guida in linea e supporto tecnico*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanserver /*Server*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanworkstation /*Workstation*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
LmHosts /*Helper NetBIOS di TCP/IP*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
PlugPlay /*Plug and Play*/@ = %SystemRoot%\system32\services.exe
PolicyAgent /*Servizi IPSEC*/@ = %SystemRoot%\System32\lsass.exe
ProtectedStorage /*Archiviazione protetta*/@ = %SystemRoot%\system32\lsass.exe
RemoteRegistry /*Registro di sistema remoto*/@ = %SystemRoot%\system32\svchost.exe -k LocalService
RpcSs /*RPC (Remote Procedure Call)*/@ = %SystemRoot%\system32\svchost -k rpcss
SamSs /*Gestione account di protezione (SAM)*/@ = %SystemRoot%\system32\lsass.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
seclogon /*Accesso secondario*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SENS /*Notifica eventi di sistema*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
ShellHWDetection /*Rilevamento hardware shell*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
srservice /*Servizio Ripristino configurazione di sistema*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Themes /*Temi*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
TrkWks /*Manutenzione collegamenti distribuiti client*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
uploadmgr /*Upload Manager*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
W32Time /*Ora di Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WebClient /*WebClient*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
WinIts /*WinIts*/@ = "C:\Programmi\File comuni\System\xXrd.exe"
winmgmt /*Strumentazione gestione Windows*/@ = %systemroot%\system32\svchost.exe -k netsvcs

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@F-StopWC:\Programmi\FSI\F-Prot\F-StopW.EXE = C:\Programmi\FSI\F-Prot\F-StopW.EXE
@FRISK FP-SchedulerC:\Programmi\FSI\F-Prot\F-Sched.exe = C:\Programmi\FSI\F-Prot\F-Sched.exe
@EPSON Stylus C62 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
@!ewido"C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized = "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/ = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/
@PcSyncC:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/
@Yahoo! Pager"C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet = "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@PostBootReminder%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@CDBurn%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@WebCheck%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@SysTrayC:\WINDOWS\System32\stobject.dll = C:\WINDOWS\System32\stobject.dll

HKLM\Software\Classes\Folder\shell\open\[email protected] = %SystemRoot%\Explorer.exe /idlist,%I,%L

HKLM\Software\Classes\Folder\shell\explore\[email protected] = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L

