
The unmentionable HJT

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57


Post by maxilsub » 30/11/06 17:42

For many days now I've been trying to run a check of my computer with HJT, but every time I try to open it the page closes :( . I tried downloading it again, but likewise, as soon as I try to click on the HJT guide the web page closes :evil: .
I tried opening other posts, but every click on the word HJT makes the page close :aaah .

Could you help me?

Thanks
maxilsub
Junior Member

Posts: 31
Joined: 16/01/06 19:20
Location: Latina


Post by BilloKenobi » 30/11/06 19:56

download this and make a log with it... then post it

http://www.mytempdir.com/1044693
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior Member

Posts: 348
Joined: 08/07/06 11:05

Post by BilloKenobi » 30/11/06 20:00

hmm, the file is no longer accessible... :lol:

here's another url

http://www.mytempdir.com/1088004
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior Member

Posts: 348
Joined: 08/07/06 11:05

Post by maxilsub » 01/12/06 18:06

Systemscan - http://www.suspectfile.com

Date: 01/12/2006
Time: 17.36.35,39

Output limited to:
-Recent files
-Registry Run Keys
-Running Services
-Loaded Dlls
-Alternate Data Sreams
-Encrypted Files
-Hidden files

-------------Users folders -------------

Directory di C:\documents and settings

18/01/2006 16.47 <DIR> Administrator
28/04/2005 15.45 <DIR> All Users
28/04/2005 15.45 <DIR> Default User
22/08/2006 18.17 <DIR> LocalService
16/08/2006 15.16 <DIR> NetworkService
30/11/2006 16.46 <DIR> principale
05/07/2006 11.56 <DIR> sFz

-------------Recent files (60 days) -------------
NOTE: searched only in C:, C:\WINDOWS, C:\WINDOWS\system32, C:\Programmi\File comuni, C:\WINDOWS\temp



Directory di C:\


01/12/2006 16.56 <DIR> WINDOWS
01/12/2006 17.36 <DIR> suspectfile
01/12/2006 16.34 <DIR> Programmi


Directory di C:\WINDOWS


14/10/2006 11.58 <DIR> WinSxS
01/12/2006 17.28 <DIR> Temp
29/11/2006 19.41 <DIR> system32
28/11/2006 18.37 <DIR> SoftwareDistribution
29/11/2006 18.22 <DIR> AppPatch
29/11/2006 16.36 <DIR> Prefetch
16/11/2006 18.38 <DIR> Debug
16/11/2006 16.27 <DIR> msagent
29/11/2006 19.41 <DIR> Internet Logs
13/11/2006 16.57 4.132 ModemLog_SoftK56 Data Fax.txt
29/11/2006 18.21 32 pavsig.txt
13/10/2006 17.40 1.409 QTFont.for
01/12/2006 12.50 32.616 SchedLgU.Txt
25/11/2006 11.27 81.998 69.tmp
25/11/2006 11.27 84.127 63.tmp
21/11/2006 16.14 82.055 3.tmp
21/11/2006 16.14 84.127 2.tmp
01/12/2006 16.34 159 wiadebug.log
01/12/2006 16.34 50 wiaservc.log
28/11/2006 18.10 1.090 win.ini
01/12/2006 12.50 1.552.213 WindowsUpdate.log
01/12/2006 16.34 0 0.log
27/10/2006 11.24 754 WORDPAD.INI


Directory di C:\WINDOWS\system32


28/11/2006 18.40 <DIR> wbem
29/11/2006 18.22 <DIR> ActiveScan
21/11/2006 16.14 <DIR> LogFiles
28/11/2006 18.38 <DIR> drivers
28/11/2006 18.37 <DIR> config
28/11/2006 17.49 <DIR> CatRoot2
28/11/2006 18.10 0 asfiles.txt
29/11/2006 18.21 1.406 Help.ico
21/11/2006 16.27 274.432 imon.dll
11/11/2006 20.04 227 imon1.dat
08/11/2006 02.38 10.342.824 MRT.exe
13/10/2006 13.35 64.000 nwapi32.dll
13/10/2006 13.35 143.360 nwprovau.dll
13/10/2006 13.35 65.536 nwwks.dll
29/11/2006 18.21 30.590 pavas.ico
30/10/2006 16.28 39.992 perfc009.dat
30/10/2006 16.28 47.592 perfc010.dat
30/10/2006 16.28 311.604 perfh009.dat
30/10/2006 16.28 345.010 perfh010.dat
30/10/2006 16.28 751.592 PerfStringBackup.INI
29/11/2006 18.21 2.550 Uninstall.ico
01/12/2006 16.34 12.714 wpa.dbl
16/10/2006 11.40 121.344 xpsp3res.dll


Directory di C:\Programmi\File comuni


01/12/2006 16.34 <DIR> Services
29/11/2006 18.32 <DIR> Symantec Shared


Directory di C:\WINDOWS\temp


29/11/2006 19.25 0 exp2AB9.tmp
28/11/2006 18.36 0 exp682.tmp
15/11/2006 18.59 716 IHA.tmp
15/11/2006 18.59 715 IHB.tmp
15/11/2006 18.59 716 IHC.tmp
01/12/2006 16.49 255 WGAErrLog.txt
01/12/2006 16.34 409 WGANotify.settings



-------------HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows-------------

[Windows]
"AppInit_DLLs"="\\?\C:\WINDOWS\system32\lpt9.zxh"

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"Shell"="Explorer.exe"
"System"=""
"Userinit"="c:\windows\system32\userinit.exe,\"c:\windows\symantec-tool.exe\","
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"forceunlocklogon"=dword:00000000
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=expand:"logonui.exe"
"LogonType"=dword:00000001
"Background"="0 0 0"
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001

[Winlogon\GPExtensions]

[Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Senza fili"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"DllName"=expand:"fdeploy.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Quota disco Microsoft"
"DllName"=expand:"dskquota.dll"

[Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="Utilità di pianificazione pacchetti QoS"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Script"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Mapping aree Internet Explorer"
"DllName"=expand:"iedkcs32.dll"

[Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"

[Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=expand:"iedkcs32.dll"
@="Personalizzazione Internet Explorer"

[Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
@="EFS recovery"

[Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Installazione software"
"DllName"=expand:"appmgmts.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="Protezione IP"
"DllName"=expand:"gptext.dll"

[Winlogon\Notify]

[Winlogon\Notify\crypt32chain]
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[Winlogon\Notify\cryptnet]
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"StartShell"="WinlogonStartShellEvent"

[Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001

[Winlogon\Notify\Schedule]
"DllName"=expand:"wlnotify.dll"
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"DllName"=expand:"sclgntfy.dll"

[Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"

[Winlogon\Notify\termsrv]
"DllName"=expand:"wlnotify.dll"
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"
"Event"=dword:00000000

[Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:(binary blob omitted)

[Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"

[Winlogon\SpecialAccounts]

[Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"sFz"=dword:00000000

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"ExcludeProfileDirs"="Impostazioni locali;Temporary Internet Files;Cronologia;Temp"
"BuildNumber"=dword:00000a28

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]
"SoundMan"="SOUNDMAN.EXE"
"SO5 Integrator Pass Two"="C:\WINDOWS\SOINTGR.EXE"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe"
"ccApp"="\"C:\Programmi\File comuni\Symantec Shared\ccApp.exe\""
"QuickTime Task"="\"C:\Programmi\QuickTime\qttask.exe\" -atboottime"
"Easy-PrintToolBox"="C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon"
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer"
"nod32kui"="\"C:\Programmi\Eset\nod32kui.exe\" /WAITSERVICE"

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

[RunOnce]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

[RunOnceEx]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

[Runonce]

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects-------------

[Browser Helper Objects]

[Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
#### HKCR\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32 @="C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"

[Browser Helper Objects\{0E20D0C1-8F6A-3854-73B0-B4EFBCBB7A60}]
#### HKCR\CLSID\{0E20D0C1-8F6A-3854-73B0-B4EFBCBB7A60}\InprocServer32 @="C:\WINDOWS\yblhq1.dll"
@=""

-------------HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks-------------

-------------HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks-------------

[ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
#### HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32 @="shell32.dll"

-------------HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List-------------

[List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe"="C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX"

-------------HKLM\SYSTEM\ControlSet001\Control\Lsa-------------

[Lsa]
"Authentication Packages"=multi:"msv1_0\00\00"
"Bounds"=hex:00,30,00,00,00,20,00,00
"LsaPid"=dword:0000033c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=multi:"\00:\WINDOW\00scecli\00\00"

[Lsa\AccessProviders]
"ProviderOrder"=multi:"Windows NT Access Provider\00\00"

[Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=expand:"%SystemRoot%\system32\ntmarta.dll"

[Lsa\Audit]

[Lsa\Audit\PerUserAuditing]

[Lsa\Audit\PerUserAuditing\System]

[Lsa\Data]
@Class="caa93760"
"Pattern"=hex:69,50,cf,6d,dc,82,4f,f3,e4,95,b5,ed,3a,d4,17,8e,63,61,61,39,33,\
37,36,30,00,67,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
53,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,a1,50,76,64

[Lsa\GBG]
@Class="a18cfe2d"
"GrafBlumGroup"=hex:d0,5b,78,4e,82,18,1b,b2,f1

[Lsa\JD]
@Class="5b2864e0"
"Lookup"=hex:d9,fd,28,3e,75,ed

[Lsa\Kerberos]

[Lsa\Kerberos\Domains]

[Lsa\Kerberos\SidCache]

[Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[Lsa\Skew1]
@Class="765040b4"
"SkewMatrix"=hex:57,0b,47,46,85,f0,37,31,26,e8,8b,cf,dd,3e,f6,a4

[Lsa\SSO]

[Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[Lsa\SspiCache]
"Time"=hex:7c,2f,fa,9a,2d,ad,c4,01

[Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"RpcId"=dword:0000ffff
"Time"=hex:00,61,92,55,3d,86,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"RpcId"=dword:00000011
"Time"=hex:00,42,88,5b,3d,86,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"RpcId"=dword:00000012
"Time"=hex:80,d8,20,5c,3d,86,c4,01
"Type"=dword:00000031

-------------HKLM\SYSTEM\ControlSet001\Services\SharedAccess-------------

[SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"=expand:"%SystemRoot%\System32\svchost.exe -k netsvcs"
"DisplayName"="Windows Firewall / Condivisione connessione Internet (ICS)"
"ObjectName"="LocalSystem"
"Description"="Fornisce servizi di conversione indirizzi di rete, indirizzamento e risoluzione nomi e/o servizi di prevenzione intrusione per una rete domestica o una piccola rete aziendale."

[SharedAccess\Epoch]
"Epoch"=dword:000009e9

[SharedAccess\Parameters]
"ServiceDll"=expand:"%SystemRoot%\System32\ipnathlp.dll"

[SharedAccess\Parameters\FirewallPolicy]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe"="C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"

[SharedAccess\Security]

[SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{9D59D87B-9505-4663-97CA-6BF099E19F54}"=dword:00000001
"{830950E6-9F7E-4A2F-B58F-D5876276CD0E}"=dword:00000001
"{CB782C52-6B4F-41DF-874B-0F2A1F04DE5E}"=dword:00000001
"{04B55052-C760-4D35-9BE1-05CE60F14CA8}"=dword:00000001

-------------HKLM\Software\Microsoft\Ole-------------

[Ole]
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00

[Ole\AppCompat]

[Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

-------------HKEY_CLASSES_ROOT\exefile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\comfile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\batfile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\piffile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\scrFile\shell\open\command-------------

@="\"%1\" /S"

-------------HKEY_CLASSES_ROOT\htafile\shell\open\command-------------

@="C:\WINDOWS\System32\mshta.exe \"%1\" %*"

-------------HKEY_CLASSES_ROOT\logfile\shell\open\command-------------

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler-------------

[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
#### HKCR\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InprocServer32 @=expand:"%SystemRoot%\System32\browseui.dll"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"
#### HKCR\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InprocServer32 @=expand:"%SystemRoot%\System32\browseui.dll"

-------------HKLM\Software\Microsoft\Active Setup\Installed Components-------------

[Installed Components]

[Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"Stubpath"="C:\WINDOWS\inf\unregmp2.exe /ShowWMP"
@="Windows Media Player"
"ComponentID"="WMPACCESS"

[Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
@="Internet Explorer"
"ComponentID"="IEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE"

[Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
@="Personalizzazione del browser"
"ComponentID"="BRANDING.CAB"
"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"

[Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
@="Outlook Express"
"ComponentID"="OEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE"

[Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}]
#### HKCR\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}\InprocServer32 @="C:\Programmi\Viewpoint\Viewpoint Media Player\AxMetaStream.dll"
@="Viewpoint Media Player"
"ComponentID"="Viewpoint"

[Installed Components\{057997dd-71e4-43cc-b161-3f8180691a9e}]
@="Q824145"
"ComponentID"="Q824145"

[Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
@="Microsoft VM"
"ComponentID"="JAVAVM"
"KeyFileName"="C:\WINDOWS\System32\msjava.dll"

[Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
@="Rendering grafica vettoriale (VML)"
"ComponentID"="MSVML"

[Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}]
#### HKCR\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}\InprocServer32 @="C:\Programmi\Viewpoint\Viewpoint Media Player\AxMetaStream.dll"
@="Viewpoint Media Player"
"ComponentID"="Viewpoint"

[Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
#### HKCR\CLSID\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
@=""
"ComponentID"="NetShow"
"StubPath"=""

[Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"ComponentID"="Windows Media Player"
"StubPath"=""
@="Microsoft Windows Media Player 6.4"

[Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}]
@="Q324929"
"ComponentID"="Q324929"

[Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
#### HKCR\CLSID\{283807B5-2C60-11D0-A31D-00AA00B92C03}\InprocServer32 @="C:\WINDOWS\System32\danim.dll"
@="DirectAnimation"
"ComponentID"="DirectAnimation"

[Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"ComponentID"="Theme Component"
"StubPath"=expand:"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll"

[Installed Components\{2cc9d512-6db6-4f1c-8979-9a41fae88de0}]
@="Q837009"
"ComponentID"="Q837009"

[Installed Components\{2eac6a2d-57a8-44d4-96f7-e32bab40ca5f}]
@="Windows Update"
"ComponentID"="Windows XP Application Compatibility Update"

[Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
@="Binding dati Dynamic HTML per Java"
"ComponentID"="TridataJava"

[Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}]
@="Q822925"
"ComponentID"="Q822925"

[Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]
@="Modulo ricerca non in linea"
"ComponentID"="MobilePk"

[Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
@="Uniscribe"
"ComponentID"="USP10"

[Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}]
@="KB834707"
"ComponentID"="KB834707"

[Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}]
@="Creazione avanzata"
"ComponentID"="AdvAuth"

[Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Outlook Express 6"
"ComponentID"="MailNews"
"CloneUser"=dword:00000001
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"

[Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
@="NetMeeting 3.01"
"ComponentID"="NetMeeting"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT"

[Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
@="DirectShow"
"ComponentID"="activemovie"

[Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
@="DirectDrawEx"
"ComponentID"="DirectDrawEx"

[Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
@="Guida di Internet Explorer"
"ComponentID"="HelpCont"

[Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
@="Classi Java DirectAnimation"
"ComponentID"="DAJava"

[Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
@="Microsoft Windows Script 5.6"
"ComponentID"="MSVBScript"

[Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
"ComponentID"="Messenger"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser"
@="Windows Messenger 4.7"
"KeyFileName"="C:\Programmi\Messenger\msmsgs.exe"

[Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
"(Default)"="Internet Connection Wizard"
"ComponentID"="ICW"

[Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
@="Strumenti di installazione di Internet Explorer"
"ComponentID"="GenSetup"

[Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
@="Miglioramenti sfoglia"
"ComponentID"="ExtraPack"
"KeyFileName"="C:\WINDOWS\System32\msieftp.dll"

[Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
#### HKCR\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32 @="C:\WINDOWS\system32\wmp.dll"
@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub"

[Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
@="Accesso sito MSN"
"ComponentID"="MSN_Auth"

[Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
@="Rubrica 6"
"ComponentID"="WAB"
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"ComponentID"="IE4Shell_NT"
"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Internet Explorer 6"
"ComponentID"="BASEIE40_W2K"
"StubPath"=expand:"%SystemRoot%\system32\ie4uinit.exe"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix]

[Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
@="Binding dati Dynamic HTML"
"ComponentID"="Tridata"

[Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}]
@="Q828750"
"ComponentID"="Q828750"

[Installed Components\{C34F4917-ED43-439f-9023-97B0024A2B3B}]
@="Q810847"
"ComponentID"="Q810847"

[Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]
@="Font principali di Internet Explorer"
"ComponentID"="Fontcore"

[Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
@="Utilità di pianificazione"
"ComponentID"="MSTASK"

[Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
"ComponentID"="Windows Movie Maker v2.1"

[Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@="Adobe Flash Player 9 ActiveX"
"ComponentID"="Flash"

[Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
@="Guida HTML"
"ComponentID"="HTMLHelp"

[Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]
@="Active Directory Service Interface"
"ComponentID"="ADSI"

[Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}]
@="Q832894"
"ComponentID"="Q832894"

[Installed Components\{F5776D81-AE53-4935-8E84-B0B283D8BCEF}]
@="Q330994"
"ComponentID"="Q330994"

[Installed Components\{f5de1b93-9d38-416b-b09e-aa85a8e84309}]
@="Q818529"
"ComponentID"="Q818529"

[Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}]
@="Q813489"
"ComponentID"="Q813489"

-------------Comparing registry keys CCS1 vs CCS2 -------------
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services

Result compared: Identical


-------------Comparing registry keys CCS1 vs CCS3 -------------
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Dhcp\Parameters {D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} REG_BINARY 0F000000000000000000000000000000314F7045F9000000000000000000000000000000314F704501000000000000000000000000000000314F70452B000000000000000000000000000000314F70452C000000000000000000000000000000314F704506000000000000000000000000000000314F7045
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Dhcp\Parameters {D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} REG_BINARY 0F00000000000000000000000000000041FB6E45F900000000000000000000000000000041FB6E450100000000000000000000000000000041FB6E452B00000000000000000000000000000041FB6E452C00000000000000000000000000000041FB6E450600000000000000000000000000000041FB6E45
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\DS
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\LSA
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\NetDDE Object
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\SC Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Security Account Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Spooler
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\HTTP\Parameters\Synchronize
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\MRxDAV\EncryptedDirectories
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\mssmbios\Data
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\NetBT\Parameters\Interfaces\Tcpip_{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NetbiosOptions REG_DWORD 2 (0x2)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 2537 (0x9E9)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess\Epoch Epoch REG_DWORD 2520 (0x9D8)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NTEContextList REG_MULTI_SZ 0x00000003\0\0
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NTEContextList REG_MULTI_SZ \0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpIPAddress REG_SZ 83.187.206.159
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpIPAddress REG_SZ 0.0.0.0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpSubnetMask REG_SZ 255.255.255.255
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpSubnetMask REG_SZ 0.0.0.0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NameServer REG_SZ 193.12.150.2 212.247.152.2
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NameServer REG_SZ
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\WebDrk

Result compared: Different


-------------List of running services -------------
Unable to enumerate available services on Windows system. (Get query)

SYSTEM SAYS: Sono disponibili altri dati.



..:: BOOT REGISTRY ::..

0) "SoundMan"
---> TYPE = String
---> CMD = SOUNDMAN.EXE
---> FILE = ˆ>’|SOUNDMAN.EXE

1) "SO5 Integrator Pass Two"
---> TYPE = String
---> CMD = C:\WINDOWS\SOINTGR.EXE
---> FILE = C:\WINDOWS\sointgr.exe

2) "GSICONEXE"
---> TYPE = String
---> CMD = GSICON.EXE
---> FILE = C:\WINDOWS\GSICON.EXE

3) "DSLAGENTEXE"
---> TYPE = String
---> CMD = dslagent.exe USB
---> FILE = C:\WINDOWS\dslagent.exe USB

4) "PinnacleDriverCheck"
---> TYPE = String
---> CMD = C:\WINDOWS\System32\PSDrvCheck.exe
---> FILE = C:\WINDOWS\System32\PSDrvCheck.exe

5) "ccApp"
---> TYPE = String
---> CMD = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
---> FILE = C:\Programmi\File comuni\Symantec Shared\CCAPP.EXE

6) "QuickTime Task"
---> TYPE = String
---> CMD = "C:\Programmi\QuickTime\qttask.exe" -atboottime
---> FILE = (NOT EXISTS)

7) "Easy-PrintToolBox"
---> TYPE = String
---> CMD = C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
---> FILE = C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

8) "Symantec NetDriver Monitor"
---> TYPE = String
---> CMD = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
---> FILE = C:\PROGRA~1\SYMNET~1\SNDMon.exe

9) "nod32kui"
---> TYPE = String
---> CMD = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
---> FILE = (NOT EXISTS)



-------------loaded Dlls -------------
NOTE: already known legit dlls are not shown


You do not have the DEBUG privilege, which is required to run this program

-------------NTFS ADS -------------



Error opening C:\hiberfil.sys:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\pagefile.sys:
Impossibile accedere al file. Il file è utilizzato da un altro processo.


...
Error opening C:\Documents and Settings\LocalService\NTUSER.DAT:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\LocalService\ntuser.dat.LOG:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\NetworkService\NTUSER.DAT:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\NetworkService\ntuser.dat.LOG:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\principale\ntuser.dat:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\principale\ntuser.dat.LOG:
Impossibile accedere al file. Il file è utilizzato da un altro processo.





C:\Documents and Settings\principale\Desktop\SCUBAPRO Dealer News Nova Light.pdf:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\Fabio Ciocci\listini_tusa_2006.xls:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\Fabio Ciocci\listino_ikelite_2006.doc:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\Fabio Ciocci\listino_spareair_2006.xls:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\Fabio Ciocci\listino_strumentI_2006.doc:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\Fabio Ciocci\listino_tabata_nuoto.xls:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\Fabio Ciocci\listino_waterproof_2006.xls:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\Fabio Ciocci\list[1][1].torce_ikelite_2006.xls:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\foto tecnoreef\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\100_0001.jpg:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\100_0003.jpg:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\100_0007.jpg:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\100_0013.jpg:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\Copia di 100_0001.jpg:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\Difese antierosione, antistrascico e ripopolamento ittico (CNR ISMAR)3.pdf:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\FRONTESPIZIO MINISTERO.pdf:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\IMG_0033.jpg:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\offerta reefconsulting per Max Sub.doc:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\PA270070.JPG:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Desktop\progetto Tecnoreef\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\SetupPlanning.exe:
:Zone.Identifier:$DATA 26

C:\Documents and Settings\principale\Documenti\Thumbs.db:
:encryptable:$DATA 0
.
C:\Documents and Settings\principale\Documenti\602Documents\Binders\Pictures\Arrows\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\602Documents\Binders\Pictures\Globes\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\602Documents\Binders\Pictures\Letters\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\602Documents\Photo Album\Images\PICTURES\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Articoli\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\ARUBA\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\comunic. dalle riviste\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\locandina1.jpg:
:Zone.Identifier:$DATA 26
.
C:\Documents and Settings\principale\Documenti\Immagini\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\2003_08_15\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\2003_08_16\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\2003_08_22\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\2003_08_23\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\2003_08_24\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Athen Work shop\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Athena work shop 2005\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\capodanno Trieste\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\cena nascosa club\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\compl.Francesco-Livorno rec\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\compleanno Anna 2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Corso Genoni 01-08-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Corso Genoni 30-07-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Corso Genoni 31-07-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\corso istruttori marsa alam 20-27 giugno 2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\eudi show\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\fiera\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\foce verde 24-07-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\foto\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\foto casa\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Foto Giancarlo\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\furto max sub\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\genoni 02-10-04\Thumbs.db:
:encryptable:$DATA 0
.
C:\Documents and Settings\principale\Documenti\Immagini\Genoni 2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\giglio emanuele\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\imm.SFC quadro-p.rossa giugno 2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Immagine\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\immersione 14 settembre 2003 punta rossa\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\immersione a ponza 16-05-2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\immersione a torre fico 16-07-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\immersione al circeo 22-05-2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\immersione alla mattonata 18-07-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\immersione21 settembre 2003\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\ir\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\lavori a casa\il nostro nido\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\lavori a casa\il nostro nido\impianto elettrico casa- modifica bagni\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\lavori a casa\il nostro nido\impianto elettrico condizionatori- inizio rifiniture\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\lavori a casa\il nostro nido\pasquetta 2004- impianto idraulico casa\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\leonardo\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\mar rosso 21-28 nov 2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\miste\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\natale\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Natale 2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\natale 2005 pancioni maira e m.assuta\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\negozio 17-11-05\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\nevicata marzo 2005\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\p.rossa 17-08-04\Thumbs.db:
:encryptable:$DATA 0



C:\Documents and Settings\principale\Documenti\Immagini\Pancia Laura\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\ponza 11-08-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\ponza 22-07-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\ponza 29-08-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\posta fibreno 23-10-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\sperone 28-08-04\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\SUB NASCOSA\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\trieste 04-05-06 nov. 2005\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Ustica\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\ventotene 05-06 giugno 2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Immagini\Viaggio di Nozze a Cuba dal 14-02-05 al 01-03-05\Thumbs.db:
:encryptable:$DATA 0
.
C:\Documents and Settings\principale\Documenti\Listini e preventivi\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Max\Thumbs.db:
:encryptable:$DATA 0
.
C:\Documents and Settings\principale\Documenti\max sub 08 sett.2004\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Messaggi da e per DITTE\Thumbs.db:
:encryptable:$DATA 0
.
C:\Documents and Settings\principale\Documenti\Pinnacle Expression\Menu Backgrounds\Thumbs.db:
:encryptable:$DATA 0

C:\Documents and Settings\principale\Documenti\Video\Thumbs.db:
:encryptable:$DATA 0

Error opening C:\Documents and Settings\principale\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temp\~DF14E1.tmp:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temp\~DF5FC8.tmp:
Impossibile accedere al file. Il file è utilizzato da un altro processo.



C:\Documents and Settings\principale\Impostazioni locali\Temp\Directory temporanea 1 per Allegato_3_Dichiarazione_di_intenti_per_la_costituzione_in_ATI_LT(1)[1].zip\Allegato_3_Dichiarazione_di_intenti_per_la_costituzione_in_ATI_LT.doc:
:Zone.Identifier:$DATA 0

Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\4TKV47WZ\search[1].:
Impossibile trovare il file specificato.



C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\892ZK9YJ\AGGIORNAMENTO ANAGRAFICA.doc:
:Zone.Identifier:$DATA 26

Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\8NFZYG5H\search[1].:
Impossibile trovare il file specificato.



C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\B5ZUPI14\systemscan[1].exe:
:Zone.Identifier:$DATA 26

Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\EFQREX2F\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\ETSVQDQ5\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\EXJ89WJ6\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\GJTBU6BP\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\HR77T1OE\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\HZAEG1WU\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\MPROTO3U\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\OL6301EZ\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\TBBVX50E\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\U19UBAL0\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\WH2VG16N\search[1].:
Impossibile trovare il file specificato.



Error opening C:\Documents and Settings\principale\Impostazioni locali\Temporary Internet Files\Content.IE5\ZEWBVHKT\search[1].:
Impossibile trovare il file specificato.




...

...

...


Error opening C:\Programmi\File comuni\Services\AqW.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\aVUg.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\BbQ.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\BdV.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\bmJhP.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\bPX.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\bRl.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\BwaNR.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\bybZ.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\CcW.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\cfd.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\CmB.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\cpk.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\cwwHG.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\CWz.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\cxtUn.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\dHW.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\DiFBgk.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\ekGZR.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\EPx.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\eqe.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\fdIia.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\fqKWnU.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\FQzlal.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\FSkh.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\GBdlcY.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\GBMI.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\GfD.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\ghk.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\giB.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\GQb.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\HDY.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\hgACma.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\HHNpv.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\HZL.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\IgK.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\iHXo.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\iYD.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\Jfc.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\JhI.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\JPw.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\JqaSdY.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\jRG.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\kBmU.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\keL.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\kJv.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\KLLeyt.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\lCQ.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\LvFsb.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\mJG.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\MRm.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\mYsq.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\NGF.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\nHD.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\NikM.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\Nqm.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\NsN.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\nSuK.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\oUG.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\ouM.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\OvrL.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\OYh.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\POhEC.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\Pvf.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\pwrIk.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\qcPC.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\QEJFya.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\qmtLV.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\QnA.exe:
Accesso negato.



Error opening C:\Programmi\File comuni\Services\QnppX.exe:
Accesso negato.
maxilsub
Junior User

Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Post by BilloKenobi » 01/12/06 21:33

download this big package and unzip it... then go into Safe Mode and run the Symantec tool

http://www.mytempdir.com/1082740

then post on the forum the log it leaves in C:\FixLinkOpt
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior User

Posts: 348
Joined: 08/07/06 11:05

Post by maxilsub » 02/12/06 12:48

I tried doing as you say, but the moment I click Start the program launches and then stops. I tried several times and the same thing happens every time, and if I try to close it the caption (Not Responding) appears in the blue title bar of the window. To close everything I have to shut the PC down manually.
maxilsub
Junior User

Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Post by BilloKenobi » 02/12/06 13:18

did you start it from Safe Mode? (to get there you have to press F8 repeatedly when the PC boots, before the Microsoft logo appears; a simple menu will then appear where you select Safe Mode with the arrow keys and press Enter)

if it still doesn't work, try the Prevx one (it's the one with the alphanumeric name)... the Prevx tool leaves its log in C:\gromozon_removal.log. we need to unblock the use of Avenger (also included in the .zip file) to remove the infection completely...

otherwise (if even that doesn't work) install VirIt (also included in the zip file) and run it in Safe Mode. if it doesn't work, the instructions to unblock it are in the .zip file... ;)
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior User

Posts: 348
Joined: 08/07/06 11:05

Post by maxilsub » 05/12/06 18:04

Here is the Prevx log.


Removal tool loaded into memory
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: \\?\C:\WINDOWS\system32\lpt9.zxh
\\?\C:\WINDOWS\system32\lpt9.zxh
Resetting file permissions...
Clearing attributes...
Accesso negato - C:\_cleaned.tmp
Removing file...
Rootkit removed! Cleaning up...

Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\Services\AqW.exe
Removing protected file: C:\Programmi\File comuni\Services\aVUg.exe
Removing protected file: C:\Programmi\File comuni\Services\BbQ.exe
Removing protected file: C:\Programmi\File comuni\Services\BdV.exe
Removing protected file: C:\Programmi\File comuni\Services\bmJhP.exe
Removing protected file: C:\Programmi\File comuni\Services\bPX.exe
Removing protected file: C:\Programmi\File comuni\Services\bRl.exe
Removing protected file: C:\Programmi\File comuni\Services\BwaNR.exe
Removing protected file: C:\Programmi\File comuni\Services\bybZ.exe
Removing protected file: C:\Programmi\File comuni\Services\CcW.exe
Removing protected file: C:\Programmi\File comuni\Services\cfd.exe
Removing protected file: C:\Programmi\File comuni\Services\CmB.exe
Removing protected file: C:\Programmi\File comuni\Services\cpk.exe
Removing protected file: C:\Programmi\File comuni\Services\cwwHG.exe
Removing protected file: C:\Programmi\File comuni\Services\CWz.exe
Removing protected file: C:\Programmi\File comuni\Services\cxtUn.exe
Removing protected file: C:\Programmi\File comuni\Services\dHW.exe
Removing protected file: C:\Programmi\File comuni\Services\DiFBgk.exe
Removing protected file: C:\Programmi\File comuni\Services\ekGZR.exe
Removing protected file: C:\Programmi\File comuni\Services\EPx.exe
Removing protected file: C:\Programmi\File comuni\Services\eqe.exe
Removing protected file: C:\Programmi\File comuni\Services\fdIia.exe
Removing protected file: C:\Programmi\File comuni\Services\fqKWnU.exe
Removing protected file: C:\Programmi\File comuni\Services\FQzlal.exe
Removing protected file: C:\Programmi\File comuni\Services\FSkh.exe
Removing protected file: C:\Programmi\File comuni\Services\GBdlcY.exe
Removing protected file: C:\Programmi\File comuni\Services\GBMI.exe
Removing protected file: C:\Programmi\File comuni\Services\GfD.exe
Removing protected file: C:\Programmi\File comuni\Services\ghk.exe
Removing protected file: C:\Programmi\File comuni\Services\giB.exe
Removing protected file: C:\Programmi\File comuni\Services\GQb.exe
Removing protected file: C:\Programmi\File comuni\Services\HDY.exe
Removing protected file: C:\Programmi\File comuni\Services\hgACma.exe
Removing protected file: C:\Programmi\File comuni\Services\HHNpv.exe
Removing protected file: C:\Programmi\File comuni\Services\HZL.exe
Removing protected file: C:\Programmi\File comuni\Services\IgK.exe
Removing protected file: C:\Programmi\File comuni\Services\iHXo.exe
Removing protected file: C:\Programmi\File comuni\Services\iYD.exe
Removing protected file: C:\Programmi\File comuni\Services\Jfc.exe
Removing protected file: C:\Programmi\File comuni\Services\JhI.exe
Removing protected file: C:\Programmi\File comuni\Services\JPw.exe
Removing protected file: C:\Programmi\File comuni\Services\JqaSdY.exe
Removing protected file: C:\Programmi\File comuni\Services\jRG.exe
Removing protected file: C:\Programmi\File comuni\Services\kBmU.exe
Removing protected file: C:\Programmi\File comuni\Services\keL.exe
Removing protected file: C:\Programmi\File comuni\Services\kJv.exe
Removing protected file: C:\Programmi\File comuni\Services\KLLeyt.exe
Removing protected file: C:\Programmi\File comuni\Services\lCQ.exe
Removing protected file: C:\Programmi\File comuni\Services\LvFsb.exe
Removing protected file: C:\Programmi\File comuni\Services\mJG.exe
Removing protected file: C:\Programmi\File comuni\Services\MRm.exe
Removing protected file: C:\Programmi\File comuni\Services\mYsq.exe
Removing protected file: C:\Programmi\File comuni\Services\NGF.exe
Removing protected file: C:\Programmi\File comuni\Services\nHD.exe
Removing protected file: C:\Programmi\File comuni\Services\NikM.exe
Removing protected file: C:\Programmi\File comuni\Services\Nqm.exe
Removing protected file: C:\Programmi\File comuni\Services\Nqv.exe
Removing protected file: C:\Programmi\File comuni\Services\NsN.exe
Removing protected file: C:\Programmi\File comuni\Services\nSuK.exe
Removing protected file: C:\Programmi\File comuni\Services\oUG.exe
Removing protected file: C:\Programmi\File comuni\Services\ouM.exe
Removing protected file: C:\Programmi\File comuni\Services\OvrL.exe
Removing protected file: C:\Programmi\File comuni\Services\OYh.exe
Removing protected file: C:\Programmi\File comuni\Services\POhEC.exe
Removing protected file: C:\Programmi\File comuni\Services\Pvf.exe
Removing protected file: C:\Programmi\File comuni\Services\pwrIk.exe
Removing protected file: C:\Programmi\File comuni\Services\qcPC.exe
Removing protected file: C:\Programmi\File comuni\Services\QEJFya.exe
Removing protected file: C:\Programmi\File comuni\Services\qmtLV.exe
Removing protected file: C:\Programmi\File comuni\Services\QnA.exe
Removing protected file: C:\Programmi\File comuni\Services\QnppX.exe
Removing protected file: C:\Programmi\File comuni\Services\QqaEg.exe
Removing protected file: C:\Programmi\File comuni\Services\qvv.exe
Removing protected file: C:\Programmi\File comuni\Services\RBtv.exe
Removing protected file: C:\Programmi\File comuni\Services\rDYh.exe
Removing protected file: C:\Programmi\File comuni\Services\RTA.exe
Removing protected file: C:\Programmi\File comuni\Services\RTh.exe
Removing protected file: C:\Programmi\File comuni\Services\rxrEUj.exe
Removing protected file: C:\Programmi\File comuni\Services\SFx.exe
Removing protected file: C:\Programmi\File comuni\Services\sQV.exe
Removing protected file: C:\Programmi\File comuni\Services\SsZ.exe
Removing protected file: C:\Programmi\File comuni\Services\Swk.exe
Removing protected file: C:\Programmi\File comuni\Services\Swq.exe
Removing protected file: C:\Programmi\File comuni\Services\Syy.exe
Removing protected file: C:\Programmi\File comuni\Services\SZwCMt.exe
Removing protected file: C:\Programmi\File comuni\Services\tLO.exe
Removing protected file: C:\Programmi\File comuni\Services\TWm.exe
Removing protected file: C:\Programmi\File comuni\Services\UFXcS.exe
Removing protected file: C:\Programmi\File comuni\Services\UHI.exe
Removing protected file: C:\Programmi\File comuni\Services\ulS.exe
Removing protected file: C:\Programmi\File comuni\Services\uMy.exe
Removing protected file: C:\Programmi\File comuni\Services\URM.exe
Removing protected file: C:\Programmi\File comuni\Services\UUcio.exe
Removing protected file: C:\Programmi\File comuni\Services\UXXkv.exe
Removing protected file: C:\Programmi\File comuni\Services\VEf.exe
Removing protected file: C:\Programmi\File comuni\Services\vGqkEK.exe
Removing protected file: C:\Programmi\File comuni\Services\vPbaO.exe
Removing protected file: C:\Programmi\File comuni\Services\WmkO.exe
Removing protected file: C:\Programmi\File comuni\Services\wSS.exe
Removing protected file: C:\Programmi\File comuni\Services\XdouY.exe
Removing protected file: C:\Programmi\File comuni\Services\xIT.exe
Removing protected file: C:\Programmi\File comuni\Services\YeA.exe
Removing protected file: C:\Programmi\File comuni\Services\YJlEJW.exe
Removing protected file: C:\Programmi\File comuni\Services\ypA.exe
Removing protected file: C:\Programmi\File comuni\Services\YWR.exe
Removing protected file: C:\Programmi\File comuni\Services\YYf.exe
Removing protected file: C:\Programmi\File comuni\Services\Zcv.exe
Removing protected file: C:\Programmi\File comuni\Services\ZIQ.exe
Removing protected file: C:\Programmi\File comuni\Services\zMH.exe
Removing protected file: C:\Programmi\File comuni\Services\ZmvveP.exe
Removing protected file: C:\Programmi\File comuni\Services\ZoOuw.exe
Removing protected file: C:\Programmi\File comuni\Services\ZSI.exe
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\2.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\63.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\yblhq1.dll
Removed!


Trojan.Gromozon Removed!
maxilsub
Junior Member
 
Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Posted by maxilsub » 05/12/06 18:36

After using Prevx I tried to run the Symantec tool again and it started, analysing the PC.
I tried to reopen the HJT guide page but it closed.
maxilsub
Junior Member
 
Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Posted by maxilsub » 05/12/06 18:43

After using Prevx I tried to use the Symantec tool and it started; the analysis gave no result.
I tried to reopen HJT from the guides but the page closed again.
maxilsub
Junior Member
 
Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Posted by Luke57 » 05/12/06 19:06

Hi, download Avgpfix from here:
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP
and keep it aside.

Then open the system registry:
from START\RUN type regedit > OK

With the registry editor open, click the + sign next to each entry and follow this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon, click on this last folder
On the right-hand side you should find
UserInit= REG c:\windows\system32\userinit.exe,\"c:\windows\symantec-tool.exe\",
double-click the entry;
in the Edit String window that appears,
in the white box you will find:
c:\windows\system32\userinit.exe, c:\windows\symantec-tool.exe,
select
c:\windows\symantec-tool.exe, (comma included)
so as to leave in the box only:
c:\windows\system32\userinit.exe, (comma included)
press Delete > OK
(BE CAREFUL not to delete userinit.exe, or the computer will not restart).

Close the registry.

Make hidden files and folders visible:
from My Computer > Tools > Folder Options
Select View
Tick "Show hidden files and folders"
Untick "Hide protected operating system files"
Click OK

With Avgpfix, delete the following file:
c:\windows\symantec-tool.exe
Now try to run HijackThis and post the log.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10

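An added example (not from the thread, nor from HJT, Avgpfix or any other tool named here) for the Userinit check Luke57 walks through: it parses the Winlogon Userinit value, lists anything besides the system userinit.exe, and rebuilds the value with the trailing comma the post insists on. The sample values are the ones quoted in the thread and in the HJT log, reconstructed inline; read_live_userinit is an assumed helper that uses winreg and does nothing off Windows.

```python
"""Check the Winlogon Userinit value for appended (hijacked) entries.

Added example for Luke57's procedure above; not part of the thread or of any
tool it mentions. Sample values are reconstructed from the thread.
"""
import ntpath
import re
from typing import List, Optional

# Constructed samples, taken from the values quoted in the thread.
SAMPLE_INFECTED = r'c:\windows\system32\userinit.exe,"c:\windows\symantec-tool.exe",'
SAMPLE_CLEAN = r'c:\windows\system32\userinit.exe,'
SAMPLE_HJT_LOG = [
    "Logfile of HijackThis v1.99.1",
    r'F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\symantec-tool.exe",',
    "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE",
]

# Entries are comma-separated; a path may be wrapped in double quotes, as the
# appended one is here. The quoted alternative is tried first, so a comma
# inside quotes does not split an entry.
_ENTRY_RE = re.compile(r'"[^"]*"|[^,]+')
_HJT_F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value into its path entries, dropping empty ones
    (the trailing comma Windows expects yields no entry)."""
    entries = []
    for raw in _ENTRY_RE.findall(value):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def is_legit_userinit(entry: str, system_root: str = r"c:\windows") -> bool:
    """True only for the real userinit.exe in system32 under system_root.
    A basename-only check would accept a same-named binary elsewhere."""
    expected = ntpath.normpath(ntpath.join(system_root, "system32", "userinit.exe")).lower()
    candidate = entry.lower().replace("%systemroot%", system_root.lower())
    return ntpath.normpath(candidate) == expected


def extra_entries(value: str, system_root: str = r"c:\windows") -> List[str]:
    """Every entry that is not the legitimate userinit.exe: these are what
    the post has the user select and delete."""
    return [e for e in parse_userinit(value) if not is_legit_userinit(e, system_root)]


def sanitized_userinit(value: str, system_root: str = r"c:\windows") -> str:
    """Rebuild the value with only the legitimate entry, keeping the trailing
    comma. Refuses to return a value with no userinit.exe at all, since that
    is the case that leaves the machine unable to log on."""
    keep = [e for e in parse_userinit(value) if is_legit_userinit(e, system_root)]
    if not keep:
        raise ValueError("no legitimate userinit.exe entry found; not producing a value")
    return ",".join(keep) + ","


def userinit_from_hjt_log(lines: List[str]) -> Optional[str]:
    """Pull the UserInit value out of an HJT 'F2 - REG:system.ini' line."""
    for line in lines:
        m = _HJT_F2_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return None


def read_live_userinit() -> Optional[str]:
    """Assumed helper: read the live value via winreg; returns None off Windows."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def report(value: str) -> None:
    extras = extra_entries(value)
    print("Userinit:", value)
    if extras:
        print("  unexpected entries:", extras)
        print("  value to leave in the Edit String box:", sanitized_userinit(value))
    else:
        print("  only the system userinit.exe is present")


if __name__ == "__main__":
    report(SAMPLE_INFECTED)
    from_log = userinit_from_hjt_log(SAMPLE_HJT_LOG)
    if from_log:
        report(from_log)
    live = read_live_userinit()
    if live is not None:
        report(live)
```
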
Posted by maxilsub » 07/12/06 17:24

I finally managed it, and here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 17.17.34, on 07/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\PRINCI~1\IMPOST~1\Temp\Directory temporanea 1 per hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxsub.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aruba.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\symantec-tool.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0E20D0C1-8F6A-3854-73B0-B4EFBCBB7A60} - C:\WINDOWS\yblhq1.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: LG SyncManager.lnk = C:\Documents and Settings\principale\Desktop\Collegamenti desktop inutilizzati\LGSyncManager.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aruba.it
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSIns ... p?LANG=ita
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7161669765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E}: NameServer = 193.12.150.2 212.247.152.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WebDrk - Unknown owner - C:\Programmi\File comuni\Services\pBxw.exe (file missing)
maxilsub
Junior Member
 
Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Posted by BilloKenobi » 08/12/06 08:31

download this

http://www.mytempdir.com/1088004

press scan and then post the log here
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior Member
 
Posts: 348
Joined: 08/07/06 11:05

Posted by maxilsub » 09/12/06 11:05

Systemscan - http://www.suspectfile.com

Date: 09/12/2006
Time: 10.34.49,39

Output limited to:
-Recent files
-Registry Run Keys
-Running Services
-Loaded Dlls
-Alternate Data Sreams
-Encrypted Files
-Hidden files

-------------Users folders -------------

Directory di C:\documents and settings

18/01/2006 16.47 <DIR> Administrator
02/12/2006 10.28 <DIR> Administrator.MAXNEGOZIO
28/04/2005 15.45 <DIR> All Users
28/04/2005 15.45 <DIR> Default User
22/08/2006 18.17 <DIR> LocalService
16/08/2006 15.16 <DIR> NetworkService
07/12/2006 17.11 <DIR> principale

-------------Recent files (60 days) -------------
NOTE: searched only in C:, C:\WINDOWS, C:\WINDOWS\system32, C:\Programmi\File comuni, C:\WINDOWS\temp



Directory di C:\


07/12/2006 17.12 <DIR> WINDOWS
09/12/2006 10.34 <DIR> suspectfile
02/12/2006 10.28 <DIR> Documents and Settings
09/12/2006 09.31 <DIR> Programmi
05/12/2006 17.43 8.451 gromozon_removal.log


Directory di C:\WINDOWS


14/10/2006 11.58 <DIR> WinSxS
09/12/2006 09.50 <DIR> Temp
09/12/2006 10.24 <DIR> system32
28/11/2006 18.37 <DIR> SoftwareDistribution
29/11/2006 18.22 <DIR> AppPatch
07/12/2006 17.17 <DIR> Prefetch
16/11/2006 18.38 <DIR> Debug
16/11/2006 16.27 <DIR> msagent
29/11/2006 19.41 <DIR> Internet Logs
13/11/2006 16.57 4.132 ModemLog_SoftK56 Data Fax.txt
29/11/2006 18.21 32 pavsig.txt
13/10/2006 17.40 1.409 QTFont.for
07/12/2006 19.33 32.616 SchedLgU.Txt
25/11/2006 11.27 81.998 69.tmp
21/11/2006 16.14 82.055 3.tmp
09/12/2006 09.30 159 wiadebug.log
09/12/2006 09.30 50 wiaservc.log
28/11/2006 18.10 1.090 win.ini
07/12/2006 19.33 1.640.586 WindowsUpdate.log
09/12/2006 09.30 0 0.log
27/10/2006 11.24 754 WORDPAD.INI


Directory di C:\WINDOWS\system32


28/11/2006 18.40 <DIR> wbem
29/11/2006 18.22 <DIR> ActiveScan
21/11/2006 16.14 <DIR> LogFiles
05/12/2006 17.35 <DIR> drivers
28/11/2006 18.37 <DIR> config
02/12/2006 17.36 <DIR> CatRoot2
28/11/2006 18.10 0 asfiles.txt
29/11/2006 18.21 1.406 Help.ico
21/11/2006 16.27 274.432 imon.dll
05/12/2006 14.12 227 imon1.dat
08/11/2006 02.38 10.342.824 MRT.exe
13/10/2006 13.35 64.000 nwapi32.dll
13/10/2006 13.35 143.360 nwprovau.dll
13/10/2006 13.35 65.536 nwwks.dll
29/11/2006 18.21 30.590 pavas.ico
30/10/2006 16.28 39.992 perfc009.dat
30/10/2006 16.28 47.592 perfc010.dat
30/10/2006 16.28 311.604 perfh009.dat
30/10/2006 16.28 345.010 perfh010.dat
30/10/2006 16.28 751.592 PerfStringBackup.INI
29/11/2006 18.21 2.550 Uninstall.ico
09/12/2006 09.31 12.714 wpa.dbl
16/10/2006 11.40 121.344 xpsp3res.dll


Directory di C:\Programmi\File comuni


05/12/2006 17.36 <DIR> Services
29/11/2006 18.32 <DIR> Symantec Shared


Directory di C:\WINDOWS\temp


09/12/2006 10.21 255 WGAErrLog.txt
09/12/2006 09.32 409 WGANotify.settings
07/12/2006 10.41 0 exp1A.tmp



-------------HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows-------------

[Windows]

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"Shell"="Explorer.exe"
"System"=""
"Userinit"="c:\windows\system32\userinit.exe,\"c:\windows\symantec-tool.exe\","
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"forceunlocklogon"=dword:00000000
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=expand:"logonui.exe"
"LogonType"=dword:00000001
"Background"="0 0 0"
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001

[Winlogon\GPExtensions]

[Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Senza fili"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"DllName"=expand:"fdeploy.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Quota disco Microsoft"
"DllName"=expand:"dskquota.dll"

[Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="Utilità di pianificazione pacchetti QoS"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Script"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Mapping aree Internet Explorer"
"DllName"=expand:"iedkcs32.dll"

[Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"

[Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=expand:"iedkcs32.dll"
@="Personalizzazione Internet Explorer"

[Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
@="EFS recovery"

[Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Installazione software"
"DllName"=expand:"appmgmts.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="Protezione IP"
"DllName"=expand:"gptext.dll"

[Winlogon\Notify]

[Winlogon\Notify\crypt32chain]
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[Winlogon\Notify\cryptnet]
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"StartShell"="WinlogonStartShellEvent"

[Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001

[Winlogon\Notify\Schedule]
"DllName"=expand:"wlnotify.dll"
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"DllName"=expand:"sclgntfy.dll"

[Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"

[Winlogon\Notify\termsrv]
"DllName"=expand:"wlnotify.dll"
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"
"Event"=dword:00000000

[Winlogon\Notify\WgaLogon\Settings]

[Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"

[Winlogon\SpecialAccounts]

[Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"sFz"=dword:00000000

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"ExcludeProfileDirs"="Impostazioni locali;Temporary Internet Files;Cronologia;Temp"
"BuildNumber"=dword:00000a28

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]
"SoundMan"="SOUNDMAN.EXE"
"SO5 Integrator Pass Two"="C:\WINDOWS\SOINTGR.EXE"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe"
"ccApp"="\"C:\Programmi\File comuni\Symantec Shared\ccApp.exe\""
"QuickTime Task"="\"C:\Programmi\QuickTime\qttask.exe\" -atboottime"
"Easy-PrintToolBox"="C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon"
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer"
"nod32kui"="\"C:\Programmi\Eset\nod32kui.exe\" /WAITSERVICE"

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

[RunOnce]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

[RunOnceEx]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

[Runonce]

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects-------------

[Browser Helper Objects]

[Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
#### HKCR\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32 @="C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"

[Browser Helper Objects\{0E20D0C1-8F6A-3854-73B0-B4EFBCBB7A60}]
#### HKCR\CLSID\{0E20D0C1-8F6A-3854-73B0-B4EFBCBB7A60}\InprocServer32 @="C:\WINDOWS\yblhq1.dll"
@=""

-------------HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks-------------

-------------HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks-------------

[ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
#### HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32 @="shell32.dll"

-------------HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List-------------

[List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe"="C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX"

-------------HKLM\SYSTEM\ControlSet001\Control\Lsa-------------

[Lsa]
"Authentication Packages"=multi:"msv1_0\00\00"
"Bounds"=hex:00,30,00,00,00,20,00,00
"LsaPid"=dword:00000334
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=multi:"\00:\WINDOW\00scecli\00\00"

[Lsa\AccessProviders]
"ProviderOrder"=multi:"Windows NT Access Provider\00\00"

[Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=expand:"%SystemRoot%\system32\ntmarta.dll"

[Lsa\Audit]

[Lsa\Audit\PerUserAuditing]

[Lsa\Audit\PerUserAuditing\System]

[Lsa\Data]
@Class="caa93760"
"Pattern"=hex:69,50,cf,6d,dc,82,4f,f3,e4,95,b5,ed,3a,d4,17,8e,63,61,61,39,33,\
37,36,30,00,67,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
53,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,a1,50,76,64

[Lsa\GBG]
@Class="a18cfe2d"
"GrafBlumGroup"=hex:d0,5b,78,4e,82,18,1b,b2,f1

[Lsa\JD]
@Class="5b2864e0"
"Lookup"=hex:d9,fd,28,3e,75,ed

[Lsa\Kerberos]

[Lsa\Kerberos\Domains]

[Lsa\Kerberos\SidCache]

[Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[Lsa\Skew1]
@Class="765040b4"
"SkewMatrix"=hex:57,0b,47,46,85,f0,37,31,26,e8,8b,cf,dd,3e,f6,a4

[Lsa\SSO]

[Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[Lsa\SspiCache]
"Time"=hex:7c,2f,fa,9a,2d,ad,c4,01

[Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"RpcId"=dword:0000ffff
"Time"=hex:00,61,92,55,3d,86,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"RpcId"=dword:00000011
"Time"=hex:00,42,88,5b,3d,86,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"RpcId"=dword:00000012
"Time"=hex:80,d8,20,5c,3d,86,c4,01
"Type"=dword:00000031

-------------HKLM\SYSTEM\ControlSet001\Services\SharedAccess-------------

[SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"=expand:"%SystemRoot%\System32\svchost.exe -k netsvcs"
"DisplayName"="Windows Firewall / Condivisione connessione Internet (ICS)"
"ObjectName"="LocalSystem"
"Description"="Fornisce servizi di conversione indirizzi di rete, indirizzamento e risoluzione nomi e/o servizi di prevenzione intrusione per una rete domestica o una piccola rete aziendale."

[SharedAccess\Epoch]
"Epoch"=dword:00000a9d

[SharedAccess\Parameters]
"ServiceDll"=expand:"%SystemRoot%\System32\ipnathlp.dll"

[SharedAccess\Parameters\FirewallPolicy]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe"="C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"

[SharedAccess\Security]

[SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{9D59D87B-9505-4663-97CA-6BF099E19F54}"=dword:00000001
"{830950E6-9F7E-4A2F-B58F-D5876276CD0E}"=dword:00000001
"{CB782C52-6B4F-41DF-874B-0F2A1F04DE5E}"=dword:00000001
"{04B55052-C760-4D35-9BE1-05CE60F14CA8}"=dword:00000001

-------------HKLM\Software\Microsoft\Ole-------------

[Ole]
"EnableDCOM"="Y"

[Ole\AppCompat]

[Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

-------------HKEY_CLASSES_ROOT\exefile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\comfile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\batfile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\piffile\shell\open\command-------------

@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\scrFile\shell\open\command-------------

@="\"%1\" /S"

-------------HKEY_CLASSES_ROOT\htafile\shell\open\command-------------

@="C:\WINDOWS\System32\mshta.exe \"%1\" %*"

-------------HKEY_CLASSES_ROOT\logfile\shell\open\command-------------

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler-------------

[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
#### HKCR\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InprocServer32 @=expand:"%SystemRoot%\System32\browseui.dll"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"
#### HKCR\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InprocServer32 @=expand:"%SystemRoot%\System32\browseui.dll"

-------------HKLM\Software\Microsoft\Active Setup\Installed Components-------------

[Installed Components]

[Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"Stubpath"="C:\WINDOWS\inf\unregmp2.exe /ShowWMP"
@="Windows Media Player"
"ComponentID"="WMPACCESS"

[Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
@="Internet Explorer"
"ComponentID"="IEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE"

[Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
@="Personalizzazione del browser"
"ComponentID"="BRANDING.CAB"
"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"

[Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
@="Outlook Express"
"ComponentID"="OEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE"

[Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}]
#### HKCR\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}\InprocServer32 @="C:\Programmi\Viewpoint\Viewpoint Media Player\AxMetaStream.dll"
@="Viewpoint Media Player"
"ComponentID"="Viewpoint"

[Installed Components\{057997dd-71e4-43cc-b161-3f8180691a9e}]
@="Q824145"
"ComponentID"="Q824145"

[Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
@="Microsoft VM"
"ComponentID"="JAVAVM"
"KeyFileName"="C:\WINDOWS\System32\msjava.dll"

[Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
@="Rendering grafica vettoriale (VML)"
"ComponentID"="MSVML"

[Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}]
#### HKCR\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}\InprocServer32 @="C:\Programmi\Viewpoint\Viewpoint Media Player\AxMetaStream.dll"
@="Viewpoint Media Player"
"ComponentID"="Viewpoint"

[Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
#### HKCR\CLSID\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
@=""
"ComponentID"="NetShow"
"StubPath"=""

[Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"ComponentID"="Windows Media Player"
"StubPath"=""
@="Microsoft Windows Media Player 6.4"

[Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}]
@="Q324929"
"ComponentID"="Q324929"

[Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
#### HKCR\CLSID\{283807B5-2C60-11D0-A31D-00AA00B92C03}\InprocServer32 @="C:\WINDOWS\System32\danim.dll"
@="DirectAnimation"
"ComponentID"="DirectAnimation"

[Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"ComponentID"="Theme Component"
"StubPath"=expand:"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll"

[Installed Components\{2cc9d512-6db6-4f1c-8979-9a41fae88de0}]
@="Q837009"
"ComponentID"="Q837009"

[Installed Components\{2eac6a2d-57a8-44d4-96f7-e32bab40ca5f}]
@="Windows Update"
"ComponentID"="Windows XP Application Compatibility Update"

[Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
@="Binding dati Dynamic HTML per Java"
"ComponentID"="TridataJava"

[Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}]
@="Q822925"
"ComponentID"="Q822925"

[Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]
@="Modulo ricerca non in linea"
"ComponentID"="MobilePk"

[Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
@="Uniscribe"
"ComponentID"="USP10"

[Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}]
@="KB834707"
"ComponentID"="KB834707"

[Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}]
@="Creazione avanzata"
"ComponentID"="AdvAuth"

[Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Outlook Express 6"
"ComponentID"="MailNews"
"CloneUser"=dword:00000001
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"

[Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
@="NetMeeting 3.01"
"ComponentID"="NetMeeting"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT"

[Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
@="DirectShow"
"ComponentID"="activemovie"

[Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
@="DirectDrawEx"
"ComponentID"="DirectDrawEx"

[Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
@="Guida di Internet Explorer"
"ComponentID"="HelpCont"

[Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
@="Classi Java DirectAnimation"
"ComponentID"="DAJava"

[Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
@="Microsoft Windows Script 5.6"
"ComponentID"="MSVBScript"

[Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
"ComponentID"="Messenger"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser"
@="Windows Messenger 4.7"
"KeyFileName"="C:\Programmi\Messenger\msmsgs.exe"

[Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
"(Default)"="Internet Connection Wizard"
"ComponentID"="ICW"

[Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
@="Strumenti di installazione di Internet Explorer"
"ComponentID"="GenSetup"

[Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
@="Miglioramenti sfoglia"
"ComponentID"="ExtraPack"
"KeyFileName"="C:\WINDOWS\System32\msieftp.dll"

[Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
#### HKCR\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32 @="C:\WINDOWS\system32\wmp.dll"
@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub"

[Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
@="Accesso sito MSN"
"ComponentID"="MSN_Auth"

[Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
@="Rubrica 6"
"ComponentID"="WAB"
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"ComponentID"="IE4Shell_NT"
"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Internet Explorer 6"
"ComponentID"="BASEIE40_W2K"
"StubPath"=expand:"%SystemRoot%\system32\ie4uinit.exe"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix]

[Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
@="Binding dati Dynamic HTML"
"ComponentID"="Tridata"

[Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}]
@="Q828750"
"ComponentID"="Q828750"

[Installed Components\{C34F4917-ED43-439f-9023-97B0024A2B3B}]
@="Q810847"
"ComponentID"="Q810847"

[Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]
@="Font principali di Internet Explorer"
"ComponentID"="Fontcore"

[Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
@="Utilità di pianificazione"
"ComponentID"="MSTASK"

[Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
"ComponentID"="Windows Movie Maker v2.1"

[Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@="Adobe Flash Player 9 ActiveX"
"ComponentID"="Flash"

[Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
@="Guida HTML"
"ComponentID"="HTMLHelp"

[Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]
@="Active Directory Service Interface"
"ComponentID"="ADSI"

[Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}]
@="Q832894"
"ComponentID"="Q832894"

[Installed Components\{F5776D81-AE53-4935-8E84-B0B283D8BCEF}]
@="Q330994"
"ComponentID"="Q330994"

[Installed Components\{f5de1b93-9d38-416b-b09e-aa85a8e84309}]
@="Q818529"
"ComponentID"="Q818529"

[Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}]
@="Q813489"
"ComponentID"="Q813489"

-------------Comparing registry keys CCS1 vs CCS2 -------------
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services

Result compared: Identical


-------------Comparing registry keys CCS1 vs CCS3 -------------
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Dhcp\Parameters {D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} REG_BINARY 0F000000000000000000000000000000DA747A45F9000000000000000000000000000000DA747A4501000000000000000000000000000000DA747A452B000000000000000000000000000000DA747A452C000000000000000000000000000000DA747A4506000000000000000000000000000000DA747A45
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Dhcp\Parameters {D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} REG_BINARY 0F000000000000000000000000000000B03D7845F9000000000000000000000000000000B03D784501000000000000000000000000000000B03D78452B000000000000000000000000000000B03D78452C000000000000000000000000000000B03D784506000000000000000000000000000000B03D7845
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\DS
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\LSA
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\NetDDE Object
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\SC Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Security Account Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Spooler
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\HTTP\Parameters\Synchronize
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\MRxDAV\EncryptedDirectories
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\mssmbios\Data
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\NetBT\Parameters\Interfaces\Tcpip_{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NetbiosOptions REG_DWORD 2 (0x2)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 2717 (0xA9D)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess\Epoch Epoch REG_DWORD 2713 (0xA99)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NTEContextList REG_MULTI_SZ 0x00000003\0\0
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NTEContextList REG_MULTI_SZ \0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpIPAddress REG_SZ 83.181.229.242
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpIPAddress REG_SZ 0.0.0.0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpSubnetMask REG_SZ 255.255.255.255
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} DhcpSubnetMask REG_SZ 0.0.0.0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NameServer REG_SZ 193.12.150.2 212.247.152.2
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Tcpip\Parameters\Interfaces\{D4A48BBA-CE88-4BFC-B7CF-FC8DF57B125E} NameServer REG_SZ
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\WebDrk\Security

Result compared: Different


-------------List of running services -------------
Unable to enumerate available services on Windows system. (Get query)

SYSTEM SAYS: Sono disponibili altri dati.



..:: BOOT REGISTRY ::..

0) "SoundMan"
---> TYPE = String
---> CMD = SOUNDMAN.EXE
---> FILE = SOUNDMAN.EXE

1) "SO5 Integrator Pass Two"
---> TYPE = String
---> CMD = C:\WINDOWS\SOINTGR.EXE
---> FILE = C:\WINDOWS\sointgr.exe

2) "GSICONEXE"
---> TYPE = String
---> CMD = GSICON.EXE
---> FILE = C:\WINDOWS\GSICON.EXE

3) "DSLAGENTEXE"
---> TYPE = String
---> CMD = dslagent.exe USB
---> FILE = C:\WINDOWS\dslagent.exe USB

4) "PinnacleDriverCheck"
---> TYPE = String
---> CMD = C:\WINDOWS\System32\PSDrvCheck.exe
---> FILE = C:\WINDOWS\System32\PSDrvCheck.exe

5) "ccApp"
---> TYPE = String
---> CMD = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
---> FILE = C:\Programmi\File comuni\Symantec Shared\CCAPP.EXE

6) "QuickTime Task"
---> TYPE = String
---> CMD = "C:\Programmi\QuickTime\qttask.exe" -atboottime
---> FILE = (NOT EXISTS)

7) "Easy-PrintToolBox"
---> TYPE = String
---> CMD = C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
---> FILE = C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

8) "Symantec NetDriver Monitor"
---> TYPE = String
---> CMD = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
---> FILE = C:\PROGRA~1\SYMNET~1\SNDMon.exe

9) "nod32kui"
---> TYPE = String
---> CMD = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
---> FILE = (NOT EXISTS)



-------------loaded Dlls -------------
NOTE: already known legit dlls are not shown



------------------------------------------------------------------------------
System pid: 4
Command line: <no command line>

------------------------------------------------------------------------------
smss.exe pid: 452
Command line: \SystemRoot\System32\smss.exe

Base Size Version Path
0x48580000 0xf000 \SystemRoot\System32\smss.exe

------------------------------------------------------------------------------
csrss.exe pid: 740
Command line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Base Size Version Path
0x4a680000 0x5000 \??\C:\WINDOWS\system32\csrss.exe
0x75af0000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\CSRSRV.dll
0x75b00000 0x10000 5.01.2600.2180 C:\WINDOWS\system32\basesrv.dll
0x75b10000 0x4a000 5.01.2600.2751 C:\WINDOWS\system32\winsrv.dll

------------------------------------------------------------------------------
winlogon.exe pid: 764
Command line: winlogon.exe

Base Size Version Path
0x01000000 0x80000 \??\C:\WINDOWS\system32\winlogon.exe
0x77690000 0x11000 5.01.2600.2622 C:\WINDOWS\system32\AUTHZ.dll
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x01210000 0xae000 1.05.0540.0000 C:\WINDOWS\system32\WgaLogon.dll
0x76e50000 0x12000 5.01.2600.2180 C:\WINDOWS\system32\rasman.dll
0x76e70000 0x2f000 5.01.2600.2180 C:\WINDOWS\system32\TAPI32.dll
0x76ae0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL

------------------------------------------------------------------------------
services.exe pid: 808
Command line: C:\WINDOWS\system32\services.exe

Base Size Version Path
0x01000000 0x1c000 5.01.2600.2180 C:\WINDOWS\system32\services.exe
0x77b40000 0x53000 5.01.2600.2180 C:\WINDOWS\system32\SCESRV.dll
0x77690000 0x11000 5.01.2600.2622 C:\WINDOWS\system32\AUTHZ.dll
0x7dbb0000 0x21000 5.01.2600.2744 C:\WINDOWS\system32\umpnpmgr.dll
0x5fbb0000 0xc000 5.01.2600.2180 C:\WINDOWS\system32\NCObjAPI.DLL
0x76030000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x772d0000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\eventlog.dll

------------------------------------------------------------------------------
lsass.exe pid: 820
Command line: C:\WINDOWS\system32\lsass.exe

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\lsass.exe
0x753e0000 0xb5000 5.01.2600.2976 C:\WINDOWS\system32\LSASRV.dll
0x76760000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll
0x76ee0000 0x27000 5.01.2600.2938 C:\WINDOWS\system32\DNSAPI.dll
0x743d0000 0x6e000 5.01.2600.2180 C:\WINDOWS\system32\SAMSRV.dll
0x76750000 0xc000 5.01.2600.2180 C:\WINDOWS\system32\cryptdll.dll
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x20000000 0xe000 5.01.2600.2180 C:\WINDOWS\system32\msprivs.dll
0x71c80000 0x4b000 5.01.2600.2698 C:\WINDOWS\system32\kerberos.dll
0x74440000 0x65000 5.01.2600.2180 C:\WINDOWS\system32\netlogon.dll
0x76780000 0x2d000 5.01.2600.2180 C:\WINDOWS\system32\w32time.dll
0x76030000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll
0x767b0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\schannel.dll
0x74300000 0xf000 5.01.2600.2180 C:\WINDOWS\system32\wdigest.dll
0x74390000 0x30000 5.01.2600.2180 C:\WINDOWS\system32\scecli.dll
0x74360000 0x30000 5.01.2600.2180 C:\WINDOWS\system32\ipsecsvc.dll
0x77690000 0x11000 5.01.2600.2622 C:\WINDOWS\system32\AUTHZ.dll
0x756d0000 0xce000 5.01.2600.2180 C:\WINDOWS\system32\oakley.DLL
0x742f0000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\WINIPSEC.DLL
0x20b00000 0x46000 2.51.0030.0000 C:\WINDOWS\system32\imon.dll
0x20c00000 0xc000 C:\Programmi\Eset\pr_imon.dll
0x719d0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x66750000 0x58000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
0x71a10000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x68100000 0x24000 5.01.2600.2133 C:\WINDOWS\system32\dssenh.dll
0x74320000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\pstorsvc.dll
0x74340000 0x1b000 5.01.2600.2180 C:\WINDOWS\system32\psbase.dll

------------------------------------------------------------------------------
svchost.exe pid: 964
Command line: C:\WINDOWS\system32\svchost -k DcomLaunch

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x76a40000 0x63000 5.01.2600.2726 c:\windows\system32\rpcss.dll
0x766c0000 0x54000 5.01.2600.2180 c:\windows\system32\termsrv.dll
0x74f00000 0x6000 5.01.2600.2180 c:\windows\system32\ICAAPI.dll
0x77690000 0x11000 5.01.2600.2622 c:\windows\system32\AUTHZ.dll
0x750a0000 0x1f000 5.01.2600.2180 c:\windows\system32\mstlsapi.dll
0x76ae0000 0x11000 3.05.2284.0000 c:\windows\system32\ATL.DLL

------------------------------------------------------------------------------
svchost.exe pid: 1024
Command line: C:\WINDOWS\system32\svchost -k rpcss

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x76a40000 0x63000 5.01.2600.2726 c:\windows\system32\rpcss.dll
0x719d0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x20b00000 0x46000 2.51.0030.0000 C:\WINDOWS\system32\imon.dll
0x20c00000 0xc000 C:\Programmi\Eset\pr_imon.dll
0x66750000 0x58000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
0x71a10000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x76ee0000 0x27000 5.01.2600.2938 C:\WINDOWS\system32\DNSAPI.dll
0x76f70000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\winrnr.dll
0x76f80000 0x6000 5.01.2600.2938 C:\WINDOWS\system32\rasadhlp.dll

------------------------------------------------------------------------------
svchost.exe pid: 1072
Command line: C:\WINDOWS\System32\svchost.exe -k netsvcs

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\svchost.exe
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\System32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x76d40000 0x1e000 5.01.2600.2912 c:\windows\system32\dhcpcsvc.dll
0x76ee0000 0x27000 5.01.2600.2938 c:\windows\system32\DNSAPI.dll
0x775f0000 0x6e000 5.01.2600.2180 c:\windows\system32\wzcsvc.dll
0x76cf0000 0x4000 5.01.2600.2180 c:\windows\system32\WMI.dll
0x5e270000 0x10f000 5.01.2600.2780 c:\windows\system32\ESENT.dll
0x76ae0000 0x11000 3.05.2284.0000 c:\windows\system32\ATL.DLL
0x663e0000 0xc000 5.01.2600.2180 c:\windows\system32\irmon.dll
0x719d0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x66750000 0x58000 5.01.2600.2180 C:\WINDOWS\System32\hnetcfg.dll
0x59100000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\wshirda.dll
0x76b90000 0x1f000 5.01.2600.2180 C:\WINDOWS\System32\rastls.dll
0x76890000 0x83000 5.131.2600.2180 C:\WINDOWS\system32\CRYPTUI.dll
0x76e50000 0x12000 5.01.2600.2180 C:\WINDOWS\System32\rasman.dll
0x76e70000 0x2f000 5.01.2600.2180 C:\WINDOWS\System32\TAPI32.dll
0x767b0000 0x27000 5.01.2600.2180 C:\WINDOWS\System32\SCHANNEL.dll
0x76ca0000 0x14000 5.01.2600.2180 C:\WINDOWS\System32\raschap.dll
0x76840000 0x33000 5.01.2600.2180 c:\windows\system32\schedsvc.dll
0x76760000 0x13000 5.01.2600.2180 c:\windows\system32\NTDSAPI.dll
0x74ee0000 0x5000 6.00.2900.2180 C:\WINDOWS\System32\MSIDLE.DLL
0x70de0000 0xd000 5.01.2600.2180 c:\windows\system32\audiosrv.dll
0x76e00000 0x23000 5.01.2600.2976 c:\windows\system32\wkssvc.dll
0x76cd0000 0x12000 5.01.2600.2180 c:\windows\system32\cryptsvc.dll
0x76b30000 0x32000 5.01.2600.2180 c:\windows\system32\certcli.dll
0x776e0000 0x41000 2001.12.4414.0308 c:\windows\system32\es.dll
0x74f20000 0x9000 2600.2180.0503.0000 c:\windows\system32\dmserver.dll
0x74ed0000 0xc000 5.01.2600.2180 c:\windows\pchealth\helpctr\binaries\pchsvc.dll
0x75020000 0x1a000 5.01.2600.2577 c:\windows\system32\srvsvc.dll
0x77cd0000 0x33000 5.01.2600.2743 c:\windows\system32\netman.dll
0x763b0000 0x1a9000 5.01.2600.2180 c:\windows\system32\netshell.dll
0x76bc0000 0x2e000 5.01.2600.2180 c:\windows\system32\credui.dll
0x72fa0000 0x10000 5.01.2600.2180 c:\windows\system32\WZCSAPI.DLL
0x73c90000 0x8000 5.01.2600.2180 c:\windows\system32\seclogon.dll
0x72260000 0xd000 5.01.2600.2180 c:\windows\system32\sens.dll
0x75130000 0x2e000 5.01.2600.2180 c:\windows\system32\srsvc.dll
0x74a60000 0x8000 6.00.2900.2180 c:\windows\system32\POWRPROF.dll
0x75000000 0x19000 5.01.2600.2180 c:\windows\system32\trkwks.dll
0x4f120000 0x28000 5.01.2600.2180 c:\windows\system32\wbem\wmisvc.dll
0x75370000 0x6d000 5.01.2600.2180 C:\WINDOWS\system32\VSSAPI.DLL
0x50000000 0x5000 5.04.3790.2180 c:\windows\system32\wuauserv.dll
0x50040000 0x14a000 5.08.0000.2469 C:\WINDOWS\system32\wuaueng.dll
0x751f0000 0x29000 6.00.2900.2180 C:\WINDOWS\System32\ADVPACK.dll
0x76740000 0x9000 6.00.2900.2180 C:\WINDOWS\System32\SHFOLDER.dll
0x4d530000 0x58000 5.01.2600.2180 C:\WINDOWS\System32\WINHTTP.dll
0x750e0000 0x14000 5.01.2600.2180 C:\WINDOWS\System32\Cabinet.dll
0x604f0000 0xb000 5.01.2600.2180 C:\WINDOWS\System32\mspatcha.dll
0x4c0e0000 0x17000 5.01.2600.2180 c:\windows\system32\wscsvc.dll
0x75220000 0x37000 5.01.2600.2180 C:\WINDOWS\System32\wbem\wbemcomn.dll
0x76630000 0x85000 5.01.2600.2180 C:\WINDOWS\System32\Wbem\wbemcore.dll
0x76030000 0x65000 6.02.3104.0000 C:\WINDOWS\System32\MSVCP60.dll
0x752a0000 0x3f000 5.01.2600.2180 C:\WINDOWS\System32\Wbem\esscli.dll
0x75630000 0x76000 5.01.2600.2180 C:\WINDOWS\System32\Wbem\FastProx.dll
0x66910000 0x56000 5.01.2600.2180 c:\windows\system32\ipnathlp.dll
0x77690000 0x11000 5.01.2600.2622 c:\windows\system32\AUTHZ.dll
0x760a0000 0x13c000 2001.12.4414.0308 C:\WINDOWS\system32\comsvcs.dll
0x750c0000 0x14000 2001.12.4414.0308 C:\WINDOWS\system32\colbact.DLL
0x75080000 0x13000 2001.12.4414.0311 C:\WINDOWS\system32\MTXCLU.DLL
0x76d60000 0x11000 5.01.2600.2180 C:\WINDOWS\System32\CLUSAPI.DLL
0x75040000 0x12000 5.01.2600.2180 C:\WINDOWS\System32\RESUTILS.DLL
0x772f0000 0x15000 5.01.2600.2180 c:\windows\system32\browser.dll
0x71a10000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x74fb0000 0x1c000 5.01.2600.2180 C:\WINDOWS\System32\wbem\wmiutils.dll
0x75190000 0x2e000 5.01.2600.2180 C:\WINDOWS\System32\wbem\repdrvfs.dll
0x59bd0000 0x6d000 5.01.2600.2180 C:\WINDOWS\System32\wbem\wmiprvsd.dll
0x5fbb0000 0xc000 5.01.2600.2180 C:\WINDOWS\system32\NCObjAPI.DLL
0x75320000 0x46000 5.01.2600.2180 C:\WINDOWS\System32\wbem\wbemess.dll
0x20b00000 0x46000 2.51.0030.0000 C:\WINDOWS\system32\imon.dll
0x20c00000 0xc000 C:\Programmi\Eset\pr_imon.dll
0x5fb80000 0xe000 5.01.2600.2180 C:\WINDOWS\System32\wbem\ncprov.dll
0x76f80000 0x6000 5.01.2600.2938 C:\WINDOWS\System32\rasadhlp.dll
0x7dee0000 0x31000 5.01.2600.2936 C:\WINDOWS\System32\rasmans.dll
0x742f0000 0xb000 5.01.2600.2180 C:\WINDOWS\System32\WINIPSEC.DLL
0x75590000 0x9c000 5.01.2600.2180 C:\WINDOWS\System32\netcfgx.dll
0x73350000 0x40000 5.01.2600.2716 c:\windows\system32\tapisrv.dll
0x75ef0000 0x11000 5.01.2600.2180 C:\WINDOWS\System32\rastapi.dll
0x58080000 0x36000 5.01.2600.2180 C:\WINDOWS\System32\unimdm.tsp
0x71f90000 0x7000 5.01.2600.2180 C:\WINDOWS\System32\uniplat.dll
0x5b480000 0x16000 5.01.2600.2180 C:\WINDOWS\System32\unimdmat.dll
0x58100000 0xb000 5.01.2600.2180 C:\WINDOWS\System32\kmddsp.tsp
0x580e0000 0x10000 5.01.2600.2180 C:\WINDOWS\System32\ndptsp.tsp
0x58110000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\ipconf.tsp
0x58130000 0x46000 5.01.2600.2180 C:\WINDOWS\System32\h323.tsp
0x58120000 0xa000 5.01.2600.2180 C:\WINDOWS\System32\hidphone.tsp
0x68dd0000 0x9000 5.01.2600.2180 C:\WINDOWS\System32\HID.DLL
0x721d0000 0x35000 5.01.2600.2180 C:\WINDOWS\System32\rasppp.dll
0x72420000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\ntlsapi.dll
0x71c80000 0x4b000 5.01.2600.2698 C:\WINDOWS\system32\kerberos.dll
0x76750000 0xc000 5.01.2600.2180 C:\WINDOWS\System32\cryptdll.dll
0x72030000 0x1b000 5.01.2600.2180 c:\windows\system32\rasauto.dll
0x67370000 0x31000 5.01.2600.2180 C:\WINDOWS\system32\upnphost.dll
0x74e90000 0xc000 5.01.2600.2180 C:\WINDOWS\system32\SSDPAPI.dll
0x754e0000 0xa8000 5.01.2600.2180 C:\WINDOWS\System32\RASDLG.dll
0x76da0000 0x23000 5.01.2600.2180 C:\WINDOWS\System32\upnp.dll
0x50640000 0xc000 5.08.0000.2469 C:\WINDOWS\System32\wups.dll
0x74e60000 0xe000 5.01.2600.2180 C:\WINDOWS\System32\wbem\wbemsvc.dll
0x74910000 0x10e000 8.70.1113.0000 C:\WINDOWS\System32\msxml3.dll
0x76f70000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\winrnr.dll
0x68100000 0x24000 5.01.2600.2133 C:\WINDOWS\System32\dssenh.dll

------------------------------------------------------------------------------
svchost.exe pid: 1124
Command line: C:\WINDOWS\System32\svchost.exe -k NetworkService

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\svchost.exe
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\System32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x76730000 0xd000 5.01.2600.2180 c:\windows\system32\dnsrslvr.dll
0x76ee0000 0x27000 5.01.2600.2938 c:\windows\system32\DNSAPI.dll
0x20b00000 0x46000 2.51.0030.0000 C:\WINDOWS\system32\imon.dll
0x20c00000 0xc000 C:\Programmi\Eset\pr_imon.dll
0x719d0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x66750000 0x58000 5.01.2600.2180 C:\WINDOWS\System32\hnetcfg.dll
0x71a10000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll

------------------------------------------------------------------------------
svchost.exe pid: 1208
Command line: C:\WINDOWS\System32\svchost.exe -k LocalService

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\svchost.exe
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\System32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x74bd0000 0x6000 5.01.2600.2180 c:\windows\system32\lmhsvc.dll
0x5aae0000 0x15000 5.01.2600.2821 c:\windows\system32\webclnt.dll
0x76ab0000 0x12000 5.01.2600.2180 c:\windows\system32\regsvc.dll
0x76920000 0x14000 5.01.2600.2180 c:\windows\system32\ssdpsrv.dll
0x66750000 0x58000 5.01.2600.2180 C:\WINDOWS\System32\hnetcfg.dll
0x20b00000 0x46000 2.51.0030.0000 C:\WINDOWS\system32\imon.dll
0x20c00000 0xc000 C:\Programmi\Eset\pr_imon.dll
0x719d0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x71a10000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x67370000 0x31000 5.01.2600.2180 c:\windows\system32\upnphost.dll
0x4d530000 0x58000 5.01.2600.2180 c:\windows\system32\WINHTTP.dll
0x74e90000 0xc000 5.01.2600.2180 c:\windows\system32\SSDPAPI.dll
0x74910000 0x10e000 8.70.1113.0000 C:\WINDOWS\System32\msxml3.dll
0x75d50000 0x91000 6.00.2900.2180 C:\WINDOWS\System32\mlang.dll
0x67a50000 0x9000 5.01.2600.2180 C:\WINDOWS\System32\httpapi.dll

------------------------------------------------------------------------------
spoolsv.exe pid: 1460
Command line: C:\WINDOWS\system32\spoolsv.exe

Base Size Version Path
0x01000000 0x10000 5.01.2600.2696 C:\WINDOWS\system32\spoolsv.exe
0x5cf90000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x596b0000 0x1ca000 5.01.2600.2180 C:\WINDOWS\AppPatch\AcGenral.DLL
0x773a0000 0x103000 6.00.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x76ee0000 0x27000 5.01.2600.2938 C:\WINDOWS\system32\DNSAPI.dll
0x76f80000 0x6000 5.01.2600.2938 C:\WINDOWS\system32\rasadhlp.dll
0x75b60000 0x57000 5.01.2600.2180 C:\WINDOWS\system32\localspl.dll
0x74210000 0xf000 0.03.0000.0000 C:\WINDOWS\system32\cnbjmon.dll
0x66f40000 0x1f000 0.03.0000.0001 C:\WINDOWS\system32\CNMLM61.DLL
0x719d0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x00970000 0x8000 0.03.0000.0000 C:\WINDOWS\System32\spool\PRTPROCS\W32X86\CNMPD61.DLL
0x76f70000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\winrnr.dll
0x76210000 0x23000 5.01.2600.2180 C:\WINDOWS\system32\win32spl.dll
0x71c10000 0x7000 5.01.2600.2180 C:\WINDOWS\system32\NETRAP.dll
0x76760000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll
0x74280000 0x15000 5.01.2600.2180 C:\WINDOWS\system32\inetpp.dll
0x66900000 0x182000 0.03.0000.0000 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CNMUI61.DLL
0x76330000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\MSIMG32.dll
0x66400000 0x63000 0.03.0000.0000 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CNMDR61.DLL
0x73aa0000 0x15000 5.01.2600.2709 C:\WINDOWS\system32\mscms.dll

------------------------------------------------------------------------------
CCSETMGR.EXE pid: 1572
Command line: "C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"

Base Size Version Path
0x00400000 0x3a000 2.01.0010.0002 C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
0x7c080000 0x77000 7.00.9466.0000 C:\WINDOWS\system32\MSVCP70.dll
0x7c000000 0x54000 7.00.9466.0000 C:\WINDOWS\system32\MSVCR70.dll
--------------------------------------------------------------------
maxilsub
Junior Member

Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Post by BilloKenobi » 09/12/06 12:40

download

The Avenger --- http://swandog46.geekstogo.com/avenger.zip

Now extract it and run Avenger.exe

disable your antivirus, firewall and any HIPS modules

Select the option "Input Script Manually"
Click on the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E20D0C1-8F6A-3854-73B0-B4EFBCBB7A60}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | sFz

Files to delete:
C:\WINDOWS\yblhq1.dll


After that, click the Done button
Click twice on the green traffic light icon
Answer Yes twice
The PC should reboot by itself; if it doesn't, reboot it manually

The program produces a log of the operations performed.

Attach the Avenger log (found in C:\avenger.txt) with the result of the script.
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior Member

Posts: 348
Joined: 08/07/06 11:05

Post by maxilsub » 09/12/06 13:09

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\euyauobp

*******************

Script file located at: \??\C:\Documents and Settings\uewypnqx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\yblhq1.dll not found!
Deletion of file C:\WINDOWS\yblhq1.dll failed!

Could not process line:
C:\WINDOWS\yblhq1.dll
Status: 0xc0000034



Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E20D0C1-8F6A-3854-73B0-B4EFBCBB7A60} deleted successfully.


Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | sFz not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | sFz failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
maxilsub
Junior Member

Posts: 31
Joined: 16/01/06 19:20
Location: Latina

Post by BilloKenobi » 10/12/06 14:27

paste in this new script (I got a bit confused with the copy/paste)

Registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | sFz
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior Member

Posts: 348
Joined: 08/07/06 11:05

Post by Luke57 » 10/12/06 18:47

BilloKenobi wrote: paste in this new script (I got a bit confused with the copy/paste)

Registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | sFz


Hi Billo, I think the right script is this one:

Registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | sFz
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
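A defender-side audit of the three registry locations the Avenger script in this thread targets (SpecialAccounts\UserList, AppInit_DLLs and Browser Helper Objects), added here as an example and not part of the thread or of The Avenger itself. It assumes PowerShell 3 or later run with administrator rights; the variable and function names are my own.

```powershell
# Added example, not from the thread: audit the persistence locations the
# Avenger script targets. Assumes PowerShell 3+ running elevated on the host.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BhoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-HiddenAccounts {
    # A DWORD 0 named after an account under SpecialAccounts\UserList hides that
    # account from the Welcome screen; this is how "sFz" was hidden on the thread's PC.
    $path = "$Winlogon\SpecialAccounts\UserList"
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}

function Get-AppInitDlls {
    # Every DLL listed here is loaded into each process that maps user32.dll,
    # so any non-empty value deserves a look.
    $raw = (Get-ItemProperty -Path $Windows -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $raw -split '[ ,;]+' | Where-Object { $_ }
}

function Get-BrowserHelperObjects {
    # Each subkey is a CLSID; the DLL it loads is recorded under
    # HKCR\CLSID\{clsid}\InprocServer32. A BHO whose DLL is gone is a leftover
    # of an incomplete cleanup, like the yblhq1.dll the first Avenger run could not find.
    if (-not (Test-Path $BhoRoot)) { return @() }
    foreach ($key in Get-ChildItem -Path $BhoRoot) {
        $clsid = $key.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; DllExists = [bool]($dll -and (Test-Path $dll)) }
    }
}

'Hidden accounts:';         Get-HiddenAccounts
'AppInit_DLLs:';            Get-AppInitDlls
'Browser Helper Objects:';  Get-BrowserHelperObjects | Format-Table -AutoSize
```

Run it before and after a cleanup script: the "before" output is what the removal script should be written against, and the "after" output confirms the entries (and the hidden account) are really gone instead of relying on the "not found" lines in the Avenger log.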

Post by BilloKenobi » 10/12/06 18:54

yeah... I can't get anything right today :D
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior Member

Posts: 348
Joined: 08/07/06 11:05

Post by maxilsub » 12/12/06 16:23

Done, here is the Avenger log


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\arbcbsuv

*******************

Script file located at: \??\C:\Program Files\ueojvfxj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|sFz deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
maxilsub
Junior Member

Posts: 31
Joined: 16/01/06 19:20
Location: Latina
