HJT & GMER logs from a dying Asus
Rei
Eroe

Registered: 27/04/07 14:10
Posts: 75

Posted: 02 May 2007 20:48

ok, I've seen the extra info now! I'll try again!

but I'm waiting for suggestions on removing
c:\windows\system32\ctfdpfgc.exe
Rolling Eyes
holifay
Dio maturo

Registered: 08/03/05 09:48
Posts: 2912
Location: Milano

Posted: 02 May 2007 20:53

Before removing anything I would have liked confirmation that the Bagle hidden files were actually still present. It's odd that the fix didn't find them, and neither did the module used by SystemScan. As far as I know they should have been visible Rolling Eyes

BUT since bdoriano has started the cleaning procedure, let's continue it; you'll post the logs afterwards Smile

Download Avenger to the desktop and extract the executable avenger.exe
Then follow this guide on how to use it: http://www.pianetapc.it/articoli.php?id=89

but with this script:


Files to delete:
C:\Documents and Settings\Simo\Impostazioni locali\Temp\jefpca.exe
c:\windows\system32\ctfdpfgc.exe
C:\WINDOWS\TEMP\znqgaa.exe
C:\PROGRA~1\STYLED~1\once2.dll
C:\WINDOWS\tasks\vjetmdg.job
C:\WINDOWS\tasks\vwe.job
C:\WINDOWS\tasks\pbh.job
C:\WINDOWS\tasks\vtflmn.job
C:\WINDOWS\tasks\cdcshz.job
C:\WINDOWS\tasks\bmfeyhyq.job
C:\WINDOWS\tasks\oyvmi.job
C:\WINDOWS\tasks\akvhitqi.job
C:\WINDOWS\tasks\rfkit.job
C:\WINDOWS\tasks\ptopge.job
C:\WINDOWS\tasks\ wlf.job
C:\WINDOWS\tasks\rhppypap.job
C:\WINDOWS\tasks\croxrtle.job
C:\WINDOWS\tasks\auvibdyw.job
C:\WINDOWS\tasks\zdjtqnl.job
C:\WINDOWS\tasks\husbqgk.job
C:\WINDOWS\tasks\tgrztahw.job
C:\WINDOWS\tasks\biilx.job
C:\WINDOWS\tasks\wbh.job
C:\WINDOWS\tasks\ycifkdf.job
C:\WINDOWS\tasks\rjg.job
C:\WINDOWS\tasks\lmsevqm.job
C:\WINDOWS\tasks\qtvgm.job
C:\WINDOWS\tasks\resfqu.job
C:\WINDOWS\tasks\qhewc.job
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\cusbohcn.sys

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|jefpca.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ctfdpfgc
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|znqgaa.exe

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{682C4DBF-F7DB-F975-2568-753DC773C736}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

drivers to unload:
cusbohcn


Follow the instructions; it will ask you to reboot twice, accept.


when it's finished, post:
- the contents of the file avenger.txt
- a new SystemScan log
- a new GMER log, but don't tick "Show all", it isn't necessary
Rei
Eroe

Registered: 27/04/07 14:10
Posts: 75

Posted: 02 May 2007 22:44

here are the two logs:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\scgsgakd

*******************

Script file located at: \??\C:\WINDOWS\system32\xycjdrmm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\Simo\Impostazioni locali\Temp\jefpca.exe not found!
Deletion of file C:\Documents and Settings\Simo\Impostazioni locali\Temp\jefpca.exe failed!

Could not process line:
C:\Documents and Settings\Simo\Impostazioni locali\Temp\jefpca.exe
Status: 0xc0000034

File c:\windows\system32\ctfdpfgc.exe deleted successfully.


File C:\WINDOWS\TEMP\znqgaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\znqgaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\znqgaa.exe
Status: 0xc0000034



Could not open file C:\PROGRA~1\STYLED~1\once2.dll for deletion
Deletion of file C:\PROGRA~1\STYLED~1\once2.dll failed!

Could not process line:
C:\PROGRA~1\STYLED~1\once2.dll
Status: 0xc000003a

File C:\WINDOWS\tasks\vjetmdg.job deleted successfully.
File C:\WINDOWS\tasks\vwe.job deleted successfully.
File C:\WINDOWS\tasks\pbh.job deleted successfully.
File C:\WINDOWS\tasks\vtflmn.job deleted successfully.
File C:\WINDOWS\tasks\cdcshz.job deleted successfully.
File C:\WINDOWS\tasks\bmfeyhyq.job deleted successfully.
File C:\WINDOWS\tasks\oyvmi.job deleted successfully.
File C:\WINDOWS\tasks\akvhitqi.job deleted successfully.
File C:\WINDOWS\tasks\rfkit.job deleted successfully.
File C:\WINDOWS\tasks\ptopge.job deleted successfully.


File C:\WINDOWS\tasks\ wlf.job not found!
Deletion of file C:\WINDOWS\tasks\ wlf.job failed!

Could not process line:
C:\WINDOWS\tasks\ wlf.job
Status: 0xc0000034



File C:\WINDOWS\tasks\rhppypap.job not found!
Deletion of file C:\WINDOWS\tasks\rhppypap.job failed!

Could not process line:
C:\WINDOWS\tasks\rhppypap.job
Status: 0xc0000034



File C:\WINDOWS\tasks\croxrtle.job not found!
Deletion of file C:\WINDOWS\tasks\croxrtle.job failed!

Could not process line:
C:\WINDOWS\tasks\croxrtle.job
Status: 0xc0000034



File C:\WINDOWS\tasks\auvibdyw.job not found!
Deletion of file C:\WINDOWS\tasks\auvibdyw.job failed!

Could not process line:
C:\WINDOWS\tasks\auvibdyw.job
Status: 0xc0000034

File C:\WINDOWS\tasks\zdjtqnl.job deleted successfully.


File C:\WINDOWS\tasks\husbqgk.job not found!
Deletion of file C:\WINDOWS\tasks\husbqgk.job failed!

Could not process line:
C:\WINDOWS\tasks\husbqgk.job
Status: 0xc0000034



File C:\WINDOWS\tasks\tgrztahw.job not found!
Deletion of file C:\WINDOWS\tasks\tgrztahw.job failed!

Could not process line:
C:\WINDOWS\tasks\tgrztahw.job
Status: 0xc0000034



File C:\WINDOWS\tasks\biilx.job not found!
Deletion of file C:\WINDOWS\tasks\biilx.job failed!

Could not process line:
C:\WINDOWS\tasks\biilx.job
Status: 0xc0000034



File C:\WINDOWS\tasks\wbh.job not found!
Deletion of file C:\WINDOWS\tasks\wbh.job failed!

Could not process line:
C:\WINDOWS\tasks\wbh.job
Status: 0xc0000034

File C:\WINDOWS\tasks\ycifkdf.job deleted successfully.


File C:\WINDOWS\tasks\rjg.job not found!
Deletion of file C:\WINDOWS\tasks\rjg.job failed!

Could not process line:
C:\WINDOWS\tasks\rjg.job
Status: 0xc0000034



File C:\WINDOWS\tasks\lmsevqm.job not found!
Deletion of file C:\WINDOWS\tasks\lmsevqm.job failed!

Could not process line:
C:\WINDOWS\tasks\lmsevqm.job
Status: 0xc0000034



File C:\WINDOWS\tasks\qtvgm.job not found!
Deletion of file C:\WINDOWS\tasks\qtvgm.job failed!

Could not process line:
C:\WINDOWS\tasks\qtvgm.job
Status: 0xc0000034

File C:\WINDOWS\tasks\resfqu.job deleted successfully.
File C:\WINDOWS\tasks\qhewc.job deleted successfully.


File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\cusbohcn.sys not found!
Deletion of file C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\cusbohcn.sys failed!

Could not process line:
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\cusbohcn.sys
Status: 0xc0000034

Driver cusbohcn unloaded successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|jefpca.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ctfdpfgc deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|znqgaa.exe deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{682C4DBF-F7DB-F975-2568-753DC773C736} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
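The Avenger script holifay posted and the avenger.txt log Rei got back both follow a fixed line format, so the two can be reconciled mechanically instead of by eye: every script item ends up as "deleted", "not found" (Avenger's status 0xc0000034, STATUS_OBJECT_NAME_NOT_FOUND), "failed" with the decoded NTSTATUS (0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND, a missing directory in the path), or "no record". The Python below is an added example, not code from the thread or from the Avenger tool; the script and log it parses are constructed in the thread's format with placeholder names, and the NTSTATUS names are the standard Windows ones for those codes.

```python
"""Reconcile an Avenger removal script with the avenger.txt log it produced.
Added example: not from the thread or the Avenger tool; sample data is constructed."""
import re

NTSTATUS = {  # well-known Windows codes that Avenger prints on failed lines
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the file/key itself was absent
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a directory in the path was absent
}
SECTION_RE = re.compile(r"^(files|registry values|registry keys|drivers) to (?:delete|unload):$", re.I)
OK_RE = re.compile(r"^(?:File|Registry value|Registry key|Driver) (.+) (?:deleted|unloaded) successfully\.$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")

def parse_script(text):
    """Map each section name ('files', 'drivers', ...) to its list of items."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def parse_log(text):
    """Map each item Avenger mentions to (succeeded, ntstatus_or_None).
    Keys are lower-cased: Windows paths and registry names are case-insensitive."""
    results, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        m = OK_RE.match(line)
        if m:
            results[m.group(1).lower()] = (True, None)
        elif line.startswith("Could not process line:") and i + 1 < len(lines):
            # the offending script line follows, then "Status: 0x..." within a few lines
            codes = [int(s.group(1), 16) for s in map(STATUS_RE.match, lines[i + 2:i + 5]) if s]
            results[lines[i + 1].strip().lower()] = (False, codes[0] if codes else None)
    return results

def reconcile(script_text, log_text):
    """[(section, item, outcome)]; outcome is 'deleted', 'unloaded', 'not found',
    'failed: <NTSTATUS>' or 'no record' (Avenger never mentioned the item)."""
    log, report = parse_log(log_text), []
    for section, items in parse_script(script_text).items():
        for item in items:
            hit = log.get(item.lower())
            if hit is None:
                outcome = "no record"
            elif hit[0]:
                outcome = "unloaded" if section == "drivers" else "deleted"
            elif hit[1] == 0xC0000034:
                outcome = "not found"
            else:
                outcome = "failed: " + ("unknown" if hit[1] is None else NTSTATUS.get(hit[1], hex(hit[1])))
            report.append((section, item, outcome))
    return report

def follow_up(report):
    """Items still needing attention, each with a hint. A 'not found' path with a
    stray space next to a backslash is more likely a typo in the script than a file
    that was already gone, so it is flagged instead of being counted as cleaned."""
    todo = []
    for section, item, outcome in report:
        if outcome in ("deleted", "unloaded"):
            continue
        if outcome == "not found" and re.search(r"\\ | \\", item):
            hint = "probable typo in the script path; re-check the real file name"
        elif outcome == "not found":
            hint = "already absent; confirm with a fresh scan"
        else:
            hint = "verify the path (8.3 short names) and re-run, or remove manually"
        todo.append((section, item, outcome, hint))
    return todo

SAMPLE_SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\example_dropper.exe
C:\WINDOWS\tasks\ example.job
C:\PROGRA~1\EXAMPL~1\example.dll

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|example_dropper

drivers to unload:
examplesys
"""

SAMPLE_LOG = r"""Logfile of The Avenger version 1, by Swandog46
File C:\WINDOWS\system32\example_dropper.exe deleted successfully.
File C:\WINDOWS\tasks\ example.job not found!
Could not process line:
C:\WINDOWS\tasks\ example.job
Status: 0xc0000034
Could not open file C:\PROGRA~1\EXAMPL~1\example.dll for deletion
Could not process line:
C:\PROGRA~1\EXAMPL~1\example.dll
Status: 0xc000003a
Driver examplesys unloaded successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|example_dropper deleted successfully.
Completed script processing.
"""

if __name__ == "__main__":
    report = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    for entry in report:
        print("%-16s %-60s %s" % entry)
    for _, item, _, hint in follow_up(report):
        print("FOLLOW UP:", item, "->", hint)
```

Run it against the real script and avenger.txt by reading both files into `reconcile`. The typo check matters for a log like the one above: a "not found" on a path such as `C:\WINDOWS\tasks\ wlf.job` says nothing about the real task file, so it belongs on the follow-up list rather than the "cleaned" list, and a fresh SystemScan or GMER log is the way to settle it.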
Rei
Eroe

Registered: 27/04/07 14:10
Posts: 75

Posted: 02 May 2007 22:47

and the other one - I hope to be able to post GMER soon as well, even though I couldn't run the scan without show all... it told me there had been no system changes or something like that...

SystemScan - www.suspectfile.com - ver. 3.0.1

Running on: Windows XP PROFESSIONAL Edition, Service Pack 2 (2600.5.1)

Date: 02/05/2007
Time: 22.41.17

Output limited to:
-Recent files
-Registry Run Keys
-Running Services
-Duplicates in BAK folders
-Device Driver Services
-Svchost.exe instances
-Loaded Dlls
-Alternate Data Sreams
-Encrypted Files
-Hidden objects
-Suspicious Files

-------------Users folders -------------

11/10/2004 21.34.47 (DIR) -H-- 0933 days old -- Default User
17/03/2007 00.46.52 AH-- 0046 days old -- ADMINI~1.LOG
17/03/2007 00.58.00 (DIR) ---- 0046 days old -- All Users
17/03/2007 01.17.01 (DIR) -HS- 0046 days old -- LocalService
17/03/2007 01.17.02 (DIR) ---- 0046 days old -- Administrator
22/03/2007 00.05.31 (DIR) -HS- 0041 days old -- NetworkService
02/05/2007 22.33.58 (DIR) ---- 0000 days old -- Simo

Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| ASPNET
| Guest
| HelpAssistant (Disabled)
Yes | Simo
| SUPPORT_388945a0 (Disabled)

-------------Recent files (60 days old)-------------

------------- Showing files newer than 60 days in C:\

17/03/2007 00.42.31 (DIR) ---- 0046 days old -- Documents and Settings
17/03/2007 11.30.19 A--- 0046 days old -- temp.log
19/03/2007 22.55.34 (DIR) ---- 0044 days old -- TEMP
23/04/2007 19.58.29 (DIR) ---- 0009 days old -- !Submit
27/04/2007 11.03.44 (DIR) ---- 0005 days old -- Immagini
01/05/2007 15.19.26 (DIR) -HS- 0001 days old -- System Volume Information
02/05/2007 12.41.38 (DIR) ---- 0000 days old -- Muestras
02/05/2007 18.31.26 A--- 0000 days old -- InfoSat.txt
02/05/2007 21.05.05 (DIR) ---- 0000 days old -- Programmi
02/05/2007 21.28.55 (DIR) ---- 0000 days old -- WINDOWS
02/05/2007 22.23.56 A--- 0000 days old -- hpfr3420.log
02/05/2007 22.23.56 A--- 0000 days old -- hpfr3420.xml
02/05/2007 22.35.42 AHSR 0000 days old -- pagefile.sys
02/05/2007 22.36.16 (DIR) ---- 0000 days old -- avenger
02/05/2007 22.38.27 A--- 0000 days old -- avenger.txt
02/05/2007 22.41.17 (DIR) ---- 0000 days old -- suspectfile

------------- Showing files newer than 60 days in C:\WINDOWS\

14/03/2007 12.34.02 (DIR) -H-- 0049 days old -- inf
17/03/2007 01.16.24 (DIR) ---- 0046 days old -- Registration
17/03/2007 19.58.22 (DIR) ---- 0046 days old -- Offline Web Pages
17/03/2007 19.58.23 (DIR) ---- 0046 days old -- Minidump
17/03/2007 19.59.32 (DIR) ---- 0046 days old -- $NtServicePackUninstall$
24/03/2007 18.04.12 (DIR) ---- 0039 days old -- system
12/04/2007 17.04.36 A--- 0020 days old -- gmer.exe
14/04/2007 17.37.24 A--- 0018 days old -- vbaddin.ini
22/04/2007 11.50.35 (DIR) -HS- 0010 days old -- Installer
22/04/2007 11.51.18 (DIR) --SR 0010 days old -- Fonts
22/04/2007 21.42.55 (DIR) ---- 0010 days old -- security
28/04/2007 11.13.09 (DIR) ---- 0004 days old -- Help
28/04/2007 12.02.51 A--- 0004 days old -- gmer.dll
28/04/2007 12.02.51 A--- 0004 days old -- gmer_uninstall.cmd
02/05/2007 10.41.06 A--- 0000 days old -- ModemLog_HSP56 MR.txt
02/05/2007 14.08.55 A--- 0000 days old -- gmer.ini
02/05/2007 21.09.44 (DIR) ---- 0000 days old -- Debug
02/05/2007 21.28.55 (DIR) -H-- 0000 days old -- PIF
02/05/2007 21.29.44 A--- 0000 days old -- system.ini
02/05/2007 21.53.27 A--- 0000 days old -- ntbtlog.txt
02/05/2007 22.33.58 A--- 0000 days old -- SchedLgU.Txt
02/05/2007 22.35.17 (DIR) ---- 0000 days old -- system32
02/05/2007 22.35.18 (DIR) --S- 0000 days old -- Tasks
02/05/2007 22.35.55 A-S- 0000 days old -- bootstat.dat
02/05/2007 22.36.08 A--- 0000 days old -- 0.log
02/05/2007 22.36.12 A--- 0000 days old -- wiaservc.log
02/05/2007 22.36.17 A--- 0000 days old -- WindowsUpdate.log
02/05/2007 22.36.22 (DIR) ---- 0000 days old -- Temp
02/05/2007 22.40.01 A--- 0000 days old -- wiadebug.log
02/05/2007 22.41.18 (DIR) ---- 0000 days old -- Prefetch

------------- Showing files newer than 60 days in C:\WINDOWS\Downloaded Program Files\


------------- Showing files newer than 60 days in C:\WINDOWS\system\


------------- Showing files newer than 60 days in C:\WINDOWS\system32\

17/03/2007 01.16.25 (DIR) ---- 0046 days old -- wbem
17/03/2007 01.17.35 (DIR) ---- 0046 days old -- config
22/04/2007 11.15.29 A--- 0010 days old -- perfc009.dat
22/04/2007 11.15.29 A--- 0010 days old -- PerfStringBackup.INI
22/04/2007 11.15.30 A--- 0010 days old -- perfc010.dat
22/04/2007 11.15.30 A--- 0010 days old -- perfh009.dat
22/04/2007 11.15.33 A--- 0010 days old -- perfh010.dat
22/04/2007 22.41.39 A--- 0010 days old -- FNTCACHE.DAT
29/04/2007 20.35.05 (DIR) ---- 0003 days old -- dllcache
29/04/2007 20.35.19 (DIR) ---- 0003 days old -- CatRoot2
01/05/2007 15.19.27 (DIR) ---- 0001 days old -- Restore
02/05/2007 10.34.27 (DIR) ---- 0000 days old -- oobe
02/05/2007 22.36.16 (DIR) ---- 0000 days old -- drivers
02/05/2007 22.36.22 A--- 0000 days old -- wpa.dbl

------------- Showing files newer than 60 days in C:\WINDOWS\system32\drivers\

28/04/2007 12.02.51 A--- 0004 days old -- gmer.sys
02/05/2007 19.31.24 (DIR) ---- 0000 days old -- etc

------------- Showing files newer than 60 days in C:\WINDOWS\temp\

02/05/2007 22.16.16 A--- 0000 days old -- AcrF8AC.tmp
02/05/2007 22.16.49 A--- 0000 days old -- AcrD90E.tmp
02/05/2007 22.17.58 A--- 0000 days old -- Acr7055.tmp
02/05/2007 22.22.06 A--- 0000 days old -- AcrD1D3.tmp
02/05/2007 22.22.54 A--- 0000 days old -- Acr3BAE.tmp
02/05/2007 22.25.14 A--- 0000 days old -- Acr9DEE.tmp
02/05/2007 22.29.29 A--- 0000 days old -- Acr9AC6.tmp
02/05/2007 22.30.24 A--- 0000 days old -- Acr109.tmp
02/05/2007 22.32.30 A--- 0000 days old -- Acr7031.tmp
02/05/2007 22.36.08 A--- 0000 days old -- WGAErrLog.txt
02/05/2007 22.36.24 A--- 0000 days old -- WGANotify.settings

------------- Showing files newer than 60 days in C:\Programmi\

12/03/2007 21.05.10 (DIR) ---- 0051 days old -- Adobe
12/03/2007 21.38.16 (DIR) ---- 0051 days old -- Adobe Illustrator CS
17/03/2007 01.14.13 (DIR) ---- 0046 days old -- ClamWin
17/03/2007 01.15.06 (DIR) ---- 0046 days old -- DVD Decrypter
17/03/2007 11.41.20 (DIR) ---- 0046 days old -- DivX
17/03/2007 14.44.40 (DIR) ---- 0046 days old -- Internet Explorer
17/03/2007 19.54.30 (DIR) ---- 0046 days old -- DustBuster
17/03/2007 20.04.02 (DIR) ---- 0046 days old -- Movie Maker
17/03/2007 20.04.02 (DIR) ---- 0046 days old -- NetMeeting
17/03/2007 20.04.02 (DIR) ---- 0046 days old -- WinRAR
17/03/2007 20.04.50 (DIR) ---- 0046 days old -- Uninstall Information
20/03/2007 16.04.31 (DIR) ---- 0043 days old -- SmartDraw 2007
20/03/2007 22.59.47 (DIR) ---- 0043 days old -- Belarc
22/03/2007 00.17.07 (DIR) ---- 0041 days old -- TEMP
24/03/2007 18.03.03 (DIR) ---- 0039 days old -- Grisoft
30/03/2007 10.13.17 (DIR) ---- 0033 days old -- SAGEM F@st 800-840
02/04/2007 20.07.23 (DIR) ---- 0030 days old -- Mozilla Firefox
14/04/2007 17.35.36 (DIR) ---- 0018 days old -- Spybot - Search & Destroy
14/04/2007 17.38.17 (DIR) ---- 0018 days old -- Microsoft Office
22/04/2007 11.43.57 (DIR) ---- 0010 days old -- VideoLAN
22/04/2007 11.46.29 (DIR) ---- 0010 days old -- Ahead
22/04/2007 11.46.29 (DIR) ---- 0010 days old -- File comuni
22/04/2007 11.47.27 (DIR) -H-- 0010 days old -- InstallShield Installation Information
22/04/2007 11.48.44 (DIR) ---- 0010 days old -- ESET
23/04/2007 21.29.04 (DIR) ---- 0009 days old -- eMule
02/05/2007 21.07.49 (DIR) ---- 0000 days old -- CCleaner

------------- Showing files newer than 60 days in C:\Programmi\File comuni\

12/03/2007 21.38.02 (DIR) ---- 0051 days old -- Adobe
17/03/2007 11.30.36 (DIR) ---- 0046 days old -- InstallShield
17/03/2007 20.04.02 (DIR) ---- 0046 days old -- Services
14/04/2007 17.38.17 (DIR) ---- 0018 days old -- Microsoft Shared

-------------Duplicates in BAK folders-------------

No BAK folders found

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]
"Hcontrol"="C:\WINDOWS\ATK0100\Hcontrol.exe"
"nod32kui"="\"C:\Programmi\Eset\nod32kui.exe\" /WAITSERVICE"
"PCTVOICE"="pctspk.exe"

[Run\OptionalComponents]

[Run\OptionalComponents\IMAIL]
"Installed"="1"

[Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[Run\OptionalComponents\MSFS]
"Installed"="1"

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]
"msnmsgr"="\"C:\Programmi\MSN Messenger\msnmsgr.exe\" /background"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"

-------------HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run-------------

[Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE"

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-------------

-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows-------------

[Windows]
"AppInit_DLLs"=""

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad-------------

[ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
#### HKCR\CLSID\{7849596a-48ea-486e-8937-a2a3009f31a9}\InprocServer32 @=expand:"%SystemRoot%\system32\SHELL32.dll"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
#### HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 @=expand:"%SystemRoot%\system32\SHELL32.dll"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
#### HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 @=expand:"%SystemRoot%\System32\webcheck.dll"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
#### HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32 @="C:\WINDOWS\System32\stobject.dll"

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks-------------

[ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
#### HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32 @="shell32.dll"

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"Shell"="Explorer.exe"
"System"=""
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"UIHost"=expand:"logonui.exe"
"LogonType"=dword:00000001
"WinStationsDisabled"="0"

[Winlogon\GPExtensions]

[Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Senza fili"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"DllName"=expand:"fdeploy.dll"

[Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Quota disco Microsoft"
"DllName"=expand:"dskquota.dll"

[Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="Utilità di pianificazione pacchetti QoS"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Script"
"DllName"=expand:"gptext.dll"

[Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Mapping aree Internet Explorer"
"DllName"=expand:"iedkcs32.dll"

[Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
@="Security"

[Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"DllName"=expand:"iedkcs32.dll"
@="Personalizzazione Internet Explorer"

[Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
@="EFS recovery"

[Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Installazione software"
"DllName"=expand:"appmgmts.dll"

[Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="Protezione IP"
"DllName"=expand:"gptext.dll"

[Winlogon\Notify]

[Winlogon\Notify\crypt32chain]
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[Winlogon\Notify\cryptnet]
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"StartShell"="WinlogonStartShellEvent"

[Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001

[Winlogon\Notify\Schedule]
"DllName"=expand:"wlnotify.dll"
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"DllName"=expand:"sclgntfy.dll"

[Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"

[Winlogon\Notify\termsrv]
"DllName"=expand:"wlnotify.dll"
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"

[Winlogon\Notify\WgaLogon\Settings]

[Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"

[Winlogon\SpecialAccounts]

[Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-------------

[Winlogon]
"ParseAutoexec"="1"
"ExcludeProfileDirs"="Impostazioni locali;Temporary Internet Files;Cronologia;Temp;Impostazioni locali\Dati applicazioni\Microsoft\Outlook"
"BuildNumber"=dword:00000a28

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options-------------

[Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

-------------HKLM\System\CurrentControlSet\Control\Session Manager\-------------

[Session Manager]
"BootExecute"=multi:"autocheck autochk *\00\00"

[Session Manager\SubSystems]
"Windows"=expand:"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

-------------HKLM\SYSTEM\CurrentControlSet\Control\WOW-------------

[WOW]
"cmdline"=expand:"%SystemRoot%\system32\ntvdm.exe"
"wowcmdline"=expand:"%SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386"

-------------HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

[RunOnce]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

[RunOnceEx]

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce-------------

[RunOnce]

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run-------------

-------------HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-------------

-------------HKLM\Software\Microsoft\Command Processor\Autorun-------------

-------------HKCU\Software\Microsoft\Command Processor\Autorun-------------

-------------HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load-------------

-------------HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup-------------

-------------HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon-------------

-------------HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon-------------

-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce-------------

-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run-------------

-------------HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms-------------

-------------HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce-------------

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler-------------

[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
#### HKCR\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InprocServer32 @=expand:"%SystemRoot%\System32\browseui.dll"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"
#### HKCR\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InprocServer32 @=expand:"%SystemRoot%\System32\browseui.dll"

-------------HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects-------------

[Browser Helper Objects]

[Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
#### HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32 @="c:\programmi\google\googletoolbar3.dll"

-------------HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks-------------

[URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
#### HKCR\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InprocServer32 @=expand:"%SystemRoot%\System32\shdocvw.dll"

-------------HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder-------------

-------------HKCU\Control Panel\Desktop\-------------

[Desktop]
"SCRNSAVE.EXE"="C:\WINDOWS\System32\logon.scr"

[Desktop\WindowMetrics]

-------------HKEY_CLASSES_ROOT\exefile\shell\open\command-------------

[command]
@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\comfile\shell\open\command-------------

[command]
@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\batfile\shell\open\command-------------

[command]
@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\piffile\shell\open\command-------------

[command]
@="\"%1\" %*"

-------------HKEY_CLASSES_ROOT\scrFile\shell\open\command-------------

[command]
@="\"%1\" /S"

-------------HKEY_CLASSES_ROOT\htafile\shell\open\command-------------

[Command]
@="C:\WINDOWS\System32\mshta.exe \"%1\" %*"

-------------HKEY_CLASSES_ROOT\logfile\shell\open\command-------------

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL-------------

[URL]

[URL\DefaultPrefix]
@="http://"

[URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

-------------HKLM\SYSTEM\CurrentControlSet\Control\Lsa-------------

[Lsa]
"Authentication Packages"=multi:"msv1_0\00\00"
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=multi:"kerberos\00msv1_0\00schannel\00wdigest\00\00"
"LsaPid"=dword:00000274
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=multi:"scecli\00\00"
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001

[Lsa\AccessProviders]
"ProviderOrder"=multi:"Windows NT Access Provider\00\00"

[Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=expand:"%SystemRoot%\system32\ntmarta.dll"

[Lsa\Audit]

[Lsa\Audit\PerUserAuditing]

[Lsa\Audit\PerUserAuditing\System]

[Lsa\Data]
@Class="ea921c0e"
"Pattern"=hex:4c,85,41,f8,f1,10,18,60,58,d2,02,fa,97,49,4b,11,65,61,39,32,31,\
63,30,65,00,67,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
53,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,94,ff,64,3e

[Lsa\GBG]
@Class="94b614e8"
"GrafBlumGroup"=hex:43,74,4d,48,f5,5e,be,28,38

[Lsa\JD]
@Class="5d443e7a"
"Lookup"=hex:40,53,13,bc,68,eb

[Lsa\Kerberos]

[Lsa\Kerberos\Domains]

[Lsa\Kerberos\SidCache]

[Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[Lsa\Skew1]
@Class="64ff23f9"
"SkewMatrix"=hex:e7,b4,47,79,db,87,c1,be,75,97,b2,c9,d6,f1,50,88

[Lsa\SSO]

[Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[Lsa\SspiCache]
"Time"=hex:50,f4,14,c3,23,b8,c4,01

[Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,61,92,55,3d,86,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,42,88,5b,3d,86,c4,01
"Type"=dword:00000031

[Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,d8,20,5c,3d,86,c4,01
"Type"=dword:00000031

-------------HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess-------------

[SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=expand:"%SystemRoot%\System32\svchost.exe -k netsvcs"
"DisplayName"="Windows Firewall / Condivisione connessione Internet (ICS)"
"DependOnService"=multi:"Netman\00WinMgmt\00\00"
"DependOnGroup"=multi:"\00"
"ObjectName"="LocalSystem"
"Description"="Fornisce servizi di conversione indirizzi di rete, indirizzamento e risoluzione nomi e/o servizi di prevenzione intrusione per una rete domestica o una piccola rete aziendale."

[SharedAccess\Epoch]
"Epoch"=dword:000036f9

[SharedAccess\Parameters]
"ServiceDll"=expand:"%SystemRoot%\System32\ipnathlp.dll"

[SharedAccess\Parameters\FirewallPolicy]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\MSN Messenger\msnmsgr.exe"="C:\Programmi\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
"DoNotAllowExceptions"=dword:00000000

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"="C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:Connection Manager"
"C:\Programmi\Yahoo!\Messenger\YServer.exe"="C:\Programmi\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Programmi\Yahoo!\Messenger\YPager.exe"="C:\Programmi\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\Programmi\Skype\Phone\Skype.exe"="C:\Programmi\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Programmi\Messenger\msmsgs.exe"="C:\Programmi\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Programmi\eMule\emule.exe"="C:\Programmi\eMule\emule.exe:*:Enabled:eMule"
"C:\Programmi\MSN Messenger\msnmsgr.exe"="C:\Programmi\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"

[SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{BE80DAE7-A9EC-46A6-A16F-9B14F41415B8}"=dword:00000001
"{70E5874A-DD5F-437F-B4C1-4BE2B53D43CF}"=dword:00000001
"{5FB6F885-E2E5-48BA-96FF-D188AECB3305}"=dword:00000001
"{E03857CA-7263-4930-A1EB-3DB58F9A51B1}"=dword:00000001
"{81DBBE35-163C-4A7C-BE48-F89F0B3A4019}"=dword:00000001
"{7AAAF0AC-0CFC-4CCD-988F-7BC31FEB35F0}"=dword:00000001
"{65166867-D571-49F7-A1C6-BC2413DB35E2}"=dword:00000001

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Firewall\-------------

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Winsock2-------------

-------------HKLM\Software\Microsoft\Ole-------------

[Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00

[Ole\AppCompat]

[Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

-------------HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\-------------

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\-------------

[Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[Security Center\Monitoring]

[Security Center\Monitoring\AhnlabAntiVirus]

[Security Center\Monitoring\ComputerAssociatesAntiVirus]

[Security Center\Monitoring\KasperskyAntiVirus]

[Security Center\Monitoring\McAfeeAntiVirus]

[Security Center\Monitoring\McAfeeFirewall]

[Security Center\Monitoring\PandaAntiVirus]

[Security Center\Monitoring\PandaFirewall]

[Security Center\Monitoring\SophosAntiVirus]

[Security Center\Monitoring\SymantecAntiVirus]

[Security Center\Monitoring\SymantecFirewall]

[Security Center\Monitoring\TinyFirewall]

[Security Center\Monitoring\TrendAntiVirus]

[Security Center\Monitoring\TrendFirewall]

[Security Center\Monitoring\ZoneLabsFirewall]

-------------HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\-------------

[SystemRestore]
"DisableSR"=dword:00000000
"CreateFirstRunRp"=dword:00000001
"DSMin"=dword:000000c8
"DSMax"=dword:00000190
"RPSessionInterval"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"CompressionBurst"=dword:0000003c
"TimerInterval"=dword:00000078
"DiskPercent"=dword:0000000c
"ThawInterval"=dword:00000384
"RestoreDiskSpaceError"=dword:00000000
"RestoreStatus"=dword:00000001
"RestoreSafeModeStatus"=dword:00000000

[SystemRestore\Cfg]
"DiskPercent"=dword:0000000c
"MachineGuid"="{D904691C-AB63-48AB-AD04-F335065C4713}"

[SystemRestore\SnapshotCallbacks]
@=""

-------------HKEY_CURRENT_USER\Software\VB and VBA Program Settings-------------

[VB and VBA Program Settings]

[VB and VBA Program Settings\Euro Add-in]

[VB and VBA Program Settings\Euro Add-in\Wizard Options]

-------------HKLM\Software\Microsoft\Active Setup\Installed Components-------------

[Installed Components]

[Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
@="IE7 Uninstall Stub"
"ComponentID"="IEUDINIT"
"DontAsk"=dword:00000002
"IsInstalled"=dword:00000000
"Locale"="*"
"StubPath"="C:\WINDOWS\system32\ieudinit.exe"
"Version"="7,0,5730,0"

[Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
@="Windows Media Player"
"ComponentID"="WMPACCESS"
"Dontask"=dword:00000002
"IsInstalled"=dword:00000000
"Locale"="*"
"StubPath"="C:\WINDOWS\inf\unregmp2.exe /ShowWMP"
"Version"="10,0,0,3646"

[Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
@="Internet Explorer"
"ComponentID"="IEACCESS"
"Dontask"=dword:00000002
"Locale"="*"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE"
"Version"="2,0,0,0"
"IsInstalled"=dword:00000001

[Installed Components\>{70B53801-0379-4562-84F6-8539F1329D06}]
"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"
"IsInstalled"=dword:00000001
@="Personalizzazione browser"
"ComponentID"="BRANDING.CAB"
"Version"="6,0,2800,1106"
"Locale"="en"

[Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
@="Outlook Express"
"ComponentID"="OEACCESS"
"Dontask"=dword:00000002
"Locale"="*"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE"
"Version"="2,0,0,0"
"IsInstalled"=dword:00000001

[Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
@="Microsoft VM"
"ComponentID"="JAVAVM"
"IsInstalled"=hex:01,00,00,00
"KeyFileName"="C:\WINDOWS\system32\msjava.dll"
"Locale"="IT"
"Version"="5,0,3810,0"

[Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
@="Rendering grafica vettoriale (VML)"
"ComponentID"="MSVML"
"Version"="6,0,2462,0001"
"IsInstalled"=hex:01,00,00,00
"Locale"="EN"

[Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
#### HKCR\CLSID\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
@=""
"ComponentID"="NetShow"
"IsInstalled"=dword:00000001
"DontAsk"=dword:00000002
"Locale"="IT"
"StubPath"=""
"Version"="10,0,0,3646"

[Installed Components\{2298d453-bcae-4519-bf33-1cbf3faf1524}]
@="Q867801"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1552"
"ComponentID"="Q867801"

[Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"ComponentID"="Microsoft Windows Media Player"
"DontAsk"=dword:00000002
"Locale"="IT"
"StubPath"=""
@="Microsoft Windows Media Player 6.4"
"Version"="10,0,0,3646"
"IsInstalled"=dword:00000001

[Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
#### HKCR\CLSID\{283807B5-2C60-11D0-A31D-00AA00B92C03}\InprocServer32 @="C:\WINDOWS\system32\danim.dll"
@="DirectAnimation"
"IsInstalled"=dword:00000001
"Version"="6,0,3,531"
"Locale"="IT"
"ComponentID"="DirectAnimation"

[Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"ComponentID"="Theme Component"
"IsInstalled"=dword:00000001
"Locale"="IT"
"StubPath"=expand:"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll"
"Version"="1,1,1,7"

[Installed Components\{2cc9d512-6db6-4f1c-8979-9a41fae88de0}]
@="Q837009"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1409"
"ComponentID"="Q837009"

[Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
@="Binding dati Dynamic HTML per Java"
"ComponentID"="TridataJava"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="4,7,0,0320"

[Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]
@="Modulo ricerca non in linea"
"ComponentID"="MobilePk"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="6,0,2900,2180"

[Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
@="Uniscribe"
"ComponentID"="USP10"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="1,397,2406,1"

[Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}]
@="KB834707"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1584"
"ComponentID"="KB834707"

[Installed Components\{411EDCF7-755D-414E-A74B-3DCD6583F589}]
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="1,1,4322"
"ComponentID"="S867460"
@="Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)"

[Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}]
@="Creazione avanzata"
"ComponentID"="AdvAuth"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="6,0,2600,0000"

[Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"Version"="6,0,2900,2180"
@="Microsoft Outlook Express 6"
"IsInstalled"=dword:00000001
"Locale"="IT"
"ComponentID"="MailNews"
"CloneUser"=dword:00000001
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"

[Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
@="NetMeeting 3.01"
"ComponentID"="NetMeeting"
"IsInstalled"=hex:01,00,00,00
"Version"="4,4,0,3385"
"Locale"="IT"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT"

[Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
@="DirectShow"
"ComponentID"="activemovie"
"IsInstalled"=dword:00000001
"DontAsk"=dword:00000002
"Locale"="IT"
"Version"="10,0,0,3646"

[Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft DirectX"
"Versione"=hex:04,00,09,00,00,00,86,03

[Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
@="DirectDrawEx"
"ComponentID"="DirectDrawEx"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="4,71,1113,0"

[Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
@="Guida di Internet Explorer"
"ComponentID"="HelpCont"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="6,0,2600,0000"

[Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
@="Classi Java DirectAnimation"
"ComponentID"="DAJava"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="6,00,01,0223"

[Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
@="Microsoft Windows Script 5.6"
"ComponentID"="MSVBScript"
"IsInstalled"=dword:00000001
"Locale"="IT"
"Version"="5,6,0,8513"

[Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
"ComponentID"="Messenger"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser"
"Locale"="IT"
"Version"="4,7,0,3000"
"IsInstalled"=dword:00000001
@="Windows Messenger 4.7"
"KeyFileName"="C:\Programmi\Messenger\msmsgs.exe"

[Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
"(Default)"="Internet Connection Wizard"
"ComponentID"="ICW"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="5,00,2918,1900"

[Installed Components\{5f3c70b3-ac2f-432c-8f9c-1624df61f54f}]
@="Microsoft Data Access Components KB870669"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1106"
"ComponentID"="KB870669"

[Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
@="Strumenti di installazione di Internet Explorer"
"ComponentID"="GenSetup"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="5,0,0,1"

[Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
@="Miglioramenti sfoglia"
"ComponentID"="ExtraPack"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="6,0,2900,2180"
"KeyFileName"="C:\WINDOWS\System32\msieftp.dll"

[Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
#### HKCR\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32 @="C:\WINDOWS\system32\wmp.dll"
@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"DontAsk"=dword:00000002
"Locale"="IT"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub"
"IsInstalled"=dword:00000001
"Version"="10,0,0,3646"

[Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
@="Accesso sito MSN"
"ComponentID"="MSN_Auth"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="4,9,9,2"

[Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
@="Web Folders"
"ComponentID"="WebFolders"
"IsInstalled"=dword:00000001
"Locale"="*"
"StubPath"=""
"Version"="10,0,0,1"

[Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"Version"="6,0,2900,2180"
@="Rubrica 6"
"IsInstalled"=dword:00000001
"Locale"="IT"
"ComponentID"="WAB"
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install"

[Installed Components\{795d0712-722c-43ec-906a-fc5e678eada9}]
@="Q831167"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1405"
"ComponentID"="Q831167"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"ComponentID"="IE4Shell_NT"
"IsInstalled"=dword:00000001
"Locale"="IT"
"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,0,2900,2180"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Internet Explorer 6"
"ComponentID"="BASEIE40_W2K"
"IsInstalled"=dword:00000001
"Locale"="IT"
"StubPath"=expand:"%SystemRoot%\system32\ie4uinit.exe"
"Version"="6,0,2900,2180"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix]

[Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"ComponentID"="DOTNETFRAMEWORKS"
"IsInstalled"=dword:00000001
"StubPath"="C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install"
"Version"="1,1,0,5000"
"DontAsk"=dword:00000002

[Installed Components\{8EFA4753-7169-4CC3-A28B-0A1643B8A39B}]
"Version"="1,1,4322"
"ComponentID"="M886903"
@="Microsoft .NET Framework 1.1 Hotfix (KB886903)"
"Locale"="*"
"IsInstalled"=dword:00000001

[Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
@="Binding dati Dynamic HTML"
"ComponentID"="Tridata"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="5,5000,3130,0"

[Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}]

[Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}\0410]
"Version"="1.0.0.2"

[Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]
@="Font principali di Internet Explorer"
"ComponentID"="Fontcore"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="1,00,0000,6"

[Installed Components\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}]
"Locale"=""
"Version"="1,0,4322,1"
"ComponentID"=".NETFramework"
@=".NET Framework"

[Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
@="Utilità di pianificazione"
"ComponentID"="MSTASK"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="4,71,1968,1"

[Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
"ComponentID"="Windows Movie Maker v2.1"
"IsInstalled"=hex:01,00,00,00
"Version"="2,1,4026,0"

[Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@="Shockwave Flash"
"ComponentID"="Flash"
"IsInstalled"=hex:01,00,00,00
"Version"="9.0.28.0"
"Locale"="EN"

[Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
@="Guida HTML"
"ComponentID"="HTMLHelp"
"IsInstalled"=dword:00000001
"Locale"="*"
"Version"="4,74,9273,0"

[Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]
@="Active Directory Service Interface"
"ComponentID"="ADSI"
"IsInstalled"=hex:01,00,00,00
"Locale"="EN"
"Version"="5,0,00,0"

[Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}]
@="Q832894"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1400"
"ComponentID"="Q832894"

[Installed Components\{F2D2B58B-B2FD-46D1-8319-DCE564079934}]
@=".NET Framework"
"ComponentID"=".NETFramework"
"Version"="1,0,4322,0"
"Locale"=""

[Installed Components\{f5173cf0-1dfb-4978-8e50-a90169ee7ca9}]
@="Q823353"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1450"
"ComponentID"="Q823353"

-------------Comparing registry keys CCS1 vs CCS2 -------------
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services

Result compared: Identical


-------------Comparing registry keys CCS1 vs CCS3 -------------
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Dhcp\Configurations\\
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Dhcp\Parameters {E8E81CDF-F4EB-4ACA-9F34-70DDD1119A1D} REG_BINARY 0F000000000000000000000000000000DAEF3846F9000000000000000000000000000000DAEF384601000000000000000000000000000000DAEF38462B000000000000000000000000000000DAEF38462C000000000000000000000000000000DAEF384606000000000000000000000000000000DAEF3846
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Dhcp\Parameters {E8E81CDF-F4EB-4ACA-9F34-70DDD1119A1D} REG_BINARY 0F00000000000000000000000000000027113346F90000000000000000000000000000002711334601000000000000000000000000000000271133462B000000000000000000000000000000271133462C000000000000000000000000000000271133460600000000000000000000000000000027113346
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\MsiInstaller EventMessageFile REG_SZ C:\WINDOWS\system32\msi.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\MsiInstaller EventMessageFile REG_SZ C:\WINDOWS\System32\msi.dll
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT EventMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ c:\windows\system32\ESENT.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\ESENT CategoryMessageFile REG_EXPAND_SZ C:\WINDOWS\system32\ESENT.dll
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Eventlog\Application\MsiInstaller EventMessageFile REG_SZ C:\WINDOWS\system32\msi.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Application\MsiInstaller EventMessageFile REG_SZ C:\WINDOWS\System32\msi.dll
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\DS
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\LSA
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\NetDDE Object
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\SC Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Security Account Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\Eventlog\Security\Spooler
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\HTTP\Parameters\
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\HTTP\Parameters\
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\lanmanserver\parameters Guid REG_BINARY 4976B42B999D00469EB676E49DF67B88
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\lanmanserver\parameters Guid REG_BINARY 78498EBECF2A3647A022E0F7960C30CC
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\MRxDAV\EncryptedDirectories
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\NdisWan\Parameters\\
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\pwalker
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess Start REG_DWORD 2 (0x2)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess Start REG_DWORD 4 (0x4)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 14070 (0x36F6)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess\Epoch Epoch REG_DWORD 13993 (0x36A9)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess\Parameters\\
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\sr Start REG_DWORD 0 (0x0)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\sr Start REG_DWORD 4 (0x4)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\sr ImagePath REG_EXPAND_SZ System32\DRIVERS\sr.sys
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\sr ImagePath REG_EXPAND_SZ \SystemRoot\System32\DRIVERS\sr.sys
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\sr\Parameters FirstRun REG_DWORD 0 (0x0)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\sr\Parameters FirstRun REG_DWORD 1 (0x1)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\W32Time\TimeProviders\NtpClient SpecialPollTimeRemaining REG_MULTI_SZ time.windows.com,7a492bb\0\0\0\0\0\0\0\0\0\0\0\0
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\W32Time\TimeProviders\NtpClient SpecialPollTimeRemaining REG_MULTI_SZ time.windows.com,7a47471\0\0\0\0\0\0\0\0\0\0\0\0
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\wuauserv Start REG_DWORD 2 (0x2)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\wuauserv Start REG_DWORD 4 (0x4)

Result compared: Different


------------- Hosts File -------------


------------- Scheduled tasks -------------

31/08/2001 14.00.00 -H-R 2070 days old -- desktop.ini
28/04/2006 16.43.25 A--- 0369 days old -- FRU Task #Hewlett-Packard#hp psc 1100 series#1127560573.job
02/05/2007 22.36.09 AH-- 0000 days old -- SA.DAT
02/05/2007 22.36.09 A--- 0000 days old -- rpo.job

-------------List of running services -------------


000) "ALG" - Servizio Gateway di livello applicazione
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\alg.exe
---> SIZE = 44,544 bytes

001) "AudioSrv" - Audio Windows
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

002) "Browser" - Browser di computer
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

003) "cisvc" - Servizio di indicizzazione
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\cisvc.exe
---> SIZE = 5,632 bytes

004) "CryptSvc" - Servizi di crittografia
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

005) "DcomLaunch" - Utilità di avvio processo server DCOM
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost -k DcomLaunch
---> SIZE = 14,336 bytes

006) "Dhcp" - Client DHCP
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

007) "dmserver" - Gestione dischi logici
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

008) "Dnscache" - Client DNS
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k NetworkService
---> SIZE = 14,336 bytes

009) "ERSvc" - Servizio di segnalazione errori
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

010) "Eventlog" - Registro eventi
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\services.exe
---> SIZE = 108,544 bytes

011) "EventSystem" - Sistema di eventi COM+
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

012) "FastUserSwitchingCompatibility" - Compatibilità di Cambio rapido utente
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

013) "helpsvc" - Guida in linea e supporto tecnico
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

014) "HidServ" - HID Input Service
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

015) "Irmon" - Monitor infrarossi
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

016) "lanmanserver" - Server
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

017) "lanmanworkstation" - Workstation
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

018) "LmHosts" - Helper NetBIOS di TCP/IP
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\svchost.exe -k LocalService
---> SIZE = 14,336 bytes

019) "Netman" - Connessioni di rete
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

020) "Nla" - NLA (Network Location Awareness)
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

021) "PlugPlay" - Plug and Play
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\services.exe
---> SIZE = 108,544 bytes

022) "PolicyAgent" - Servizi IPSEC
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\System32\lsass.exe
---> SIZE = 13,312 bytes

023) "ProtectedStorage" - Archiviazione protetta
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\lsass.exe
---> SIZE = 13,312 bytes

024) "RasMan" - Connection Manager di Accesso remoto
---> STAT = (RUNNING) Started manually
---> FILE = C:\WINDOWS\System32\svchost.exe -k netsvcs
---> SIZE = 14,336 bytes

025) "RemoteRegistry" - Registro di sistema remoto
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS\system32\svchost.exe -k LocalService
---> SIZE = 14,336 bytes

026) "RpcSs" - RPC (Remote Procedure Call)
---> STAT = (RUNNING) Started automatically
---> FILE = C:\WINDOWS
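The two parts of the log above that a helper actually reads before calling it "clean" are the firewall policy export (which applications and ports are allowed through) and the ControlSet001 vs ControlSet003 comparison (which services have a different Start type in the second control set). The Python below is an added example, not part of this thread nor of SystemScan, HijackThis or GMER: it parses both formats on constructed samples copied from the log, lists enabled firewall exceptions and ports open to any address, and reports services whose Start type changed between control sets. The function and constant names are this example's own; the Start-value meanings (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) are the standard Windows service control codes.

```python
"""Added triage example (not part of the thread, nor of SystemScan, HijackThis or GMER).
Parses two formats from the log above on constructed samples copied from it: the registry
export ([Section] / "Name"=value) for the firewall policy, and the 'Comparing registry
keys' diff lines for service Start-type changes. All names here are this example's own."""
import re
from typing import Dict, List, Tuple

# Windows service Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
SECTION_RE = re.compile(r'^\[(.+)\]$')
# Only dword and quoted-string values are needed; hex:/expand:/multi: lines are skipped.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
DIFF_START_RE = re.compile(
    r'^([<>]) Value: HKEY_LOCAL_MACHINE\\system\\(controlset\d+)\\services\\(\S+) Start REG_DWORD (\d+)')

# Constructed sample: abridged copy of the firewall policy lines in the log above.
FIREWALL_EXPORT = r'''
[SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Yahoo!\Messenger\YServer.exe"="C:\Programmi\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Programmi\eMule\emule.exe"="C:\Programmi\eMule\emule.exe:*:Enabled:eMule"
[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
'''

# Constructed sample: Start-type lines from the CCS1 vs CCS3 comparison in the log above.
DIFF_SAMPLE = r'''
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess Start REG_DWORD 2 (0x2)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess Start REG_DWORD 4 (0x4)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 14070 (0x36F6)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\SharedAccess\Epoch Epoch REG_DWORD 13993 (0x36A9)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\sr Start REG_DWORD 0 (0x0)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\sr Start REG_DWORD 4 (0x4)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\wuauserv Start REG_DWORD 2 (0x2)
> Value: HKEY_LOCAL_MACHINE\system\controlset003\services\wuauserv Start REG_DWORD 4 (0x4)
'''


def parse_export(text: str) -> Dict[str, Dict[str, object]]:
    """Turn [Section] / "Name"=value lines into {section: {name: value}}."""
    sections: Dict[str, Dict[str, object]] = {}
    current: Dict[str, object] = {}
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return sections


def firewall_findings(text: str) -> Dict[str, object]:
    """Enabled application exceptions, and open ports whose scope is any address ('*')."""
    sections = parse_export(text)
    enabled_apps: List[Tuple[str, str]] = []
    open_ports_any: List[str] = []
    for section, values in sections.items():
        for raw in values.values():
            # Entries read "path:scope:Enabled:name" or "port:proto:scope:Enabled:name";
            # splitting from the right keeps the drive-letter colon inside the path.
            parts = str(raw).rsplit(':', 3)
            if len(parts) != 4 or parts[2].lower() != 'enabled':
                continue
            target, scope = parts[0], parts[1]
            if section.endswith(r'AuthorizedApplications\List'):
                enabled_apps.append((target, scope))
            elif section.endswith(r'GloballyOpenPorts\List') and scope == '*':
                open_ports_any.append(target)
    profile = sections.get(r'SharedAccess\Parameters\FirewallPolicy\StandardProfile', {})
    return {'firewall_enabled': profile.get('EnableFirewall') == 1,
            'enabled_apps': enabled_apps, 'open_ports_any_address': open_ports_any}


def service_start_changes(diff_text: str) -> List[Tuple[str, str, str]]:
    """Services whose Start type differs between the '<' and '>' control sets."""
    left: Dict[str, int] = {}
    right: Dict[str, int] = {}
    for line in diff_text.splitlines():
        m = DIFF_START_RE.match(line.strip())
        if m:
            side, _cs, service, start = m.groups()
            (left if side == '<' else right)[service] = int(start)
    return [(s, START_TYPES.get(left[s], 'unknown'), START_TYPES.get(right[s], 'unknown'))
            for s in sorted(set(left) & set(right)) if left[s] != right[s]]


if __name__ == '__main__':
    fw = firewall_findings(FIREWALL_EXPORT)
    print('firewall enabled:', fw['firewall_enabled'], '| exceptions:', fw['enabled_apps'])
    print('ports open to any address:', fw['open_ports_any_address'])
    for service, old, new in service_start_changes(DIFF_SAMPLE):
        print(f'{service}: Start {old} -> {new}')
```

Run over the full log rather than the abridged samples, the first function lists every enabled exception on this machine (eMule, Skype, the two messengers) and the ports 139/445/137/138 that the DomainProfile opens with scope `*`; the second shows what the comparison above already states, namely that SharedAccess (Windows Firewall / ICS), sr (the System Restore filter driver) and wuauserv (Automatic Updates) are at Start 2, 0 and 2 in ControlSet001 but at 4 (disabled) in ControlSet003. A spare control set in which exactly the protective services are disabled is worth examining during triage, which is the kind of thing the "clean or not" call in the replies below rests on.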
holifay
Mature God

Registered: 08/03/05 09:48
Posts: 2912
Location: Milano

Posted: 02 May 2007 23:29

Don't paste logs this long here; the forum clogs up and the logs get truncated. Upload them to www.easy-share.com and paste only the link to the files here.
Rei
Hero

Registered: 27/04/07 14:10
Posts: 75

Posted: 03 May 2007 13:10

I still haven't managed to upload the logs because it tells me "you do not have the necessary permissions"... I think it's an internet problem, since yesterday I did manage to upload some logs... I'll try again
see you soon, I hope
Rei
Hero

Registered: 27/04/07 14:10
Posts: 75

Posted: 03 May 2007 20:09    Subject: link to new logs

OK, I managed it
here are the links:

http://w13.easy-share.com/1051860.html

http://w13.easy-share.com/1051869.html

sorry again for clogging up the forum

now I still have to run gmer; last night I didn't have time, at an indecent hour it was still there working... but what should I tick, given that "show all" doesn't matter? files? system?

thanks, bye
holifay
Mature God

Registered: 08/03/05 09:48
Posts: 2912
Location: Milano

Posted: 03 May 2007 21:29

apparently the Systemscan log is clean; delete only this:
c:\windows\tasks\rpo.job

for the GMER log, start it, click ROOTKIT, don't select any option and run the scan
Rei
Hero

Registered: 27/04/07 14:10
Posts: 75

Posted: 03 May 2007 21:38

I apologize in advance for my ignorance

I started gmer, clicked on rootkit and deselected all the boxes (only C and D remain checked), but when I click scan it tells me "gmer hasn't found any system modification"

where am I going wrong?
holifay
Mature God

Registered: 08/03/05 09:48
Posts: 2912
Location: Milano

Posted: 03 May 2007 21:53

you don't have to touch anything, just open it and click SCAN