HKLM\Software\Classes\ >>>
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" %*
[email protected] = "%1" /S
[email protected] = C:\WINDOWS\System32\mshta.exe "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{AEB6717E-7E19-11d0-97EE-00C04FD91972}shell32.dll = shell32.dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{00022613-0000-0000-C000-000000000046} /*Proprietà dei file Multimedia*/mmsys.cpl = mmsys.cpl
@{176d6597-26d3-11d1-b350-080036a75b03} /*Gestore scanner ICM*/icmui.dll = icmui.dll
@{1F2E5C40-9550-11CE-99D2-00AA006E086C} /*Pagina di protezione NTFS*/rshx32.dll = rshx32.dll
@{3EA48300-8CF6-101B-84FB-666CCB9BCD32} /*Pagina di proprietà di Docfile OLE*/docprop.dll = docprop.dll
@{40dd6e20-7c17-11ce-a804-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/%SystemRoot%\System32\themeui.dll = %SystemRoot%\System32\themeui.dll
@{42071712-76d4-11d1-8b24-00a0c9068ff3} /*Estensione scheda video del Pannello di controllo*/deskadp.dll = deskadp.dll
@{42071713-76d4-11d1-8b24-00a0c9068ff3} /*Estensione monitor del Pannello di controllo*/deskmon.dll = deskmon.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{4E40F770-369C-11d0-8922-00A024AB2DBB} /*Pagina di protezione DS*/dssec.dll = dssec.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Pagina compatibilità*/SlayerXP.dll = SlayerXP.dll
@{56117100-C0CD-101B-81E2-00AA004AE837} /*Gestore dati dei ritagli di shell*/shscrap.dll = shscrap.dll
@{59099400-57FF-11CE-BD94-0020AF85B590} /*Estensione copia dischi*/diskcopy.dll = diskcopy.dll
@{59be4990-f85c-11ce-aff7-00aa003ca9f6} /*Estensioni shell per oggetti Rete Microsoft Windows*/ntlanui2.dll = ntlanui2.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*Gestore monitor ICM*/%SystemRoot%\System32\icmui.dll = %SystemRoot%\System32\icmui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*Gestore stampante ICM*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{764BF0E1-F219-11ce-972D-00AA00A14F56} /*Estensioni shell per la compressione dei file*/(null) =
@{77597368-7b15-11d0-a0c2-080036af3f03} /*Estensione shell per la stampante Web*/printui.dll = printui.dll
@{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll = dskquoui.dll
@{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} /*Menu di scelta rapida di crittografia*/(null) =
@{85BBD920-42A0-1069-A2E4-08002B30309D} /*Sincronia file*/syncui.dll = syncui.dll
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di HyperTerminal*/C:\WINDOWS\System32\hticons.dll = C:\WINDOWS\System32\hticons.dll
@{BD84B380-8CA2-1069-AB1D-08000948F534} /*Tipi di carattere*/fontext.dll = fontext.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*Profilo ICC*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} /*Pagina di protezione della stampante*/rshx32.dll = rshx32.dll
@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{f92e8c40-3d33-11d2-b1aa-080036a75b03} /*Display TroubleShoot CPL Extension*/deskperf.dll = deskperf.dll
@{7444C717-39BF-11D1-8CD9-00C04FC29D45} /*Estensione Crypto PKO*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7444C719-39BF-11D1-8CD9-00C04FC29D45} /*Estensione firma crittografata*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7007ACC7-3202-11D1-AAD2-00805FC1270E} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{992CFFA0-F557-101A-88EC-00DD010CCC48} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{E211B736-43FD-11D1-9EFB-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{905667aa-acd6-11d2-8080-00805f6596d2} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{3F953603-1008-4f6e-A73A-04AAC7A992F1} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{83bbcbf3-b28a-4919-a5aa-73027445d672} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{F0152790-D56E-4445-850E-4F3117DB740C} /*Remote Sessions CPL Extension*/C:\WINDOWS\System32\remotepg.dll = C:\WINDOWS\System32\remotepg.dll
@{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Estensione finestra proprietà di aggiornamento automatico*/C:\WINDOWS\System32\wuaueng.dll = C:\WINDOWS\System32\wuaueng.dll
@{60254CA5-953B-11CF-8C96-00AA00B8708C} /*Estensione shell per Windows Script Host*/C:\WINDOWS\System32\wshext.dll = C:\WINDOWS\System32\wshext.dll
@{2206CDB2-19C1-11D1-89E0-00C04FD7A829} /*Microsoft Data Link*/C:\Programmi\File comuni\System\Ole DB\oledb32.dll = C:\Programmi\File comuni\System\Ole DB\oledb32.dll
@{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Icon Handler*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Shell Extension*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{D6277990-4C6A-11CF-8D87-00AA0060F5BF} /*Operazioni pianificate*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{0DF44EAA-FF21-4412-828E-260A8728E7F1} /*Barra delle applicazioni e menu di avvio*/(null) =
@{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} /*Cerca*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} /*Esegui...*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} /*Posta elettronica*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524152} /*Tipi di carattere*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524153} /*Strumenti di amministrazione*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{E4B29F9D-D390-480b-92FD-7DDB47101D71} /*Wav Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{87D62D94-71B3-4b9a-9489-5FE6850DC73E} /*Avi Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{A6FD9E45-6E44-43f9-8644-08598F5A74D9} /*Midi Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{5E6AB780-7743-11CF-A12B-00AA004AE837} /*Barra degli strumenti Microsoft Internet*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{22BF0C20-6DA7-11D0-B373-00A0C9034938} /*Stato del download*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{91EA3F8B-C99B-11d0-9815-00C04FD91972} /*Shell Folder accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6413BA2C-B461-11d1-A18A-080036B11A03} /*Shell Folder 2 accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{F61FFEC1-754F-11d0-80CA-00AA005B4383} /*BandProxy*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7BA4C742-9E81-11CF-99D3-00AA004AE837} /*Microsoft BrowserBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*SearchBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{169A0691-8DF9-11d1-A1C4-00C04FD75D13} /*Ricerca all'interno*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{07798131-AF23-11d1-9111-00A0C98BA67D} /*Ricerca Web*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{AF4F6510-F982-11d0-8595-00AA004CD6D8} /*Utilità opzioni della struttura del Registro di sistema*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{01E04581-4EEE-11d0-BFE9-00AA005B4383} /*&Indirizzo*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{A08C11D2-A228-11d0-825B-00AA005B4383} /*Address EditBox*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2763-6A77-11D0-A535-00C04FD7D062} /*Completamento automatico Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7376D660-C583-11d0-A3A5-00C04FD706EC} /*TridentImageExtractor*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6756A641-DE71-11d0-831B-00AA005B4383} /*Elenco di Completamento automatico MRU*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} /*Elenco di Completamento automatico MRU personalizzato*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7e653215-fa25-46bd-a339-34a2790f3cb7} /*Accessibile*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{acf35015-526e-4230-9596-becbe19f0ac9} /*Indicatore di avanzamento popup*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{E0E11A09-5CB8-4B6C-8332-E00720A168F2} /*Parser della barra degli indirizzi*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2764-6A77-11D0-A535-00C04FD7D062} /*Elenco di Completamento automatico della Cronologia di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{03C036F1-A186-11D0-824A-00AA005B4383} /*Elenco di Completamento automatico di Shell Folder di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2765-6A77-11D0-A535-00C04FD7D062} /*Contenitore dell'elenco di Completamento automatico multiplo Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4E-521C-11D0-B792-00A0C90312E1} /*Shell Band Site Menu*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} /*Shell DeskBarApp*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4C-521C-11D0-B792-00A0C90312E1} /*Shell DeskBar*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4D-521C-11D0-B792-00A0C90312E1} /*Shell Rebar BandSite*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{DD313E04-FEFF-11d1-8ECD-0000F87A470C} /*Assistenza utente*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} /*Impostazioni cartella globale*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{0A89A860-D7B1-11CE-8350-444553540000} /*Shell Automation Inproc Service*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} /*Microsoft Browser Architecture*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/shdocvw.dll = shdocvw.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Servizio Cronologia Url Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*Cronologia*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Hook per la ricerca di URL Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} /*Schermata iniziale applicazioni Internet Explorer 4*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{67EA19A0-CCEF-11d0-8024-00C04FD75D13} /*CDF Extension Copy Hook*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{131A6951-7F78-11D0-A979-00C04FD705A2} /*ISFBand OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{9461b922-3c5a-11d2-bf8b-00c04fb93661} /*Search Assistant OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{EFA24E64-B078-11d0-89E4-00C04FC9E26E} /*Explorer Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\System32\sendmail.dll = C:\WINDOWS\System32\sendmail.dll
