ComboFix 08-11-04.02 - Administrator 2008-11-05 12.16.06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1416 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\nlehkckga_navfx.dat
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Windows Live\Messenger\MsnMsgr.exe
c:\windows\BM374d1177.txt
c:\windows\BM374d1177.xml
c:\windows\cookies.ini
c:\windows\pskt.ini
c:\windows\system32\artbvrlm.ini
c:\windows\system32\biveceko.ini
c:\windows\system32\iluhwkyx.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mvmjmjgq.ini
c:\windows\system32\nvs2.inf
c:\windows\system32\vrwrnccf.ini
d:\recycler\Desktop.ini
d:\recycler\Folder.htt
d:\recycler\Protect.ed
d:\recycler\Warning.bmp
.
((((((((((((((((((((((((( Files Creati Da 2008-10-05 al 2008-11-05 )))))))))))))))))))))))))))))))))))
.
2008-11-05 12:11 . 2008-11-05 12:11 <DIR> d-------- C:\pincopallino
2008-11-05 11:29 . 2008-11-05 11:46 <DIR> d-------- c:\programmi\FindyKill
2008-11-05 10:09 . 2008-11-05 10:08 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-05 09:52 . 2008-11-05 09:52 <DIR> d-------- c:\programmi\CDex_150
2008-11-04 16:44 . 2008-11-04 16:44 <DIR> d-------- c:\programmi\ARWizard3
2008-11-02 12:30 . 2008-11-02 12:30 50 --a------ c:\windows\cdplayer.ini
2008-10-31 09:41 . 2008-10-31 09:41 <DIR> d--h----- C:\Nuova cartella
2008-10-24 10:04 . 2008-10-24 10:04 65 --a------ c:\windows\FISHUI.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 09:08 --------- d-----w c:\programmi\Java
2008-11-05 08:06 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\TeamViewer
2008-10-30 11:12 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\uTorrent
2008-10-24 08:53 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\DataCast
2008-10-03 13:48 --------- d-----w c:\programmi\Look@LAN
2008-10-02 07:06 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Skype
2008-10-01 11:10 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\TVU Networks
2008-09-22 06:57 --------- d-----w c:\programmi\CCleaner
2008-09-22 06:52 --------- d-----w c:\programmi\Winamp
2008-09-20 12:03 --------- d-----w c:\programmi\Samsung
2008-09-20 11:39 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-09-20 11:39 --------- d-----w c:\programmi\MarkAny
2008-09-17 15:23 --------- d-----w c:\programmi\TOSHIBA
2008-09-17 15:19 --------- d-----w c:\programmi\TOSHIBA Viewer V2
2008-09-17 08:58 --------- d-----w c:\programmi\Winamp Toolbar
2008-09-17 08:58 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Winamp Toolbar
2008-09-16 10:41 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Cogniview
2008-09-16 10:41 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Cogniview
2008-09-15 13:43 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-09-11 14:39 --------- d-----w c:\programmi\SkyStoneACD
2008-09-11 14:31 --------- d-----w c:\programmi\SkyStone
2008-09-10 13:38 --------- d-----w c:\programmi\3CX Phone
2008-09-10 13:38 --------- d-----w c:\programmi\3CX
2008-05-16 09:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008051620080517\index.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\programmi\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]
"{f4035115-6152-4901-a81d-f4e0a0479615}"= "c:\programmi\ilcorsaronero\tbilco.dll" [2008-07-27 1606680]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_CLASSES_ROOT\clsid\{f4035115-6152-4901-a81d-f4e0a0479615}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4035115-6152-4901-a81d-f4e0a0479615}]
2008-07-27 20:11 1606680 --a------ c:\programmi\ilcorsaronero\tbilco.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f4035115-6152-4901-a81d-f4e0a0479615}"= "c:\programmi\ilcorsaronero\tbilco.dll" [2008-07-27 1606680]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F4035115-6152-4901-A81D-F4E0A0479615}"= "c:\programmi\ilcorsaronero\tbilco.dll" [2008-07-27 1606680]
[HKEY_CLASSES_ROOT\clsid\{f4035115-6152-4901-a81d-f4e0a0479615}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DeskSpace"="c:\programmi\DeskSpace\deskspace.exe" [2007-09-18 1066496]
"LClock"="c:\programmi\LClock\LClock.exe" [2004-09-19 65536]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1211176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-11-05 136600]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"Cpqset"="c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"SynTPStart"="c:\programmi\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-05 78008]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-05-27 413696]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\windows\system32\config\systemprofile\Menu Avvio\Programmi\Esecuzione automatica\
CCC.lnk - c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 49152]
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
CCC.lnk - c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-21 03:52 1211176 c:\progra~1\MI3AA1~1\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2007-01-29 20:10 46632 c:\programmi\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 10:13 267048 c:\programmi\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\programmi\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 08:03 210472 c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 00:02 36352 c:\programmi\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\Look@LAN\\LookAtLan.exe"=
"c:\\Programmi\\DNA\\btdna.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\GlobalSCAPE\\CuteFTP 7 Professional\\ftpte.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe [2008-04-14 14336]
R2 Dnscache;Client DNS;c:\windows\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter;c:\programmi\Java\jre6\bin\jqs.exe [2008-11-05 152984]
R2 pdfcDispatcher;PDF Document Manager;c:\programmi\PDF Complete\pdfsvc.exe [2007-05-08 540448]
R2 WILPAR;Wordcraft Parallel Driver;c:\windows\system32\Drivers\WILPAR.SYS [2001-12-14 14096]
S1 sK9Ou0s;sK9Ou0s;c:\windows\system32\drivers\srosa2.sys [ ]
S2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [ ]
S3 USBSTOR;Driver archiviazione di massa USB;c:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a8c0956-a724-11dd-a07a-001a4b85ce53}]
\Shell\AutoRun\command - WD_Windows_Tools\Setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {09258F12-48E7-B18E-C414-1F48C215685F} /qb
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
- - - - ORFÃOS REMOVIDOS - - - -
HKCU-Run-MsnMsgr - c:\programmi\Windows Live\Messenger\MsnMsgr.Exe
Notify-ddcbbcc - (no file)
.
------- Supplementare di scansione -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\6j9eo9ge.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.it
FF -: plugin - c:\programmi\DNA\plugins\npbtdna.dll
FF -: plugin - c:\programmi\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 12:20:52
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe? ??????????T??????????????|?M?|?????M?|&?@
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pdfcDispatcher]
"ImagePath"="c:\programmi\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2008-11-05 12:29:06 - la macchina è stata riavviata
ComboFix-quarantined-files.txt 2008-11-05 11:29:03
Pre-Run: 118.878.216.192 byte disponibili
Post-Run: 119,054,491,648 byte disponibili
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
221 --- E O F --- 2008-07-23 13:38:26