
Another Bagle problem

Posted: Thu May 13, 2010 4:57 pm
by memtest
Hi everyone!
Last night eMule brought me a Bagle. I read around a bit and, as far as I understand, there are countless variants, so I'm asking you for help.
On startup neither Antivir nor Sygate Personal Firewall starts, the wireless network card doesn't work (I had to connect via cable), the sound card doesn't either, and I keep getting the classic "this is not a valid Win32 application". Safe mode won't boot because it can't load sptd.sys (yes, I already uninstalled Daemon Tools), and if I try to use SafeBoot it tells me those registry keys are already in use by another application. System Restore was already disabled before I got infected.

Thanks in advance for your help

Re: Another Bagle problem

Posted: Thu May 13, 2010 5:07 pm
by memtest
I can't even run the scan with Avenger (not a valid Win32 application), and the Kaspersky online scan isn't active. What scan can I run to help you, and above all, how?

Re: Another Bagle problem

Posted: Thu May 13, 2010 5:34 pm
by ste_95

Re: Another Bagle problem

Posted: Thu May 13, 2010 6:14 pm
by memtest
Thanks, trying it right now!

Re: Another Bagle problem

Posted: Thu May 13, 2010 7:37 pm
by memtest
Thanks a lot, it should all have worked! Now I'll post the logs.
Removal tool

############################## | FindyKill V5.043 |

# User : Administrator (Administrators) # PC-X
# Update on 12/05/2010 by El Desaparecido
# Start at: 19.30.55 | 13/05/2010
# Website : http://pagesperso-orange.fr/NosTools/index.html
# Contact : FindyKill.Contact@gmail.com

# AMD Athlon(tm) 64 Processor 3700+
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.0.5730.13
# Windows Firewall Status : Enabled

# A:\ # Disco floppy, 3,5 pollici
# C:\ # Disco rigido locale # 189,91 Go (23,68 Go free) # NTFS
# D:\ # Disco CD-ROM # 582,87 Mo (0 Mo free) [TheFrozenThrone] # CDFS
# G:\ # Disco rimovibile # 1,86 Go (1,86 Go free) [SEBBA] # FAT32

################## | Infected File |

(!) Not Deleted ! D:\autorun.inf
Deleted ! C:\WINDOWS\mdelk.exe
Deleted ! C:\WINDOWS\wintems.exe
Deleted ! C:\WINDOWS\system32\srosa2.sys
Deleted ! C:\WINDOWS\system32\wfsintwq.sys
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\drivers\downld
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\drivers\winupgro.exe
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\drivers
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\downloads.bak
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\downloads.txt
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\AC_BootstrapIPs.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\AC_SearchStrings.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\AC_ServerMetURLs.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\cancelled.met
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\clients.met
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\clients.met.bak
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\cryptkey.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\emfriends.met
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\key_index.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\known.met
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\known2_64.met
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\load_index.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\nodes.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\preferences.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\preferences.ini
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\preferencesKad.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\server.met
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\server_met.old
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\shareddir.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\src_index.dat
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\statistics.ini
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config\StoredSearches.met
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\config
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\file.exe
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\flec003.exe
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\flec005.exe
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\Incoming
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\lang
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\names.txt
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\server.txt
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\skins
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\Temp
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\WDIR
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires\webserver
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\hidires
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\m\data.oct
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\m\flec006.exe
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\m\list.oct
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\m\shared
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\m\srvlist.oct
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\m

################## | Reference of comparaison Bagle MD5 : |

File : C:\Documents and Settings\Administrator\Dati applicazioni\drivers\winupgro.exe
-> Crc32 : a0b81118 | Md5 : 78d1be8c9bc5c994556a7d9ff34e7f41


################## | MD5 ... |

Deleted ! "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
-> Size : 1065472 | Crc32 : a0b81118 | Md5 : 78d1be8c9bc5c994556a7d9ff34e7f41


