ComboFix 09-05-26.05 - Armando 28/05/2009 14.14.42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.479.170 [GMT 2:00]
Eseguito da: E:\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\3.cmd
C:\Autorun.inf
C:\boyedt.com
C:\e2.cmd
C:\fbak.exe
C:\g1ljsm.com
C:\hkn6k.bat
C:\icxpa.cmd
C:\j.cmd
C:\lad.bat
C:\MS32DLL.dll.vbs
C:\mt.bat
C:\nu.cmd
C:\ukvr.bat
C:\w.com
c:\windows\MS32DLL.dll.vbs
c:\windows\system32\FTPx.dll
c:\windows\system32\instFunc.dll
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\olhrwef.exe
C:\xh319r9b.bat
C:\ysep1.exe
.
((((((((((((((((((((((((( Files Creati Da 2009-04-28 al 2009-05-28 )))))))))))))))))))))))))))))))))))
.
2009-05-28 11:22 . 2009-05-28 11:22 34 ----a-w c:\windows\system32\BD2030.DAT
2009-05-28 09:33 . 2009-05-28 09:39 -------- d-----w c:\programmi\FinalUninstaller
2009-05-28 09:33 . 2009-05-28 09:33 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Martau
2009-05-28 09:33 . 2009-05-28 09:33 -------- d-----w c:\programmi\Total Uninstall 5
2009-05-26 14:31 . 2009-05-06 18:06 4784464 ----a-w c:\documents and settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Definition Updates\{C65D2649-F7F8-4672-B577-2C38357DB3A6}\mpengine.dll
2009-05-26 14:09 . 2009-05-27 15:11 105980 --sh--r C:\2a.exe
2009-05-25 08:41 . 2009-05-25 08:41 106104 --sh--r C:\n68mqcra.exe
2009-05-11 09:19 . 2009-05-11 09:19 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage
2009-05-08 07:17 . 2009-05-06 18:06 4784464 ----a-w c:\documents and settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2009-05-08 07:16 . 2009-05-08 07:16 -------- d-----w c:\programmi\Windows Defender
2009-05-07 11:42 . 2008-10-16 12:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-05 09:14 . 2001-08-17 19:56 7552 -c--a-w c:\windows\system32\dllcache\sonypvu1.sys
2009-05-05 09:14 . 2001-08-17 19:56 7552 ----a-w c:\windows\system32\drivers\SONYPVU1.SYS
2009-04-30 09:51 . 2008-04-13 18:45 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-28 17:33 . 2009-04-28 17:33 -------- d-----w c:\documents and settings\Armando\Impostazioni locali\Dati applicazioni\Identities
2009-04-28 17:15 . 2009-04-29 10:39 -------- d-----w c:\programmi\IKEA HomePlanner
2009-04-28 17:14 . 2009-05-07 09:38 -------- d-----w c:\programmi\File comuni\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 08:55 . 2009-04-28 09:03 -------- d-----w c:\documents and settings\Armando\Dati applicazioni\Canon
2009-05-08 07:16 . 2009-04-27 14:44 18240 ----a-w c:\documents and settings\Armando\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-05-08 07:08 . 2004-08-19 12:00 510464 ----a-w c:\windows\system32\winlogon.exe
2009-04-29 08:53 . 2004-08-19 12:00 48790 ----a-w c:\windows\system32\perfc010.dat
2009-04-29 08:53 . 2004-08-19 12:00 348238 ----a-w c:\windows\system32\perfh010.dat
2009-04-28 09:21 . 2009-04-28 09:21 -------- d-----w c:\programmi\Canon
2009-04-28 09:21 . 2009-04-25 10:56 -------- d--h--w c:\programmi\InstallShield Installation Information
2009-04-28 09:21 . 2009-04-28 08:52 -------- d-----w c:\documents and settings\Armando\Dati applicazioni\ArcSoft
2009-04-28 09:20 . 2009-04-28 09:20 -------- d-----w c:\programmi\ArcSoft
2009-04-28 09:20 . 2009-04-28 08:53 -------- d-----w c:\programmi\File comuni\ArcSoft
2009-04-28 08:53 . 2009-04-28 08:53 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\ArcSoft
2009-04-28 08:48 . 2009-04-25 10:56 -------- d-----w c:\programmi\File comuni\InstallShield
2009-04-27 10:38 . 2009-04-27 10:38 -------- d-----w c:\programmi\FreePOPs
2009-04-27 09:55 . 2009-04-27 09:55 -------- d-----w c:\programmi\File comuni\Adobe
2009-04-27 09:54 . 2009-04-25 10:48 -------- d-----w c:\programmi\MSN Messenger
2009-04-27 09:54 . 2009-04-27 09:43 -------- d-----w c:\programmi\NOS
2009-04-27 09:54 . 2009-04-27 09:43 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\NOS
2009-04-27 09:44 . 2009-04-27 09:44 -------- d-----w c:\programmi\Google
2009-04-27 09:09 . 2009-04-25 08:42 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-26 08:50 . 2009-04-26 08:50 -------- d-----w c:\programmi\SiS VGA Utilities V3.78
2009-04-26 08:49 . 2009-04-26 08:49 -------- d-----w c:\programmi\sisagp
2009-04-25 11:32 . 2009-04-25 11:33 86275 ----a-w c:\windows\system32\waitwnd.exe
2009-04-25 11:32 . 2009-04-25 11:32 -------- d-----w c:\programmi\EPSON
2009-04-25 11:30 . 2009-04-25 11:30 -------- d-----r c:\documents and settings\Armando\Dati applicazioni\Brother
2009-04-25 11:28 . 2009-04-25 11:28 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Brother
2009-04-25 11:14 . 2009-04-25 11:13 -------- d-----w c:\programmi\Driver Checker
