Trojan.vundo.vbs Again

Hallo gentlemen.


Well found to everibody: I am new and I come pushed from pains and necessity.


After 5 years of happy living with bit defender since two days I have lost the control of my system.


On the hands of the vundo.dvs trojan.


What happens is that after loading all programs, a bdd windows warns that the trojan has been found but the pc has not been infected.


Only that at this point all pc controls are hidden and the only thing I can do is close the bdd windows and reboot from a black screen.


I have tried the tools suggested on previous post but without success.


The file that bdd indicate is svvwa.ini in the root system32 but clearly it is in the registry the unarrived source of infection.


In the hope that somebody could give me a hint I post the file produced running Silent Runner as done from others members.


Thanks


------------------------------------------------------------------------------------


"Silent Runners.vbs", revision 56, http://www.silentrunners.org/


Operating System: Windows XP SP2


Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:


---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}


"BAR" = "E:\Programmi\birth reminder\BAR.exe /check" ["By, Vaibhav Kulkarni"]


"ctfmon.exe" = "E:\WINDOWS\system32\ctfmon.exe" [MS]


"Tray Pilot Lite" = ""E:\Programmi\Tray Pilot Lite\TrayPlt.exe"" ["Invention Pilot, Inc"]


"Skype" = ""E:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]


"HDDHealth" = "E:\Programmi\HDD Health\hddhealth.exe -wl" ["PANTERASoft"]


"Yahoo! Pager" = ""E:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]


"MsnMsgr" = ""E:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}


"ATIPTA" = "E:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]


"allChars" = "e:\programmi\allchars300\allchars.exe -q " ["Jeroen Laarhoven"]


"Acronis True Image Monitor" = ""E:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe"" ["Acronis"]


"Acronis Scheduler2 Service" = ""E:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]


"DeltTray" = "DeltTray.exe" ["Doug Fetter Software Wizardry"]


"dclean" = "e:\programmi\dclean141\dclean.exe -q" [empty string]


"PCLEPCI" = "E:\PROGRA~1\PINNAC~1\PPE\PPE.EXE" ["Pinnacle Systems GmbH"]


"BDMCon" = ""E:\Programmi\Softwin\BitDefender10\bdmcon.exe" /reg" ["SOFTWIN S.R.L."]


"TkBellExe" = ""E:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]


"SunJavaUpdateSched" = ""E:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]


"STICAP" = "E:\WINDOWS\Twain_32\NX VEGA 300\SnapTrap.exe" [empty string]


"Adobe Reader Speed Launcher" = ""E:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\


{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)


-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"


\InProcServer32\(Default) = "E:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]


{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)


-> {HKLM...CLSID} = "Supporto di collegamento per Adobe PDF Reader"


\InProcServer32\(Default) = "E:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = (no title provided)


-> {HKLM...CLSID} = "Skype add-on (mastermind)"


\InProcServer32\(Default) = "E:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]


{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)


-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"


\InProcServer32\(Default) = "E:\Programmi\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]


{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)


-> {HKLM...CLSID} = "SSVHelper Class"


\InProcServer32\(Default) = "E:\Programmi\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]


{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)


-> {HKLM...CLSID} = "Guida per l'accesso a Windows Live"


\InProcServer32\(Default) = "E:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]


{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)


-> {HKLM...CLSID} = "Google Toolbar Helper"


\InProcServer32\(Default) = "e:\programmi\google\googletoolbar1.dll" ["Google Inc."]