################## | CRC32 ... |


################## | Registry |

Deleted ! [HKLM\SYSTEM\ControlSet002\Services\sK9Ou0s]
Deleted ! [HKLM\SYSTEM\ControlSet002\Services\srosa]
Deleted ! [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S]
Deleted ! [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
Deleted ! [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA]
Deleted ! [HKCU\Software\bisoft]
Deleted ! [HKCU\Software\DateTime4]
Deleted ! [HKCU\Software\MuleAppData]
Deleted ! [HKCU\Software\WS4001]
Deleted ! [HKCR\ed2k]
Deleted ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"
Deleted ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "german.exe"
Deleted ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "mule_st_key"
Deleted ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "flec003.exe"
Deleted ! [HKCU\Software\Local AppWizard-Generated Applications\winupgro]

################## | State |

# Safe boot mode restored !

# Showing of hidden files : OK

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 2 ( Good = 2 | Bad = 4 )
# Ip6Fw -> Start = 2 ( Good = 2 | Bad = 4 )
# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )
# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )

################## | Corrupted Files |

Corrupted : C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[Offset = 000000EC - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\avadmin.exe
[Offset = 000000FC - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\avcenter.exe
[Offset = 0000010C - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\avconfig.exe
[Offset = 00000104 - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
[Offset = 0000010C - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\avguard.exe
[Offset = 00000104 - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\avnotify.exe
[Offset = 000000F4 - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\avscan.exe
[Offset = 000000FC - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\guardgui.exe
[Offset = 000000F4 - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\licmgr.exe
[Offset = 00000104 - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\sched.exe
[Offset = 0000010C - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\update.exe
[Offset = 000000F4 - Value = 0x0001]

Corrupted : C:\Programmi\Avira\AntiVir Desktop\wsctool.exe
[Offset = 000000FC - Value = 0x0001]

Corrupted : C:\Programmi\Sygate\SPF\Smc.exe
[Offset = 0000011C - Value = 0x0001]

Corrupted : G:\ComboFix.exe
[Offset = 000000EC - Value = 0x0001]


################## | Upload |

Please send the file : C:\FindyKill_Upload_Me_PC-X.zip : http://chiquitine.changelog.fr/Sample/Upload.php
Thank you for your contribution .

################## | End of Report # FindyKill V5.043 ! |


and ComboFix

ComboFix 10-05-13.01 - Administrator 13/05/2010 19.56.35.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1719 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\eMule\lang\ar_AE.dll
c:\programmi\eMule\lang\ba_BA.dll
c:\programmi\eMule\lang\bg_BG.dll
c:\programmi\eMule\lang\ca_ES.dll
c:\programmi\eMule\lang\cz_CZ.dll
c:\programmi\eMule\lang\da_DK.dll
c:\programmi\eMule\lang\de_DE.dll
c:\programmi\eMule\lang\el_GR.dll
c:\programmi\eMule\lang\es_AS.dll
c:\programmi\eMule\lang\es_ES_T.dll
c:\programmi\eMule\lang\et_EE.dll
c:\programmi\eMule\lang\fa_IR.dll
c:\programmi\eMule\lang\fi_FI.dll
c:\programmi\eMule\lang\fr_BR.dll
c:\programmi\eMule\lang\fr_FR.dll
c:\programmi\eMule\lang\gl_ES.dll
c:\programmi\eMule\lang\he_IL.dll
c:\programmi\eMule\lang\hu_HU.dll
c:\programmi\eMule\lang\it_IT.dll
c:\programmi\eMule\lang\jp_JP.dll
c:\programmi\eMule\lang\ko_KR.dll
c:\programmi\eMule\lang\lt_LT.dll
c:\programmi\eMule\lang\lv_LV.dll
c:\programmi\eMule\lang\mt_MT.dll
c:\programmi\eMule\lang\nb_NO.dll
c:\programmi\eMule\lang\nl_NL.dll
c:\programmi\eMule\lang\nn_NO.dll
c:\programmi\eMule\lang\pl_PL.dll
c:\programmi\eMule\lang\pt_BR.dll
c:\programmi\eMule\lang\pt_PT.dll
c:\programmi\eMule\lang\ro_RO.dll
c:\programmi\eMule\lang\ru_RU.dll
c:\programmi\eMule\lang\sl_SI.dll
c:\programmi\eMule\lang\sq_AL.dll
c:\programmi\eMule\lang\sv_SE.dll
c:\programmi\eMule\lang\tr_TR.dll
c:\programmi\eMule\lang\ua_UA.dll
c:\programmi\eMule\lang\ug_CN.dll
c:\programmi\eMule\lang\va_ES.dll
c:\programmi\eMule\lang\va_ES_RACV.dll
c:\programmi\eMule\lang\vi_VN.dll
c:\programmi\eMule\lang\zh_CN.dll
c:\programmi\eMule\lang\zh_TW.dll
c:\windows\system32\mswmpdat.tlb

