Hi, Crazy Cat, here is the ComboFix scan. I should point out that while installing it Kaspersky detected a trojan and I had to allow it to be installed. Here is the log:

ComboFix 09-04-28.03 - Administrator 29/04/2009 14.48.08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.991.616 [GMT 2:00]
Run from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
AV: Panda Antivirus + Firewall 2007 *On-access scanning enabled* (Updated)
FW: Panda Antivirus 2007 Personal Firewall *enabled*
* Created a new restore point
WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\ppcwaa.dat
c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\ppcwaa_nav.dat
c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\ppcwaa_navps.dat
c:\documents and settings\Administrator\Menu Avvio\Programmi\InternetGameBox
c:\documents and settings\Administrator\Menu Avvio\Programmi\InternetGameBox\Conditions générales.lnk
c:\documents and settings\Administrator\Menu Avvio\Programmi\InternetGameBox\Confidentialité.lnk
c:\documents and settings\Administrator\Menu Avvio\Programmi\InternetGameBox\InternetGameBox.lnk
c:\documents and settings\Administrator\Menu Avvio\Programmi\InternetGameBox\Website.lnk
C:\InfoSat.txt
.
((((((((((((((((((((((((( Files Created From 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))))))
.
2009-04-25 18:02 . 2009-04-25 18:02 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\AVS4YOU
2009-04-25 18:02 . 2009-04-25 18:02 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\AVS4YOU
2009-04-25 18:00 . 2009-04-25 18:14 -------- d-----w c:\programmi\File comuni\AVSMedia
2009-04-25 18:00 . 2009-01-28 18:49 24576 ----a-w c:\windows\system32\msxml3a.dll
2009-04-25 18:00 . 2009-04-25 18:14 -------- d-----w c:\programmi\AVS4YOU
2009-04-13 22:47 . 2009-04-13 22:47 -------- d-----w c:\programmi\YouTube Downloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 12:51 . 2008-02-13 22:54 811040 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-29 12:51 . 2008-02-13 22:54 79172 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-29 12:51 . 2008-02-13 22:54 194444 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-29 12:51 . 2008-02-13 22:54 14126368 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-16 13:29 . 2008-03-25 12:41 -------- d-----w c:\programmi\Malwarebytes' Anti-Malware
2009-04-11 14:41 . 2009-01-26 18:14 -------- d-----w c:\programmi\eMule
2009-04-06 13:32 . 2008-08-29 15:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 . 2008-05-28 18:29 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-29 14:05 . 2001-08-31 11:00 53748 ----a-w c:\windows\system32\perfc010.dat
2009-03-29 14:05 . 2001-08-31 11:00 405924 ----a-w c:\windows\system32\perfh010.dat
2009-03-27 22:32 . 2009-02-15 14:21 -------- d-----w c:\programmi\SUPERAntiSpyware
2009-03-06 19:28 . 2007-12-20 10:19 -------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2009-02-17 18:27 . 2009-02-17 18:27 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-02-07 19:53 . 2008-01-29 17:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-02-07 19:53 . 2008-02-13 22:54 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-07 19:53 . 2008-02-13 22:54 101287 ----a-w c:\windows\system32\drivers\klin.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
"SUPERAntiSpyware"="c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-27 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DAEMON Tools-1033"="c:\programmi\D-Tools\daemon.exe" [2004-08-22 81920]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-07 201992]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-03-01 577536]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-31 163840]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w c:\programmi\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Documents and Settings\\All Users\\Dati applicazioni\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Italian\\setup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R1 ShldDrv;Panda File Shield Driver; [x]
R2 PavProc;Panda Process Protection Driver; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\programmi\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
R3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w300mgmt.sys [2006-03-13 87824]
R3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w300obex.sys [2006-03-13 85696]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-02-07 33808]
S1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-27 9968]
S1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
- - - - ORPHANED KEYS REMOVED - - - -
WebBrowser-{8E41E543-E069-4197-8608-E8B4C2F75747} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.libero.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\sp7ewb9c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.it/
FF - component: c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\sp7ewb9c.default\extensions\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}\components\FFAlert.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 14:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded By Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(824)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\klogon.dll
- - - - - - - > 'explorer.exe'(2976)
c:\progra~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\MSI.DLL
c:\programmi\File comuni\Microsoft Shared\Web Components\10\1040\OWCI10.DLL
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\wdfmgr.exe
c:\programmi\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-29 14.55.06 - The PC was rebooted
ComboFix-quarantined-files.txt 2009-04-29 12:55
Pre-Run: 64.545.968.128 bytes free
Post-Run: 64.562.614.272 bytes free
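When triaging a log like the one above, the lines worth checking first are the Security Center `DisableMonitoring` values (normally set by an installed AV suite to silence its own alerts, but also a favourite of malware), the firewall `AuthorizedApplications` exceptions (here two P2P clients), services whose binary is missing (`[x]`) and orphaned autostart entries (`(no file)`). The following Python script is an added example, not part of the forum post or of ComboFix; it parses a constructed excerpt of the log above and pulls out exactly those items. The function names and the excerpt are the author's own choices.

```python
"""Triage helper for ComboFix-style logs.

Added example, not part of the forum post or of ComboFix itself. SAMPLE_LOG is
a constructed excerpt of the log posted above, reduced to the lines the
helpers below look at.
"""
import re

# Constructed excerpt of the posted log (REGEDIT4 block, firewall list,
# service lines and one orphaned key). Double backslashes inside the quoted
# firewall paths are literal, as ComboFix prints them.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"%windir%\\\\system32\\\\sessmgr.exe"=
"c:\\\\Programmi\\\\LimeWire\\\\LimeWire.exe"=
"c:\\\\Programmi\\\\eMule\\\\emule.exe"=
R1 ShldDrv;Panda File Shield Driver; [x]
R2 PavProc;Panda Process Protection Driver; [x]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\\windows\\system32\\drivers\\klbg.sys [2009-02-07 33808]
WebBrowser-{8E41E543-E069-4197-8608-E8B4C2F75747} - (no file)
"""

# ComboFix service lines: "<start type> <name>;<display name>;<image path or [x]>"
SERVICE_RE = re.compile(r"^([RS]\d) (\S+?);(.*?);(.*)$")


def parse_reg_values(text):
    """Yield (key, value name, data) for every "name"=data line under a [key] header."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            yield key, name, data


def security_center_suppressed(text):
    """Names of Security Center monitoring entries whose DisableMonitoring is 1."""
    found = []
    for key, name, data in parse_reg_values(text):
        if "security center\\Monitoring" in key and name == "DisableMonitoring":
            if data.startswith("dword:") and int(data[6:], 16) == 1:
                found.append(key.rsplit("\\", 1)[-1])
    return found


def firewall_exceptions(text):
    """Executables allowed through the Windows Firewall standard profile."""
    return [name.replace("\\\\", "\\") for key, name, _ in parse_reg_values(text)
            if key.endswith("AuthorizedApplications\\List")]


def services_missing_binary(text):
    """(start type, service name) for services ComboFix marks as [x] (file not found)."""
    missing = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m and m.group(4).strip() == "[x]":
            missing.append((m.group(1), m.group(2)))
    return missing


def orphaned_entries(text):
    """Autostart/BHO entries whose target file no longer exists."""
    return [line.split(" - ")[0] for line in text.splitlines()
            if line.endswith("(no file)")]


if __name__ == "__main__":
    print("Security Center monitoring disabled for:", security_center_suppressed(SAMPLE_LOG))
    print("Firewall exceptions:", firewall_exceptions(SAMPLE_LOG))
    print("Services with missing binary:", services_missing_binary(SAMPLE_LOG))
    print("Orphaned entries:", orphaned_entries(SAMPLE_LOG))
```

None of these findings is proof of infection on its own: AV suites disable Security Center monitoring for themselves, and a leftover `[x]` driver is typical of a half-uninstalled product. The script only surfaces the lines that need a human decision.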