{ABE2CFE6-F988-4247-ACF5-EB107F0246FD}\(Default) = (no title provided)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "E:\WINDOWS\system32\awvvs.dll" [null data]


{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)


-> {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"


\InProcServer32\(Default) = "E:\Programmi\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]


{FBD29C3C-C642-4843-A627-6E54A947B511}\(Default) = (no title provided)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "E:\WINDOWS\system32\yayyawu.dll" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\


"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"


-> {HKLM...CLSID} = "HyperTerminal Icon Ext"


\InProcServer32\(Default) = "E:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]


"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"


-> {HKLM...CLSID} = "Microsoft Office Outlook"


\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]


"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"


-> {HKLM...CLSID} = "Estensione dell'icona del file di Outlook"


\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]


"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "E:\Programmi\Microsoft Office\OFFICE11\msohev.dll" [MS]


"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "E:\Programmi\WinRAR\rarext.dll" [null data]


"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Componente estensione della shell di CorelDRAW"


-> {HKLM...CLSID} = "Componente estensione della shell di CorelDRAW"


\InProcServer32\(Default) = "E:\Programmi\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll" [null data]


"{6F45BB01-537B-11D3-A2A6-444553540000}" = "FineCrypt"


-> {HKLM...CLSID} = "FineCrypt"


\InProcServer32\(Default) = "E:\Programmi\FineCrypt\fcshell.dll" ["Crypto Systems, Inc."]


"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"


-> {HKLM...CLSID} = "BDMenu Class"


\InProcServer32\(Default) = "E:\Programmi\Softwin\BitDefender10\bdshelxt.dll" [null data]


"{19F500E0-9964-11cf-B63D-08002B317C03}" = "Desktop Icon Layout"


-> {HKLM...CLSID} = "Desktop Icon Layout"


\InProcServer32\(Default) = "Layout.dll" ["Microsoft"]


"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"


-> {HKLM...CLSID} = "RealOne Player Context Menu Class"


\InProcServer32\(Default) = "E:\Programmi\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]


"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"


-> {HKLM...CLSID} = "UIContextMenu Class"


\InProcServer32\(Default) = "E:\Programmi\UltraISO\isoshell.dll" ["EZB Systems, Inc."]


"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"


-> {HKLM...CLSID} = "YMailShellExt Class"


\InProcServer32\(Default) = "E:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]


"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"


-> {HKLM...CLSID} = "Cartelle condivise"


\InProcServer32\(Default) = "E:\Programmi\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\


<<!>> "{FBD29C3C-C642-4843-A627-6E54A947B511}" = "*_" (unwritable string)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "E:\WINDOWS\system32\yayyawu.dll" [null data]


HKLM\SYSTEM\CurrentControlSet\Control\Lsa\


<<!>> "Authentication Packages" = "msv1_0"|"E:\WINDOWS\system32\awvvs.dll"


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\


<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


<<!>> yayyawu\DLLName = "yayyawu.dll" [null data]


HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\


<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "E:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\


{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"


-> {HKLM...CLSID} = "PDF Shell Extension"


\InProcServer32\(Default) = "E:\Programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\


Eraseex\(Default) = "{ECDF2E20-C829-11D1-8233-0030AF3E97A8}"


-> {HKLM...CLSID} = "Clean Disk Security Context Menu Extension"


\InProcServer32\(Default) = "E:\Programmi\Clean Disk Security\eraseex.dll" ["Kevin Solway"]


FineCrypt\(Default) = "{6F45BB01-537B-11D3-A2A6-444553540000}"


-> {HKLM...CLSID} = "FineCrypt"


\InProcServer32\(Default) = "E:\Programmi\FineCrypt\fcshell.dll" ["Crypto Systems, Inc."]


WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "E:\Programmi\WinRAR\rarext.dll" [null data]


Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"


-> {HKLM...CLSID} = "YMailShellExt Class"


\InProcServer32\(Default) = "E:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\


UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"


-> {HKLM...CLSID} = "UIContextMenu Class"


\InProcServer32\(Default) = "E:\Programmi\UltraISO\isoshell.dll" ["EZB Systems, Inc."]


WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "E:\Programmi\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\


BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"


-> {HKLM...CLSID} = "BDMenu Class"


\InProcServer32\(Default) = "E:\Programmi\Softwin\BitDefender10\bdshelxt.dll" [null data]


Eraseex\(Default) = "{ECDF2E20-C829-11D1-8233-0030AF3E97A8}"


-> {HKLM...CLSID} = "Clean Disk Security Context Menu Extension"


\InProcServer32\(Default) = "E:\Programmi\Clean Disk Security\eraseex.dll" ["Kevin Solway"]


FineCrypt\(Default) = "{6F45BB01-537B-11D3-A2A6-444553540000}"


-> {HKLM...CLSID} = "FineCrypt"


\InProcServer32\(Default) = "E:\Programmi\FineCrypt\fcshell.dll" ["Crypto Systems, Inc."]


IconLayout\(Default) = "{19F500E0-9964-11cf-B63D-08002B317C03}"


-> {HKLM...CLSID} = "Desktop Icon Layout"


\InProcServer32\(Default) = "Layout.dll" ["Microsoft"]


UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"


-> {HKLM...CLSID} = "UIContextMenu Class"


\InProcServer32\(Default) = "E:\Programmi\UltraISO\isoshell.dll" ["EZB Systems, Inc."]


WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "E:\Programmi\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:


-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoCDBurning" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoTrayItemsDisplay" = (REG_DWORD) dword:0x00000000


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Hide the notification area}


"HideClock" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoWindowsUpdate" = (REG_DWORD) dword:0x00000001


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Remove links and access to Windows Update}


"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoSaveSettings" = (REG_DWORD) dword:0x00000001


{User Configuration|Administrative Templates|Desktop|


Don't save settings at exit}


"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoFavoritesMenu" = (REG_DWORD) dword:0x00000001


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Remove Favorites menu from Start Menu}


"NoSMMyDocs" = (REG_DWORD) dword:0x00000001


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Remove Documents menu from Start Menu}


"NoSMMyPictures" = (REG_DWORD) dword:0x00000001


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Remove My Pictures icon from Start Menu}


"NoStartMenuMyMusic" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoRecentDocsHistory]" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoRecentDocsNetHood" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoFind" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoRun" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoUserNameInStartMenu" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoInstrumentation" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoStartMenuPinnedList" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"ForceStartMenuLogoff" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoSharedDocuments" = (REG_DWORD) dword:0x00000000


{User Configuration|Administrative Templates|Windows Components|Windows Explorer|


Remove Shared Documents from My Computer}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoResolveSearch" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoWindowsUpdate" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"ClassicShell" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoFavoritesMenu" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoSMMyDocs" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoSMMyPictures" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoStartMenuMyMusic" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoRecentDocsNetHood" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoFind" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoRun" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoInstrumentation" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoSimpleStartMenu" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"NoVisualStyleChoice" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\


"NoUpdateCheck" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001


{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|


Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001


{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|


Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:


-----------------------------


Active Desktop may be disabled at this entry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:


HKCU\Software\Microsoft\Internet Explorer\Desktop\General\


"Wallpaper" = "L:\d-store\planets\logoearth.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:


HKCU\Control Panel\Desktop\


"Wallpaper" = "L:\d-store\planets\logoearth.bmp"


Enabled Screen Saver:


---------------------


HKCU\Control Panel\Desktop\


"SCRNSAVE.EXE" = "E:\WINDOWS\System32\logon.scr" [MS]


Startup items in "ggiamber" & "All Users" startup folders:


----------------------------------------------------------


E:\Documents and Settings\ggiamber\Menu Avvio\Programmi\Accessori\Esecuzione automatica


"VOIP-10 SKY V1.0" -> shortcut to: "E:\Documents and Settings\ggiamber\Dati applicazioni\Microsoft\Installer\{4C9CAC9A-5CFF-4E7B-9D0E-8CEA20F63599}\_4d064db7.exe" [null data]


E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica


"Digisoft AntiDialer" -> shortcut to: "E:\Programmi\Digisoft AntiDialer\AntiDialer.exe" ["Digisoft"]


"EPSON SMART PANEL for Scanner" -> shortcut to: "E:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe /h" ["NewSoft"]


"PrintAndFax" -> shortcut to: "E:\Programmi\Fastweb\PrintAndFax\FaxMonitor.exe" ["Icona SpA"]


Enabled Scheduled Tasks:


------------------------


"zhqzic.job" -- insufficient permission to read this file!


