I have an infection detected by ComboFix, who can help me with the log
Posted: Fri Sep 18, 2009 7:34 am
by giovannino60
On a PC with Windows 2000 I ran a ComboFix scan; the log shows an infection. What can I do to remove it? Thanks. I am also attaching the MBAM log.
MBAM log
ComboFix 09-09-13.05 - Administrator 16/09/2009 14.52.15.7.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.39.1040.18.480.306 [GMT 2:00]
Running from: c:\antivi~1\Combofix\ComboFix.exe
WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\system32\comres.dll . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OREANS32
-------\Service_oreans32
((((((((((((((((((((((((( Files Created From 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))))))
.
2009-09-16 13:02 . 2009-09-16 13:02 16384 -c--atw- c:\winnt\system32\Perflib_Perfdata_4b4.dat
2009-09-16 13:02 . 2009-09-16 13:02 16384 -c--atw- c:\winnt\system32\Perflib_Perfdata_20c.dat
2009-09-16 13:02 . 2009-09-16 13:02 16384 -c--atw- c:\winnt\system32\Perflib_Perfdata_23c.dat
2009-09-16 13:02 . 2009-09-16 13:02 0 -c--atw- c:\winnt\system32\Perflib_Perfdata_260.dat
2009-09-15 12:17 . 2009-09-15 14:35 -------- dc----w- c:\winnt\system32\Lavan
2009-09-14 05:53 . 2009-09-14 05:53 33952 -c--a-w- c:\winnt\system32\drivers\oreans32.sys
2009-09-14 05:49 . 2009-03-24 00:03 214 -c--a-w- c:\winnt\system32\edit.BAT
2009-09-14 05:49 . 2005-11-06 13:18 24064 -c--a-w- c:\winnt\system32\devcheck.exe
2009-09-14 05:49 . 2009-03-24 22:52 796112 -c--a-w- c:\winnt\system32\updater32.exe
2009-09-14 05:49 . 2005-11-06 13:18 29696 -c--a-w- c:\winnt\system32\Libparse.exe
2009-09-13 21:13 . 2009-09-13 21:13 7163936 -c--a-w- C:\SUPERAntiSpyware.exe
2009-09-13 21:04 . 2009-09-13 21:14 -------- dc----w- c:\programmi\SUPERAntiSpyware
2009-09-13 18:07 . 2009-09-13 18:48 -------- dc----w- c:\programmi\File comuni\Wise Installation Wizard
2009-09-08 13:11 . 2009-09-08 13:11 -------- dc----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-09-08 13:11 . 2009-08-03 11:36 38160 -c--a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-08 13:11 . 2009-09-08 13:15 -------- dc----w- c:\programmi\Malwarebytes' Anti-Malware
2009-09-08 13:11 . 2009-09-08 13:11 -------- dc----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-09-08 13:11 . 2009-08-03 11:36 18456 -c--a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-07 13:18 . 2009-09-07 13:18 -------- dc----w- c:\documents and settings\Administrator\Dati applicazioni\TeamViewer
2009-09-07 13:17 . 2009-09-07 13:17 -------- dc----w- c:\documents and settings\Administrator\temp
2009-09-07 12:52 . 2009-09-07 12:52 -------- dc----w- C:\Assistenza remota
2009-09-06 17:55 . 2009-09-06 17:55 -------- dc----w- c:\programmi\Lavalys
2009-09-06 13:04 . 2006-02-14 14:18 32768 -c--a-w- c:\winnt\system32\drivers\sisnic2k.sys
2009-09-06 13:04 . 2009-09-06 13:04 -------- dc----w- C:\Scheda di rete SIS 900
2009-09-01 17:37 . 2003-06-19 10:05 22768 -c--a-w- c:\winnt\system32\dllcache\usbser.sys
2009-09-01 17:36 . 1999-12-22 20:11 17584 -c--a-w- c:\winnt\system32\dllcache\sermouse.sys
2009-09-01 17:35 . 1999-12-22 20:06 29072 -c--a-w- c:\winnt\system32\dllcache\ntepc.sys
2009-09-01 17:34 . 1999-11-06 03:23 9488 -c--a-w- c:\winnt\system32\dllcache\mraid35x.sys
2009-09-01 17:33 . 1999-12-22 20:01 27184 -c--a-w- c:\winnt\system32\dllcache\lanepic5.sys
2009-09-01 17:33 . 1999-12-22 20:56 18192 -c--a-w- c:\winnt\system32\dllcache\kousd.dll
2009-09-01 17:33 . 1999-12-22 20:58 20240 -c--a-w- c:\winnt\system32\dllcache\kod2x0.dll
2009-09-01 17:33 . 1999-12-22 20:58 17680 -c--a-w- c:\winnt\system32\dllcache\kdusd.dll
2009-09-01 17:33 . 1999-12-22 20:56 8464 -c--a-w- c:\winnt\system32\dllcache\kbdkor.dll
2009-09-01 17:33 . 1999-12-22 20:56 8976 -c--a-w- c:\winnt\system32\dllcache\kbdjpn.dll
2009-09-01 17:33 . 1999-12-22 20:00 13776 -c--a-w- c:\winnt\system32\dllcache\kbdhid.sys
2009-09-01 17:33 . 1999-12-22 20:56 7440 -c--a-w- c:\winnt\system32\dllcache\kbd106.dll
2009-09-01 17:33 . 1999-12-22 20:56 6928 -c--a-w- c:\winnt\system32\dllcache\kbd101c.dll
2009-09-01 17:33 . 1999-12-22 20:56 6416 -c--a-w- c:\winnt\system32\dllcache\kbd103.dll
2009-09-01 17:33 . 1999-12-22 20:56 6416 -c--a-w- c:\winnt\system32\dllcache\kbd101b.dll
2009-09-01 17:33 . 2003-06-19 10:05 9968 -c--a-w- c:\winnt\system32\dllcache\jvcmc.sys
2009-09-01 17:33 . 1999-12-22 20:58 45840 -c--a-w- c:\winnt\system32\dllcache\iyuv_32.dll
2009-09-01 17:31 . 1999-12-22 19:56 16112 -c--a-w- c:\winnt\system32\dllcache\gpr400.sys
2009-09-01 17:30 . 1999-12-22 19:55 227664 -c--a-w- c:\winnt\system32\dllcache\es56pci.sys
2009-09-01 17:29 . 1999-12-22 19:50 25360 -c--a-w- c:\winnt\system32\dllcache\cem56n5.sys
2009-09-01 17:28 . 2003-06-19 10:05 64432 -c--a-w- c:\winnt\system32\dllcache\adpu160m.sys
2009-09-01 17:28 . 1999-09-25 01:16 36368 -c--a-w- c:\winnt\system32\dllcache\adptsf50.sys
2009-09-01 17:24 . 1999-09-25 01:17 17712 -c--a-w- c:\winnt\system32\dllcache\tsbmce.sys
2009-09-01 17:23 . 1999-12-22 20:58 107792 -c--a-w- c:\winnt\system32\dllcache\digidbp.dll
2009-09-01 17:23 . 1999-12-22 20:56 13072 -c--a-w- c:\winnt\system32\dllcache\dspimg32.dll
2009-09-01 17:23 . 1999-12-22 20:56 7440 -c--a-w- c:\winnt\system32\dllcache\dr3020.dll
2009-09-01 17:23 . 1999-09-25 01:17 23216 -c--a-w- c:\winnt\system32\dllcache\dlh5xnd5.sys
2009-09-01 17:23 . 1999-10-12 21:35 31888 -c--a-w- c:\winnt\system32\dllcache\brzwlan.sys
2009-09-01 17:23 . 1999-09-30 21:03 39680 -c--a-w- c:\winnt\system32\dllcache\cb325.sys
2009-09-01 17:23 . 1999-12-22 20:55 7440 -c--a-w- c:\winnt\system32\dllcache\af450.dll
2009-09-01 17:23 . 1999-10-21 21:09 42192 -c--a-w- c:\winnt\system32\dllcache\atibt829.sys
2009-09-01 17:23 . 1999-10-21 21:09 16976 -c--a-w- c:\winnt\system32\dllcache\atitvsnd.sys
2009-09-01 17:23 . 1999-09-25 01:16 17168 -c--a-w- c:\winnt\system32\dllcache\amb8002.sys
2009-09-01 17:18 . 2003-06-19 10:05 10928 -c--a-w- c:\winnt\system32\dllcache\4mmdat.sys
2009-09-01 17:18 . 1999-12-22 20:57 92432 -c--a-w- c:\winnt\system32\dllcache\acq32.dll
2009-09-01 17:18 . 1999-12-22 20:57 38320 -c--a-w- c:\winnt\system32\dllcache\8514a.dll
2009-09-01 17:18 . 1999-11-01 22:42 801072 -c--a-w- c:\winnt\system32\dllcache\3cpciadi.sys
2009-09-01 17:18 . 2003-06-19 10:05 40752 -c--a-w- c:\winnt\system32\dllcache\1394bus.sys
2009-09-01 17:18 . 1999-10-07 21:29 22992 -c--a-w- c:\winnt\system32\dllcache\15_16wdm.sys
2009-09-01 17:18 . 1999-09-25 05:55 792176 -c--a-w- c:\winnt\system32\dllcache\3cisaadi.sys
2009-09-01 17:18 . 1999-09-25 05:55 774928 -c--a-w- c:\winnt\system32\dllcache\3cisati.sys
2009-09-01 17:18 . 1999-09-25 05:55 763024 -c--a-w- c:\winnt\system32\dllcache\3cwmcru.sys
2009-08-29 16:16 . 2009-08-29 16:16 -------- dc----w- C:\VundoFix Backups
2009-08-17 17:26 . 2008-04-13 10:07 519374 -csha-r- C:\hhnehs.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 21:14 . 2008-08-05 17:54 -------- dc----w- c:\documents and settings\Administrator\Dati applicazioni\SUPERAntiSpyware.com
2009-09-06 18:01 . 2009-01-29 18:47 664 -c--a-w- c:\winnt\system32\d3d9caps.dat
2009-09-06 13:26 . 2004-05-08 20:26 -------- dc-h--w- c:\programmi\InstallShield Installation Information
2009-08-29 06:53 . 2008-05-03 21:56 -------- dc--a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-08-15 13:52 . 2009-08-15 13:52 0 -c--a-w- c:\winnt\nsreg.dat
2009-08-15 13:39 . 2009-08-15 13:39 7868464 -c--a-w- C:\Firefox Setup 3.5.2.exe
2009-08-15 01:02 . 2008-01-25 13:23 -------- dc----w- c:\programmi\XoftSpySE
2004-05-08 19:48 . 2004-05-08 19:48 22075 -c-h--w- c:\programmi\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 68856]
"SUPERAntiSpyware"="c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\winnt\system32\sistray.EXE" [2001-10-11 319488]
"SiS KHooker"="c:\winnt\system32\khooker.exe" [2001-12-13 290816]
"SiS7012Utility"="c:\winnt\system32\SiSAudUt.exe" [2001-11-21 294912]
"Multimedir KBD"="c:\programmi\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe" [2001-11-27 1212416]
"MemoREX"="c:\progra~1\MemoRex\MemoRexStart.exe" [2003-07-29 332288]
"Privacy"="c:\programmi\pfw\pfw.exe" [2002-01-23 1126400]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2004-05-09 77824]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-05-25 148888]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-26 111376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" - c:\winnt\system32\internat.exe [2003-06-26 20752]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\programmi\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-26 188176]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2008-1-9 212992]
HP Digital Imaging Monitor.lnk - c:\programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
msupdate.exe [2007-10-8 2478080]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 -c--a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.dll
R?2 jacfnjp;Driver Task;c:\winnt\system32\svchost.exe -k netsvcs [26/06/2003 14.00.00 7952]
R?2 yhmgmcq;Support Helper;c:\winnt\system32\svchost.exe -k netsvcs [26/06/2003 14.00.00 7952]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [05/08/2008 16.53.02 114768]
R1 oreans32;oreans32;c:\winnt\system32\drivers\oreans32.sys [14/09/2009 7.53.18 33952]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [04/09/2009 14.50.00 9968]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [04/09/2009 14.49.58 74480]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [05/08/2008 16.53.02 20560]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [05/08/2008 16.53.02 93296]
R2 cpwnt;cpwnt;c:\winnt\system32\drivers\Cpwnt.sys [09/05/2004 9.21.48 21824]
R2 eusk2par;EUTRON SmartKey Parallel Driver;c:\winnt\system32\drivers\eusk2par.sys [29/09/2006 18.37.26 16695]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\winnt\system32\drivers\ntspppoe.sys [09/01/2008 20.38.18 161640]
R3 openhci;Driver controller host USB Open Microsoft ;c:\winnt\system32\drivers\openhci.sys [26/06/2003 14.00.00 24784]
R3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [04/09/2009 14.50.02 7408]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [08/05/2004 22.00.04 165760]
R3 SISNIC2K;SiS PCI Fast Ethernet Adapter Driver for NDIS5;c:\winnt\system32\drivers\sisnic2k.sys [06/09/2009 15.04.28 32768]
S2 CPUSB;CPUsb.Sys driver;c:\winnt\system32\drivers\CPUSB.sys [04/02/2005 9.37.01 17080]
S2 Microsoft PowerPoint Application;Microsoft PowerPoint Application;"c:\winnt\system32\dllcache\winppa.exe" c:\winnt\system32\dllcache\winppa.exe
S2 PPPoEService;PPPoE Service;c:\progra~1\Alice\ALICEE~1\app\pppoeservice.exe [09/01/2008 20.38.27 49152]
S3 NTSTPL1;NTSTPL1;c:\progra~1\Alice\ALICEE~1\app\NTSTPL1.SYS [09/01/2008 20.38.27 16096]
S3 RAWESR;RAWESR;c:\progra~1\Alice\ALICEE~1\app\RAWESR.SYS [09/01/2008 20.38.26 12924]
S3 Slnt7554;USB Soft Modem Driver;c:\winnt\system32\drivers\slnt7554.sys [09/08/2006 15.28.19 205080]
S3 TAPBIND;TAPBIND;c:\progra~1\Alice\ALICEE~1\app\TAPBIND1.SYS [07/12/2006 18.31.44 44544]
S3 usb_rndisy;USB RNDIS Adapter;c:\winnt\system32\drivers\usb8023y.sys [29/11/2005 14.58.14 14336]
S3 V90drv;v90drv;c:\winnt\system32\drivers\v90drv.sys [09/08/2006 15.28.20 1266592]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - OREANS32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gfqkd
pvwlxwhs
jxigky
lueanqqiv
jacfnjp
yhmgmcq
.
Contents of the 'Scheduled Tasks' folder
2009-08-29 c:\winnt\Tasks\XoftSpySE 2.job
- c:\programmi\XoftSpySE\XoftSpy.exe [2008-01-25 16:34]
2009-08-15 c:\winnt\Tasks\XoftSpySE.job
- c:\programmi\XoftSpySE\XoftSpy.exe [2008-01-25 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://virgilio.alice.it/indexbb.html
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.alice.it/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\c95j22zs.default\
FF - prefs.js: browser.startup.homepage - http:/alice.it
FF - plugin: c:\progra~1\MOZILL~1\plugins\npnul32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\programmi\Java\jre1.5.0_16\bin\NPOJI610.dll
.
.
------- File Associations -------
.
exefile=c:\documents and settings\all users\menu avvio\programmi\esecuzione automatica\msupdate.exe "%1 %*"
.
- - - - ORPHANS REMOVED - - - -
BHO-{45FDC90F-49F6-4119-8605-003140779B91} - (no file)
BHO-{7321D151-F956-4C57-8BC8-5893AC2C63F8} - (no file)
HKLM-Run-HPUsageTracking - c:\programmi\Hewlett-Packard\HP UT\bin\hppusg.exe
HKU-Default-Run-Windows Networking Monitoring - c:\winnt\system32\mdm.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 15:03
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000020
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000013
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(188)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(1764)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\OLEACC.dll
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2009-09-16 15.09.41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 13:09
ComboFix2.txt 2009-09-13 20:49
Pre-Run: 12.842.901.504 bytes free
Post-Run: 12.857.720.832 bytes free
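Triage of the indicators in the log above, as an added example (Python written for this page; it is not ComboFix code and not part of the original post). It embeds a handful of lines excerpted from the log as constructed sample input and extracts the items a responder would act on first: the exefile open command, the svchost netsvcs group members and whether a service definition still exists for each, services whose binary lives under dllcache, bare executables in the Startup folder, and files carrying system+hidden attributes. The decoding of ComboFix's attribute string (d=directory, s=system, h=hidden, a=archive, t=temporary, r/w=read-only/writable) is inferred from the patterns visible in the log, and the "bare .exe in Startup is suspicious" rule is a heuristic; both are assumptions.

```python
"""Triage a ComboFix log for the autostart indicators a responder checks first.
Added example for this page; not ComboFix code and not from the original post."""
import re

# Constructed sample input: lines excerpted verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
2009-09-14 05:53 . 2009-09-14 05:53 33952 -c--a-w- c:\winnt\system32\drivers\oreans32.sys
2009-09-13 21:13 . 2009-09-13 21:13 7163936 -c--a-w- C:\SUPERAntiSpyware.exe
2009-08-17 17:26 . 2008-04-13 10:07 519374 -csha-r- C:\hhnehs.exe
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2008-1-9 212992]
msupdate.exe [2007-10-8 2478080]
R?2 jacfnjp;Driver Task;c:\winnt\system32\svchost.exe -k netsvcs [26/06/2003 14.00.00 7952]
R?2 yhmgmcq;Support Helper;c:\winnt\system32\svchost.exe -k netsvcs [26/06/2003 14.00.00 7952]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [05/08/2008 16.53.02 114768]
S2 Microsoft PowerPoint Application;Microsoft PowerPoint Application;"c:\winnt\system32\dllcache\winppa.exe" c:\winnt\system32\dllcache\winppa.exe
S2 PPPoEService;PPPoE Service;c:\progra~1\Alice\ALICEE~1\app\pppoeservice.exe [09/01/2008 20.38.27 49152]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gfqkd
pvwlxwhs
jxigky
lueanqqiv
jacfnjp
yhmgmcq
.
exefile=c:\documents and settings\all users\menu avvio\programmi\esecuzione automatica\msupdate.exe "%1 %*"
"""

# "created . modified  size  attrs  path"; attrs decoding is assumed from the log's
# own patterns: d=directory, s=system, h=hidden, a=archive, t=temporary, r/w=read-only/writable.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\S+)\s+([a-z-]{8})\s+(.+)$")
# "R?2 name;display;image [info]"  (R = running, S = stopped, '?' where ComboFix prints one)
SVC_RE = re.compile(r"^([RS])(\??\d)\s+([^;]+);([^;]*);(.+)$")
# A bare executable listed in the Startup folder (normal entries there are .lnk shortcuts).
STARTUP_EXE_RE = re.compile(r"^([\w.-]+\.exe)\s+\[", re.IGNORECASE)
EXEFILE_DEFAULT = '"%1" %*'   # stock HKCR\exefile\shell\open\command value


def triage(log_text):
    """Return the indicators found in a ComboFix log as a dict of findings."""
    f = {"hidden_system_files": [], "netsvcs_group": [], "svchost_netsvcs_services": {},
         "dllcache_services": [], "startup_folder_exes": [], "exefile_command": None}
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:                      # one bare service name per line until the section ends
            if re.fullmatch(r"\w+", line):
                f["netsvcs_group"].append(line)
                continue
            in_netsvcs = False
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = FILE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            if "d" not in attrs and "s" in attrs and "h" in attrs:
                f["hidden_system_files"].append((path, attrs))
            continue
        m = SVC_RE.match(line)
        if m:
            _state, _start, name, display, image = m.groups()
            if "svchost.exe -k netsvcs" in image.lower():
                f["svchost_netsvcs_services"][name] = display
            if "\\dllcache\\" in image.lower():
                f["dllcache_services"].append((name, image.split(" [")[0].strip()))
            continue
        m = STARTUP_EXE_RE.match(line)
        if m:
            f["startup_folder_exes"].append(m.group(1))
            continue
        if line.lower().startswith("exefile="):
            f["exefile_command"] = line.split("=", 1)[1]
    return f


def exefile_is_hijacked(command):
    """True unless the exefile open command is the stock one (None = not in the log)."""
    return command is not None and command.strip() != EXEFILE_DEFAULT


def orphan_netsvcs(findings):
    """netsvcs group members for which the log shows no service definition any more."""
    return [n for n in findings["netsvcs_group"] if n not in findings["svchost_netsvcs_services"]]


def report(findings):
    """Human-readable findings, most urgent first."""
    out = []
    if exefile_is_hijacked(findings["exefile_command"]):
        out.append("exefile handler hijacked: " + findings["exefile_command"])
    for name, disp in findings["svchost_netsvcs_services"].items():
        out.append(f"svchost netsvcs service {name!r} ({disp})")
    for name in orphan_netsvcs(findings):
        out.append(f"netsvcs group entry {name!r} with no service definition")
    for name, image in findings["dllcache_services"]:
        out.append(f"service {name!r} runs from dllcache: {image}")
    for exe in findings["startup_folder_exes"]:
        out.append(f"bare executable in Startup folder: {exe}")
    for path, attrs in findings["hidden_system_files"]:
        out.append(f"system+hidden file: {path} [{attrs}]")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

On the excerpt this reports, in order: the exefile open command routed through msupdate.exe in the All Users Startup folder (every .exe launch passes through that binary, so the handler must be reset to "%1" %* before any further cleanup tool is run, or the tool itself is launched through the malware); jacfnjp and yhmgmcq registered as svchost netsvcs services with generic display names, while gfqkd, pvwlxwhs, jxigky and lueanqqiv remain in the netsvcs group with no service definition left (leftover group entries, possibly from an earlier removal, which should be pruned from the multi-string); "Microsoft PowerPoint Application" pointing at dllcache\winppa.exe (no Office component registers a service under that name, and dllcache should hold only protected-file copies); and C:\hhnehs.exe with system+hidden+read-only attributes in the drive root. The same regular expressions apply unchanged to the full log.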
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000020
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-776561741-1220945662-725345543-500\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000013
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(188)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(1764)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\OLEACC.dll
c:\winnt\system32\SHDOCVW.DLL
.
Ora fine scansione: 2009-09-16 15.09.41 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-09-16 13:09
ComboFix2.txt 2009-09-13 20:49
Pre-Run: 12.842.901.504 byte disponibili
Post-Run: 12.857.720.832 byte disponibili
Log MBAM
Malwarebytes' Anti-Malware 1.40
Versione del database: 2766
Windows 5.0.2195 Service Pack 4
16/09/2009 19.58.57
mbam-log-2009-09-16 (19-58-57).txt
Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 183672
Tempo trascorso: 1 hour(s), 1 minute(s), 1 second(s)
Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 1
Cartelle infette: 0
File infetti: 1
Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)
Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)
Chiavi di registro infette:
(Nessun elemento malevolo rilevato)
Valori di registro infetti:
(Nessun elemento malevolo rilevato)
Elementi dato del registro infetti:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (c:\documents and settings\all users\menu avvio\programmi\esecuzione automatica\msupdate.exe "%1 %*") Good: ("%1" %*) -> Quarantined and deleted successfully.
Cartelle infette:
(Nessun elemento malevolo rilevato)
File infetti:
C:\WINNT\system32\drivers\oreans32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.