.
((((((((((((((((((((((((( Files Creati Da 2010-04-13 al 2010-05-13 )))))))))))))))))))))))))))))))))))
.

2010-05-13 17:36 . 2010-05-13 17:36 1704 ----a-w- C:\FindyKill_Upload_Me_PC-X.zip
2010-05-13 17:26 . 2010-05-13 17:38 -------- d-----w- C:\FyK
2010-05-13 14:35 . 2010-05-13 14:35 -------- d-----w- c:\programmi\CCleaner
2010-05-11 20:17 . 2010-05-11 20:17 2157 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-05-11 20:16 . 2010-05-11 20:16 2095 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\.purple\certificates\x509\tls_peers\login.live.com
2010-05-06 18:58 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 21:12 . 2010-04-16 21:12 2145 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\.purple\certificates\x509\tls_peers\ows.messenger.msn.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 17:42 . 2001-08-31 17:00 80268 ----a-w- c:\windows\system32\perfc010.dat
2010-05-13 17:42 . 2001-08-31 17:00 481664 ----a-w- c:\windows\system32\perfh010.dat
2010-05-13 17:32 . 2009-12-17 21:12 -------- d-----w- c:\programmi\Microsoft ActiveSync
2010-05-12 14:28 . 2009-04-27 11:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2010-05-11 21:46 . 2009-05-01 16:46 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\.purple
2010-05-11 16:30 . 2009-11-02 13:34 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\vlc
2010-05-06 18:58 . 2009-05-13 17:09 -------- d-----w- c:\programmi\Java
2010-04-26 22:28 . 2009-05-01 10:01 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Skype
2010-04-26 22:27 . 2009-05-01 10:05 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\skypePM
2010-04-16 18:19 . 2009-09-04 15:16 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Hamachi
2010-04-07 22:15 . 2009-04-27 11:25 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-04-07 22:12 . 2010-01-04 22:46 -------- d-----w- c:\programmi\Crayon Physics Deluxe
2010-04-07 21:55 . 2009-06-09 20:16 -------- d-----w- c:\programmi\Steam
2010-04-07 21:55 . 2010-04-07 21:55 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Ubisoft
2010-04-05 10:03 . 2009-05-06 12:47 -------- d-----w- c:\programmi\eMule
2010-04-01 22:46 . 2010-04-01 22:46 2165 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2010-03-30 20:09 . 2010-03-30 20:09 503808 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e1bbc79-n\msvcp71.dll
2010-03-30 20:09 . 2010-03-30 20:09 499712 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e1bbc79-n\jmc.dll
2010-03-30 20:09 . 2010-03-30 20:09 348160 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e1bbc79-n\msvcr71.dll
2010-03-30 20:09 . 2010-03-30 20:09 61440 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ede646c-n\decora-sse.dll
2010-03-30 20:09 . 2010-03-30 20:09 12800 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ede646c-n\decora-d3d.dll
2010-03-30 20:09 . 2010-03-30 20:09 -------- d-----w- c:\programmi\File comuni\Java
2010-03-11 12:30 . 2008-03-01 12:58 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:30 . 2008-05-08 00:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:30 . 2008-05-08 00:13 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-13 17:13 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2008-04-13 10:17 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 18:07 . 2009-04-29 12:34 75408 ----a-w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-17 12:05 . 2008-05-08 00:48 2193664 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:05 . 2008-04-13 16:55 2070528 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

------- Sigcheck -------

[-] 2008-05-08 . 56F7866726C75C66167714D61CE84344 . 689152 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2008-05-08 . 94A1A243EF6861D230F31C86CDFDE756 . 486912 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-05-08 . 12F0333CC7253C3C8FB1DB2DA4E24C95 . 1504256 . . [6.00.2900.5512] . . c:\windows\explorer.exe