@{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\System32\sendmail.dll = C:\WINDOWS\System32\sendmail.dll
@{88C6C381-2E85-11D0-94DE-444553540000} /*Cartella cache ActiveX*/%SystemRoot%\System32\occache.dll = %SystemRoot%\System32\occache.dll
@{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /*WebCheck*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} /*Subscription Mgr*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{F5175861-2688-11d0-9C5E-00AA00A45957} /*Cartella Subscription*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{08165EA0-E946-11CF-9C87-00AA005127ED} /*WebCheckWebCrawler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} /*WebCheckChannelAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} /*TrayAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{7D559C10-9FE9-11d0-93F7-00AA0059CE02} /*Code Download Agent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} /*ConnectionAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{D8BD2030-6FC9-11D0-864F-00AA006809D9} /*PostAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} /*WebCheck SyncMgr Handler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{352EC2B7-8B9A-11D1-B8AE-006008059382} /*Gestione applicazioni shell*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{0B124F8F-91F0-11D1-B8B5-006008059382} /*Enumeratore applicazioni installate*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{CFCCC7A0-A282-11D1-9082-006008059382} /*Darwin App Publisher*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{e84fda7c-1d6a-45f6-b725-cb260c236066} /*Shell Image Verbs*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} /*Shell Image Data Factory*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*GDI + programma di estrazione file in anteprima*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{9DBD2C50-62AD-11d0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{EAB841A0-9550-11cf-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} /*Shell Image Property Handler*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Pubblicazione guidata sul Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Ordinazione di stampe tramite Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Oggetto Pubblicazione guidata sul Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{58f1f272-9240-4f51-b6d4-fd63d1618591} /*Creazione guidata profilo Passport*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{7A9D77BD-5403-11d2-8785-2E0420524153} /*Account utente*/(null) =
@{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} /*Cartella compressa*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{BD472F60-27FA-11cf-B8B4-444553540000} /*Compressed (zipped) Folder Right Drag Handler*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} /*Compressed (zipped) Folder SendTo Target*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{f39a0dc0-9cc8-11d0-a599-00c04fd64433} /*File del canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} /*Collegamento al canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} /*Channel Handler Object*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3da0dc0-9cc8-11d0-a599-00c04fd64437} /*Channel Menu*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} /*Channel Properties*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{63da6ec0-2e98-11cf-8d82-444553540000} /*FTP Folders Webview*/C:\WINDOWS\System32\msieftp.dll = C:\WINDOWS\System32\msieftp.dll
@{883373C3-BF89-11D1-BE35-080036B11A03} /*Microsoft DocProp Shell Ext*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{A9CF0EAE-901A-4739-A481-E35B73E47F6D} /*Microsoft DocProp Inplace Edit Box Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{8EE97210-FD1F-4B19-91DA-67914005F020} /*Microsoft DocProp Inplace ML Edit Box Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} /*Microsoft DocProp Inplace Droplist Combo Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{6A205B57-2567-4A2C-B881-F787FAB579A3} /*Microsoft DocProp Inplace Calendar Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} /*Microsoft DocProp Inplace Time Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{8A23E65E-31C2-11d0-891C-00A024AB2DBB} /*Directory Query UI*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} /*Directory Object Find*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{F020E586-5264-11d1-A532-0000F8757D7E} /*Directory Start/Search Find*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{0D45D530-764B-11d0-A1CA-00AA00C16E65} /*Directory Property UI*/%SystemRoot%\System32\dsuiext.dll = %SystemRoot%\System32\dsuiext.dll
@{62AE1F9A-126A-11D0-A14B-0800361B1103} /*Directory Context Menu Verbs*/%SystemRoot%\System32\dsuiext.dll = %SystemRoot%\System32\dsuiext.dll
@{ECF03A33-103D-11d2-854D-006008059367} /*MyDocs Copy Hook*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{ECF03A32-103D-11d2-854D-006008059367} /*MyDocs Drop Target*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{4a7ded0a-ad25-11d0-98a8-0800361b1103} /*MyDocs Properties*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{750fdf0e-2a26-11d1-a3ea-080036587f03} /*Offline Files Menu*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{10CFC467-4392-11d2-8DB4-00C04FA31A66} /*Offline Files Folder Options*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} /*Cartella file non in linea*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{143A62C8-C33B-11D1-84FE-00C04FA34A14} /*Microsoft Agent Character Property Sheet Handler*/C:\WINDOWS\msagent\agentpsh.dll = C:\WINDOWS\msagent\agentpsh.dll
@{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} /*DfsShell*/C:\WINDOWS\System32\dfsshlex.dll = C:\WINDOWS\System32\dfsshlex.dll
@{60fd46de-f830-4894-a628-6fa81bc0190d} /*%DESC_PublishDropTarget%*/%SystemRoot%\System32\photowiz.dll = %SystemRoot%\System32\photowiz.dll
@{7A80E4A8-8005-11D2-BCF8-00C04F72C717} /*MMC Icon Handler*/%SystemRoot%\System32\mmcshext.dll = %SystemRoot%\System32\mmcshext.dll
@{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} /*.CAB file viewer*/cabview.dll = cabview.dll
@{32714800-2E5F-11d0-8B85-00AA0044F941} /*&Contatti...*/C:\Programmi\Outlook Express\wabfind.dll = C:\Programmi\Outlook Express\wabfind.dll
@{8DD448E6-C188-4aed-AF92-44956194EB1F} /*Windows Media Player Play as Playlist Context Menu Handler*/C:\WINDOWS\System32\wmpshell.dll = C:\WINDOWS\System32\wmpshell.dll
@{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} /*Windows Media Player Burn Audio CD Context Menu Handler*/C:\WINDOWS\System32\wmpshell.dll = C:\WINDOWS\System32\wmpshell.dll
@{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} /*Windows Media Player Add to Playlist Context Menu Handler*/C:\WINDOWS\System32\wmpshell.dll = C:\WINDOWS\System32\wmpshell.dll
@{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{1D2680C9-0E2A-469d-B787-065558BC7D43} /*Fusion Cache*/C:\WINDOWS\system32\mscoree.dll = C:\WINDOWS\system32\mscoree.dll
@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} /*FRISK extension*/C:\Programmi\FSI\F-Prot\shexthk.dll = C:\Programmi\FSI\F-Prot\shexthk.dll
@{E443A8D5-D905-4401-8789-16AE23A8A96D} /*FRISK extension*/C:\Programmi\FSI\F-Prot\shexthk.dll = C:\Programmi\FSI\F-Prot\shexthk.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{640167b4-59b0-47a6-b335-a6b3c0695aea} /*Portable Media Devices*/%SystemRoot%\System32\Audiodev.dll = %SystemRoot%\System32\Audiodev.dll
@{cc86590a-b60a-48e6-996b-41d25ed39a1e} /*Portable Media Devices Menu*/%SystemRoot%\System32\Audiodev.dll = %SystemRoot%\System32\Audiodev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} /*PhoneBrowser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\[email protected]{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ewido [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
Offline [email protected]{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Open [email protected]{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
Open With [email protected]{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\[email protected]{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} = %SystemRoot%\system32\SHELL32.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
[email protected]{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
ewido [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
[email protected]{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} = C:\Programmi\FSI\F-Prot\shexthk.dll
Offline [email protected]{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
[email protected]{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
@{9394EDE7-C8B5-483E-8773-474BF36AF6E4}C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll = C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar1.dll = c:\programmi\google\googletoolbar1.dll
@{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll = C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll

HKCU\Control Panel\[email protected] = C:\WINDOWS\System32\ssstars.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft...p...&ar=msnhome
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.msn.it/ = http://www.msn.it/
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/[email protected] = C:\WINDOWS\System32\mscoree.dll
application/[email protected] = C:\WINDOWS\System32\mscoree.dll
application/[email protected] = C:\WINDOWS\System32\mscoree.dll
Class Install [email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
text/[email protected] = %SystemRoot%\system32\SHELL32.dll

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\System32\msvidctl.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = %SystemRoot%\System32\inetcomm.dll
[email protected] = C:\WINDOWS\system32\urlmon.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\System32\msvidctl.dll
[email protected] = %SystemRoot%\System32\mshtml.dll
[email protected] = C:\WINDOWS\System32\msdxm.ocx
[email protected] = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\[email protected] =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{346CE3E6-CEFF-487D-8062-41622532CFC9} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress90.0.0.100 = 90.0.0.100
@NameServer212.216.172.62,212.216.172.162 = 212.216.172.62,212.216.172.162
@DefaultGateway90.0.0.1 = 90.0.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
[email protected] = %SystemRoot%\System32\mswsock.dll
[email protected] = %SystemRoot%\System32\winrnr.dll
[email protected] = %SystemRoot%\System32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\rsvpsp.dll
[email protected] = %SystemRoot%\system32\rsvpsp.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll
[email protected] = %SystemRoot%\system32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\[email protected] = %SystemRoot%\system32\mswsock.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----

