WiredWX Christian Hobby Weather Tools
Excessive activity after Trojan Zlob.G removal
Hi,

I am experiencing a huge activity by the two processes

ZCfgSvc.exe
iFrmewrk.exe

This happened after the removal of the Trojan Zlob.G performed yesterday with your support.
Do you have any idea about this issue?

Pietro Centoletti

Re: Excessive activity after Trojan Zlob.G removal
Please post a new Hijack This.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Excessive activity after Trojan Zlob.G removal
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.29.10, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programmi\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080529-0018\soffice.exe
C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\tmp\HiJack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.it/8SEITIT020600TBR/InstallTBSite
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Programmi\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SODCPreLoad] C:\Programmi\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080529-0018\preload.exe C:\Programmi\IBM\Lotus\Symphony\data\.sodc\
O4 - HKLM\..\Run: [TradeManager] C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe
O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Programmi\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &MSN Search - res://C:\Programmi\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\MSN Toolbar Suite\it-it\msntabres.dll.mui/230?f50c01e484784d0cb9f752d118c384fd
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\MSN Toolbar Suite\it-it\msntabres.dll.mui/229?f50c01e484784d0cb9f752d118c384fd
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{56E97172-F53E-4B5B-9397-5DD9C9613F4C}: NameServer = 151.99.125.1,151.99.0.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2976041-F1D1-4C9D-8248-EE30BC6DC966}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programmi\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9738 bytes

Re: Excessive activity after Trojan Zlob.G removal

Let's see what CF has to say.


  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.


  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.


  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: Excessive activity after Trojan Zlob.G removal
ComboFix 08-12-09.03 - Pietro Centoletti 2008-12-11 19.49.33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1357 [GMT 1:00]
Eseguito da: c:\tmp\ComboFix.exe
.

((((((((((((((((((((((((( Files Creati Da 2008-11-11 al 2008-12-11 )))))))))))))))))))))))))))))))))))
.

2008-12-10 23:40 . 2008-12-10 23:40 d-------- c:\programmi\Java
2008-12-10 23:40 . 2008-12-10 23:40 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-10 23:40 . 2008-12-10 23:40 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-10 22:49 . 2008-12-10 22:49 d-------- C:\_OTMoveIt
2008-12-10 20:52 . 2008-12-10 20:52 1,152 --a------ c:\windows\system32\windrv.sys
2008-12-10 18:22 . 2008-12-10 19:30 d-a------ c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-12-10 16:49 . 2008-12-10 16:49 d-------- c:\programmi\Enigma Software Group
2008-12-10 16:10 . 2008-12-10 16:48 d-------- c:\documents and settings\Pietro Centoletti\Dati applicazioni\SUPERAntiSpyware.com
2008-12-10 16:10 . 2008-12-10 16:10 d-------- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-11-23 11:46 . 2008-11-23 11:47 d-------- C:\Misc
2008-11-12 07:07 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 07:06 . 2008-09-04 18:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 14:02 51,716 ----a-w c:\windows\system32\pdf995mon.dll
2008-12-11 14:02 249,856 ----a-w c:\windows\system32\pdfmona.dll
2008-12-11 08:49 --------- d-----w c:\programmi\Mozilla Thunderbird
2008-12-10 19:16 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\Skype
2008-12-10 17:05 --------- d-----w c:\programmi\InterVideo
2008-12-10 17:04 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\skypePM
2008-12-10 15:48 --------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2008-12-05 11:43 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\pdf995
2008-11-13 12:36 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\FileZilla
2008-11-12 07:55 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\AdobeUM
2008-11-12 07:49 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-12 07:49 --------- d-----w c:\programmi\File comuni\InterVideo
2008-11-06 07:32 90,632 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-11-05 13:05 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\InterVideo
2008-10-30 06:40 98,440 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:35 8,552 ----a-w c:\windows\system32\drivers\asctrm.sys
2008-10-23 10:14 --------- d-----w c:\programmi\Skype
2008-10-23 07:39 --------- d-----w c:\programmi\File comuni\Real
2008-10-23 07:16 --------- d-----w c:\programmi\Alibaba
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:24 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-07-22 07:27 608 --sha-w c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-10_22.20.51,79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-17 06:11:46 124,520 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-10 22:38:03 124,520 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2005-11-10 09:27:06 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-12-10 22:40:06 144,792 ----a-w c:\windows\system32\java.exe
- 2005-11-10 09:27:16 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-10 22:40:06 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 11:03:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-10 22:40:06 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-10 19:16:53 9,264 ----a-w c:\windows\system32\msqtvcap.dat
+ 2008-12-11 17:31:35 9,264 ----a-w c:\windows\system32\msqtvcap.dat
- 2008-07-10 16:41:52 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ps5ui.dll
+ 2008-12-11 14:02:20 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ps5ui.dll
- 2008-07-10 16:41:52 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ui5.DLL
+ 2008-12-11 14:02:20 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ui5.DLL
- 2008-07-10 16:41:52 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pscript5-32.dll
+ 2008-12-11 14:02:20 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pscript5-32.dll
- 2008-07-10 16:41:52 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ps5ui.dll
+ 2008-12-11 14:02:20 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ps5ui.dll
- 2008-07-10 16:41:50 218,816 ----a-w c:\windows\system32\spool\drivers\w32x86\Pdf995ui.dll
+ 2008-12-11 14:02:17 218,816 ----a-w c:\windows\system32\spool\drivers\w32x86\Pdf995ui.dll
- 2008-07-10 16:41:52 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ui5.DLL
+ 2008-12-11 14:02:20 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ui5.DLL
- 2008-07-10 16:41:50 225,648 ----a-w c:\windows\system32\spool\drivers\w32x86\Pscript.dll
+ 2008-12-11 14:02:17 225,648 ----a-w c:\windows\system32\spool\drivers\w32x86\Pscript.dll
- 2008-07-10 16:41:52 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\pscript5-32.dll
+ 2008-12-11 14:02:20 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\pscript5-32.dll
+ 2008-12-11 17:30:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_278.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\programmi\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 65536]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-06-03 21718312]
"updateMgr"="c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TradeManager"="c:\progra~1\Alibaba\TRADEM~1\TradeManager -hideframe" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-17 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"THotkey"="c:\programmi\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"Tvs"="c:\programmi\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\programmi\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"SODCPreLoad"="c:\programmi\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080529-0018\preload.exe" [2008-07-09 40960]
"RealTray"="c:\programmi\Real\RealPlayer\RealPlay.exe" [2008-10-23 26112]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-12-10 136600]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-04 c:\windows\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
InterVideo WinCinema Manager.lnk - c:\programmi\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-09-15 200704]
Windows Desktop Search.lnk - c:\programmi\Windows Desktop Search\WindowsSearch.exe [2006-03-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.jcl.desktop.win32.x86_6.2.0.200805061024\\jre\\bin\\expeditorw.exe"=
"c:\\OrCAD\\OrCAD_10.3i\\tools\\bin\\cdsMsgServer.exe"=
"c:\\OrCAD\\OrCAD_10.3i\\tools\\bin\\cdsNameServer.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-07-09 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-09 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-09 90632]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-24 874776]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-09 231704]
R3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-09-18 7040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contenuto della cartella 'Scheduled Tasks'

2008-12-11 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-08-11 06:29]
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\programmi\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementare di scansione -------
.
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = hxxp://g.msn.it/8SEITIT020600TBR/InstallTBSite
uSearchURL,(Default) = hxxp://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
IE: &MSN Search - c:\programmi\MSN Toolbar Suite\msntb.dll/search.htm
IE: Apri in nuova scheda in primo piano - c:\programmi\MSN Toolbar Suite\it-it\msntabres.dll.mui/230?f50c01e484784d0cb9f752d118c384fd
IE: Apri in nuova scheda in secondo piano - c:\programmi\MSN Toolbar Suite\it-it\msntabres.dll.mui/229?f50c01e484784d0cb9f752d118c384fd
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {56E97172-F53E-4B5B-9397-5DD9C9613F4C} = 151.99.125.1,151.99.0.100
TCP: {D2976041-F1D1-4C9D-8248-EE30BC6DC966} = 151.99.125.1,151.99.0.100
FireFox -: Profile - c:\documents and settings\Pietro Centoletti\Dati applicazioni\Mozilla\Firefox\Profiles\pduw15ky.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.it/
FF -: plugin - c:\programmi\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 19:50:53
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASCTRM]
"ImagePath"="\??\c:\windows\system32"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\avgrsstx.dll
.
Ora fine scansione: 2008-12-11 19.51.40
ComboFix-quarantined-files.txt 2008-12-11 18:51:31
ComboFix2.txt 2008-12-10 21:22:16

Pre-Run: 176.410.464.256 byte disponibili
Post-Run: 176,405,286,912 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

210 --- E O F --- 2008-11-12 13:20:10

Re: Excessive activity after Trojan Zlob.G removal
Now the two processes are not running. Is it helpful for your analysis?

Re: Excessive activity after Trojan Zlob.G removal
Hello.
Log looks clean.

Delete this folder:
C:\_OTMoveIt


Re: Excessive activity after Trojan Zlob.G removal
OK.

Re: Excessive activity after Trojan Zlob.G removal

Anything else to perform? I would like to reboot the machine to see if all is working fine.

Re: Excessive activity after Trojan Zlob.G removal
Hello.
Is this a different machine from the last thread? CF is showing an old presence of Java on the machine.


Re: Excessive activity after Trojan Zlob.G removal

No, it is the same. I performed the installation of the JVM as you indicated to me yesterday. Anyway, after the reboot the two processes are running again. They take between 48% and 62% of the CPU usage.

Re: Excessive activity after Trojan Zlob.G removal
Hello.
They are (I'm assuming) for your wireless connection.

O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

See, the two file names are the ones you are pointing out.

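As an added example (not part of this thread and not HijackThis code), the following Python script does the matching the admin does by eye above: it parses the "Running processes", O4 and O23 lines of a HijackThis log and reports which autostart entry accounts for each running process, so a process with no such entry stands out. The embedded log is a constructed excerpt in the same format as the log posted earlier, not the full log.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt in HijackThis v2.0.2 format (same layout as the posted log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\tmp\HiJack(GP)This.exe

O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23: "O23 - Service: <display name> - <vendor> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
BARE_RE = re.compile(r"^(.+?\.exe)(?=\s|$)", re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, dropping its arguments.
    Handles quoted paths, unquoted paths with spaces, and bare names like RTHDCPL.EXE."""
    cmd = cmd.strip()
    m = QUOTED_RE.match(cmd) or BARE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def basename(path: str) -> str:
    """Case-insensitive file name: the key a HijackThis reader matches on by eye.
    Bare names and 8.3 paths (PROGRA~1) mean the directory cannot be compared reliably."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (running processes, {file name: [autostart descriptions]})."""
    processes: List[str] = []
    autostarts: Dict[str, List[str]] = defaultdict(list)
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line closes the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            path = image_path(m["cmd"])
            autostarts[basename(path)].append(f"O4 {m['loc']} [{m['name']}] -> {path}")
            continue
        m = O23_RE.match(line)
        if m:
            autostarts[basename(m["path"])].append(f"O23 service {m['name']} -> {m['path']}")
    return processes, dict(autostarts)


def explain_processes(text: str) -> Dict[str, List[str]]:
    """Map each running process to the autostart entries that can launch it.
    Matching is by file name only, so the recorded path is kept in the description
    for the reader to compare directories against the running image."""
    processes, autostarts = parse_log(text)
    return {p: autostarts.get(basename(p), []) for p in processes}


def unexplained(text: str) -> List[str]:
    """Running processes with no O4/O23 entry: started by hand, by a parent process,
    or by a hook this script does not parse. These deserve a closer look."""
    return [p for p, sources in explain_processes(text).items() if not sources]


if __name__ == "__main__":
    for proc, sources in explain_processes(SAMPLE_LOG).items():
        print(proc)
        for s in sources or ["    (no O4/O23 autostart entry found)"]:
            print("   ", s)
```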

Re: Excessive activity after Trojan Zlob.G removal

Those are the two processes that are consuming my CPU time.

Re: Excessive activity after Trojan Zlob.G removal

Hello.
We can easily kill them at startup, but then your net connection may not work.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless


  • Press "Fix Checked"
  • Close Hijack This.
  • Reboot your machine and see if your net connection still works.


If the net connection doesn't work:


  • Open HijackThis
  • Choose "View list of backups"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless


  • Press "Restore"
  • Close Hijack This.
  • Reboot your machine again.


Re: Excessive activity after Trojan Zlob.G removal

Hi,

Excuse me for the delay. It did not work. I had to restore the two boxes.
Now I need to stop for two hours. I have a meeting for house problems. Let us update after or tomorrow.

Re: Excessive activity after Trojan Zlob.G removal

After rebooting, if I manually stop the two processes all is working. I mean, also the Internet connectivity is up after stopping the two processes.

Re: Excessive activity after Trojan Zlob.G removal
Good.
Does the machine seem faster now it's stopped eating the processor?


Re: Excessive activity after Trojan Zlob.G removal
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