[-] 2008-05-08 . CB4D4167C8F11342F5A1684BDD6B7B16 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2008-05-08 . 7F4C43F75EBF781352DB3B5EF6BF8230 . 40448 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe


c:\windows\System32\wscntfy.exe ... è mancante !!
c:\windows\System32\regsvc.dll ... è mancante !!
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" [2009-03-27 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2010-05-13 209153]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-05-08 40448]
"LClock"="c:\windows\Resources\VistaStyle\LClock\LClock.exe" [2008-05-08 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2010-03-11 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^Ritaglio schermata e avvio di OneNote 2007.lnk]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\Ritaglio schermata e avvio di OneNote 2007.lnk
backup=c:\windows\pss\Ritaglio schermata e avvio di OneNote 2007.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^TrayMin315.exe.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\TrayMin315.exe.lnk
backup=c:\windows\pss\TrayMin315.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2004-06-09 13:37 40960 ----a-w- c:\windows\VM_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
2003-08-19 09:01 57344 ----a-w- c:\programmi\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 Tetri5;Tetri5 driver;c:\windows\system32\drivers\Tetri5.sys [09/12/2009 1.28.45 53088]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/07/2009 0.07.30 721904]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\Avira\AntiVir Desktop\sched.exe [27/04/2009 14.07.40 108289]
S3 ESLvnic1;ESLvnic Virtual Network 32 Bit;c:\windows\system32\drivers\ESLvnic.sys [07/09/2009 23.33.01 23512]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\IMPOST~1\Temp\EUJ2D.tmp --> c:\docume~1\ADMINI~1\IMPOST~1\Temp\EUJ2D.tmp [?]
.
Contenuto della cartella 'Scheduled Tasks'

2010-05-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-20 21:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://google.mini20.com
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: {33A6EB94-9A44-4A27-B619-11967E66EDB6} = 192.168.1.1
TCP: {62C8C5A7-4CAE-4ED8-B1CA-D6365BAEBDD9} = 85.37.17.16
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\vq0wcmfe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
HKLM-Run-SmcService - c:\progra~1\Sygate\SPF\smc.exe
SSODL-UpdateCheck-{79C97C5E-2628-44BE-AF32-9BE3C006E865} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 19:59
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\IMPOST~1\Temp\EUJ2D.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\SETUPAPI.dll
.
Ora fine scansione: 2010-05-13 20:00:30
ComboFix-quarantined-files.txt 2010-05-13 18:00

Pre-Run: 25.338.417.152 byte disponibili
Post-Run: 25.334.550.528 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 79DAABF007E1793A23AA2D82A847D9D2


Am I free of all danger? Thanks a lot again

Re: Another Bagle problem

Posted: Thu May 13, 2010 8:25 pm
by ste_95
Try reinstalling the antivirus. [:)]

Re: Another Bagle problem

Posted: Thu May 13, 2010 8:27 pm
by Berga95
Well, there's the autorun on D:, which wasn't deleted... although I don't think it can do much on its own [:)]

Re: Another Bagle problem

Posted: Thu May 13, 2010 9:37 pm
by memtest
D: is the CD drive :D it isn't infected! I'll reinstall Antivir and the firewall right away.
Thanks again so much

P.S.
One last thing: it doesn't spread through USB pen drives too, does it? I formatted them to be safe...

Re: Another Bagle problem

Posted: Fri May 14, 2010 6:17 am
by ste_95
memtest wrote: One last thing: it doesn't spread through USB pen drives too, does it? I formatted them to be safe...

Yes, it uses those too. [;)]

Re: Another Bagle problem

Posted: Fri May 14, 2010 10:19 am
by memtest
So what do I do, burn them? Beyond formatting them I don't know what else to do :D

Re: Another Bagle problem

Posted: Fri May 14, 2010 11:53 am
by Pct
If you formatted them after cleaning the PC of the infection, then you've definitely solved the problem. Formatting is enough xD

Re: Another Bagle problem

Posted: Fri May 14, 2010 1:24 pm
by Berga95
Oops... How embarrassing [B)]
I had read "not deleted" [:D]