#37 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 06 September 2006 - 08:53 PM

All the icons on my desktop disappeared for two days

Does that mean you didn't try my last suggestions????

Let's get some questioned answered I asked that you don't seem to want to answer

I asked a couple times

Did you remove Sygate's firewall from add/remove programs?

Have you removed it or disabled it????
Let me know please

I asked

Did this happen After you did my last set of instructions?

These were my instructions

Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard


Files to delete:
C:\:ntimaxp.gif
C:\Programmi\File comuni\System\BMb.exe
C:\Programmi\File comuni\System\CrW.exe
C:\Programmi\File comuni\System\slrT.exe
C:\WINDOWS\teifk1.dll
C:\WINDOWS\teifk1.upd

registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIts



Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer


Please keep me as informed as you can
Look over Everything I asked and post back please

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#38 petsmartt

petsmartt

    Member

  • Members
  • PipPipPip
  • 88 posts

Posted 06 September 2006 - 11:05 PM

ohhh
To MSn me my MSN Messenger Is [email protected] change the 0 to a o
~~MMing~~
Trying to get my name out there and earning trust just ask me if you want me to MM for you

~~Bought~~
IM Trying to buy a 60 range pure so tell me if ull sell CB should be 40

~~Selling~~
Warrior PK 53 str-5def-40attack-43cb-For 30k--Working on it
MagePk with like 43 mage only 10k--Working on it

Posted Image
~~ not Trusted~~
They call me ownage

#39 joy

joy

    Member

  • Members
  • PipPipPip
  • 94 posts

Posted 07 September 2006 - 03:48 AM

Well...I couldn't answer to all your questions because I lost all the icons on my desktop,even Explorer!All this mess happened after I did the last things you told me to do with avenger.exe (those you repeat in your last reply).I'm so sorry,but I was really scared and the first thing I thought was right to do was restore the computer on a date in which he worked well...quite well.So I restored it on the 3rd of September 2006,for that I don't know if the last things(4 and 5 of September)you told me to do have still an effect on my PC.In any case,the things you told me yesterday are done!
About Sygate...is removed!
And yes...Everithing happened after your last set of instructions.
Sorry again,but I don't have always so much time to post you quick answers...But thank you,thank you so much for your precious work!

#40 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 07 September 2006 - 06:53 PM

This rootkit I haven't worked with yet, but we should get you clean

Navigate to this folder:

C:/documents and settings

You will see your accounts there, tell me if you notice a name that you don't recognize. Tell me that folder's
exact name if one is found you haven't seen before

Also
Download the Grozmon Removal Tool by Prevx.

Launch the program and click scan, when it locates the infection, it should tell you its going to reboot the machine and remove the infection.

Let the machine restart and wait for the tool to finish.

Locate the report the tool generates--> C:\armada_log.txt

EDIT>>You may want to try the Grozmon removal tool in Safe mode
Also, if you get a prompt to download the Prevx1 software after you run the fix, say NO at the prompt

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here