Winsock2 Service Provider DLLs:


-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}


000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}


0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:


%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 32


%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:


------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\


"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"


-> {HKLM...CLSID} = "&Google"


\InProcServer32\(Default) = "e:\programmi\google\googletoolbar1.dll" ["Google Inc."]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\


"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"


-> {HKLM...CLSID} = "&Google"


\InProcServer32\(Default) = "e:\programmi\google\googletoolbar1.dll" ["Google Inc."]


HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\


"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)


-> {HKLM...CLSID} = "Yahoo! Toolbar"


\InProcServer32\(Default) = "E:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]


"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)


-> {HKLM...CLSID} = "&Google"


\InProcServer32\(Default) = "e:\programmi\google\googletoolbar1.dll" ["Google Inc."]


Explorer Bars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\


HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Ricerche"


Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]


InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\


{072F3B8A-2DA2-40E2-B841-88899F240200}\


"ButtonText" = "Trashcan"


"MenuText" = "Show Trashcan"


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\


{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\


"MenuText" = "Sun Java Console"


"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"


-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"


\InProcServer32\(Default) = "E:\Programmi\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]


-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"


\InProcServer32\(Default) = "E:\Programmi\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]


{77BF5300-1474-4EC7-9980-D32B190E9B07}\


"ButtonText" = "Skype"


"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"


-> {HKLM...CLSID} = "Skype add-on (button)"


\InProcServer32\(Default) = "E:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\


"ButtonText" = "Ricerche"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\


"ButtonText" = "Messenger"


"MenuText" = "Windows Messenger"


"Exec" = "E:\Programmi\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points


------------------------------


E:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):


[strings]: START_PAGE_URL=http://www.fastweb.it


Missing lines (compared with English-language version):


[strings]: 1 line


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\


<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*f" (unwritable string)


-> {HKLM...CLSID} = "Yahoo! Toolbar"


\InProcServer32\(Default) = "E:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):


------------------------------------------------------------------


Acronis Scheduler2 Service, AcrSch2Svc, ""E:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe"" ["Acronis"]


ahfP Service, ahfprog, "E:\WINDOWS\system32\ahfp.exe" [null data]


Ati HotKey Poller, Ati HotKey Poller, "E:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]


BitDefender Communicator, XCOMM, ""E:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["SOFTWIN S.R.L"]


BitDefender Desktop Update Service, LIVESRV, ""E:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]


BitDefender Scan Server, bdss, ""E:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]


BitDefender Virus Shield, VSSERV, ""E:\Programmi\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]


Creative Service for CDROM Access, Creative Service for CDROM Access, "E:\WINDOWS\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]


Machine Debug Manager, MDM, ""E:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]


Print Monitors:


---------------


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\


CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]


EPSON V6 Monitor4SA\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]


Ice Monitor M\Driver = "BiMMonNT.dll" ["Black Ice Software"]


Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


PDF Port\Driver = "E:\WINDOWS\System32\pdfports.dll" ["Adobe Systems Incorporated."]


---------- (launch time: 2008-03-07 14:57:24)


<<!>>: Suspicious data at a malware launch point.


<<H>>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.


+ To see *everywhere* the ****** checks and *everything* it finds,


launch it from a command prompt or a shortcut with the -all parameter.


+ To search all directories of local fixed drives for DESKTOP.INI


DLL launch points, use the -supp parameter or answer "No" at the


first message box and "Yes" at the second message box.


---------- (total run time: 204 seconds, including 23 seconds for message boxes)

Comments