2009-04-25 10:58 . 2009-04-25 11:00 3583 ----a-w c:\windows\SiSport.sys
2009-04-25 10:58 . 2009-04-25 11:00 32768 ----a-w c:\windows\SIS_LIB.DLL
2009-04-25 10:58 . 2009-04-25 11:00 106496 ----a-w c:\windows\SiSUSBrg.exe
2009-04-25 10:58 . 2003-07-18 07:58 36992 ----a-w c:\windows\system32\drivers\SISAGPX.SYS
2009-04-25 10:56 . 2009-04-25 10:56 -------- d-----w c:\programmi\Realtek AC97
2009-04-25 10:54 . 2009-04-25 10:54 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-25 10:53 . 2009-04-25 10:53 57344 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\50\5b902232-62d64782-n\Decora-SSE.dll
2009-04-25 10:53 . 2009-04-25 10:53 24064 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3410a5cb-n\Decora-D3D.dll
2009-04-25 10:53 . 2009-04-25 10:53 315392 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\62\6baea4fe-398c38bf-n\jogl.dll
2009-04-25 10:53 . 2009-04-25 10:53 20480 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\62\6baea4fe-398c38bf-n\jogl_awt.dll
2009-04-25 10:53 . 2009-04-25 10:53 114688 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\62\6baea4fe-398c38bf-n\jogl_cg.dll
2009-04-25 10:53 . 2009-04-25 10:53 348160 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\33\258cea61-4c2c0a2a-n\msvcr71.dll
2009-04-25 10:53 . 2009-04-25 10:53 20480 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\45\4f710eed-77bce984-n\gluegen-rt.dll
2009-04-25 10:53 . 2009-04-25 10:53 499712 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\33\258cea61-4c2c0a2a-n\msvcp71.dll
2009-04-25 10:53 . 2009-04-25 10:53 499712 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\Deployment\cache\6.0\33\258cea61-4c2c0a2a-n\jmc.dll
2009-04-25 10:52 . 2009-04-25 10:52 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-25 10:52 . 2009-04-25 10:52 -------- d-----w c:\programmi\Java
2009-04-25 10:51 . 2009-04-25 10:51 152576 ----a-w c:\documents and settings\Armando\Dati applicazioni\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-25 08:43 . 2009-04-25 08:43 -------- d-----w c:\programmi\microsoft frontpage
2009-04-25 08:42 . 2009-04-25 08:42 -------- d-----w c:\programmi\Servizi in linea
2009-04-25 08:40 . 2009-04-25 08:40 21840 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-06 14:19 . 2004-08-19 12:00 286208 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:03 . 2004-08-19 12:00 826368 ----a-w c:\windows\system32\wininet.dll
.
------- Sigcheck -------
[7] 2004-08-19 12:00 504832 4166454E2BCFCC20D1B8A5AC9FEAB243 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 02:14 510464 9259170D29B5A256735FCB8B80280857 c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2009-05-08 07:08 510464 90F406811EE1EEE294792D00E21CA16C c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\programmi\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViaEmail"="HH" [X]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2009-04-25 106496]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2009-04-26 53248]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-4-25 262144]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmi\\MSN Messenger\\livecall.exe"=
R2 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [03/11/2006 19.19.58 13592]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [17/08/2001 23.52.30 18688]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\documents and settings\Armando\Desktop\everestultimate_build_1715\kerneld.wnt [10/02/2009 0.08.08 26224]
.
Contenuto della cartella 'Scheduled Tasks'
2009-05-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmi\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
2009-05-12 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]
2009-05-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
SafeBoot-procexp90.Sys
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 14:18
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\documents and settings\Armando\Desktop\everestultimate_build_1715\kerneld.wnt"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•9~*]
"0140311900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\msi.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.ITA
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\ArcSoft\PhotoStudio 5.5\PhotoStudio.exe
c:\programmi\Windows Defender\MSASCui.exe
.
**************************************************************************
.
Ora fine scansione: 2009-05-28 14.19.43 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-05-28 12:19
Pre-Run: 68.939.063.296 byte disponibili
Post-Run: 69.117.468.672 byte disponibili
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
198 --- E O F --- 2009-05-26 14:31