ComboFix 09-07-04.05 - Scalici 05/07/2009 16.50.06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1535.1094 [GMT 2:00]
Eseguito da: d:\documents and settings\Scalici\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090704-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\InfoSat.txt
d:\documents and settings\Scalici\Dati applicazioni\drivers\downld
.
((((((((((((((((((((((((( Files Creati Da 2009-06-05 al 2009-07-05 )))))))))))))))))))))))))))))))))))
.
2009-07-05 06:48 . 2009-07-05 14:56 3227680 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-07-05 06:48 . 2008-07-08 12:54 148496 ----a-w- d:\windows\system32\drivers\29983570.sys
2009-07-04 21:31 . 2009-07-05 14:55 -------- d--h--w- d:\documents and settings\Scalici\Dati applicazioni\drivers
2009-07-04 13:39 . 2008-04-14 02:13 21504 ----a-w- d:\windows\system32\drivers\hidserv.dll
2009-06-25 10:10 . 2009-06-25 10:10 -------- d-----w- d:\documents and settings\Scalici\Dati applicazioni\Malwarebytes
2009-06-25 10:10 . 2009-06-17 09:27 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 10:10 . 2009-06-25 10:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-06-25 10:10 . 2009-06-17 09:27 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-06-25 10:10 . 2009-06-25 10:10 -------- d-----w- d:\programmi\Malwarebytes' Anti-Malware
2009-06-25 09:23 . 2009-06-25 09:37 -------- d-----w- d:\documents and settings\Scalici\Impostazioni locali\Dati applicazioni\Babylon
2009-06-25 09:22 . 2009-07-05 14:55 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Babylon
2009-06-25 09:22 . 2009-06-25 11:11 -------- d-----w- d:\documents and settings\Scalici\Dati applicazioni\Babylon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 14:46 . 2009-03-27 09:18 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Google Updater
2009-07-05 13:54 . 2009-07-05 06:48 11084 --sha-w- d:\windows\system32\drivers\fidbox.idx
2009-07-05 06:30 . 2006-08-06 10:16 -------- d-----w- d:\programmi\SWF Ricettario
2009-07-04 13:40 . 2009-07-04 13:40 0 ---ha-w- d:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-04 13:40 . 2009-07-04 13:40 0 ---ha-w- d:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 12:45 . 2009-03-15 16:32 -------- d-----w- d:\programmi\Ninja
2009-06-09 11:46 . 2006-08-06 07:19 -------- d--h--w- d:\programmi\InstallShield Installation Information
2009-05-26 10:29 . 2001-08-31 11:00 84330 ----a-w- d:\windows\system32\perfc010.dat
2009-05-26 10:29 . 2001-08-31 11:00 489598 ----a-w- d:\windows\system32\perfh010.dat
2009-05-17 14:02 . 2009-05-17 14:02 -------- d-----w- d:\programmi\Defraggler
2009-05-08 23:14 . 2009-05-08 23:14 1418120 ----a-w- d:\windows\system32\wdfcoinstaller01005.dll
2009-05-08 23:14 . 2009-05-08 23:14 14736 ----a-w- d:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2004-08-19 13:39 347648 ----a-w- d:\windows\system32\localspl.dll
2009-05-06 12:23 . 2009-06-02 15:25 372736 ----a-w- d:\documents and settings\Scalici\Dati applicazioni\Mozilla\Firefox\Profiles\uqw88by2.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-04-29 04:33 . 2004-08-19 13:39 669184 ----a-w- d:\windows\system32\wininet.dll
2009-04-29 04:33 . 2004-08-19 13:39 81920 ----a-w- d:\windows\system32\ieencode.dll
2009-04-19 19:47 . 2004-08-19 13:31 1847168 ----a-w- d:\windows\system32\win32k.sys
2009-04-19 17:40 . 2006-08-05 18:33 40408 -c--a-w- d:\documents and settings\Scalici\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-04-15 14:52 . 2004-08-19 13:39 585216 ----a-w- d:\windows\system32\rpcrt4.dll
2007-08-13 09:54 . 2007-08-13 08:48 48 --sh--w- d:\windows\S76888F40.tmp
2008-02-09 12:58 . 2006-12-16 12:10 2828 -csha-w- d:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KillCopy"="d:\windows\system32\killcopy.exe" [2006-10-29 1185792]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"wltray.exe"="d:\windows\system32\wltray.exe" [2005-06-08 778318]
"cctray"="d:\programmi\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-23 177392]
"ISUSPM Startup"="d:\programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="d:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QOELOADER"="d:\programmi\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-08-28 14088]
"type32"="d:\programmi\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="d:\programmi\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Adobe Reader Speed Launcher"="d:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"SunJavaUpdateSched"="d:\programmi\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Babylon Client"="d:\programmi\Babylon\Babylon-Pro\Babylon.exe" [2009-06-25 3678608]
"Malwarebytes' Anti-Malware"="d:\programmi\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-06-17 414992]
"C-Media Mixer"="Mixer.exe" - d:\windows\mixer.exe [2002-09-17 1622016]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2008-05-03 1630208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
ninja.lnk - d:\programmi\Ninja\ninja.exe [2009-3-15 695296]
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]
path=d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk
backup=d:\windows\pss\Avvio veloce di Adobe Reader.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^BTTray.lnk]
path=d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\BTTray.lnk
backup=d:\windows\pss\BTTray.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^Scalici^Menu Avvio^Programmi^Esecuzione automatica^is-JM8J7.lnk]
path=d:\documents and settings\Scalici\Menu Avvio\Programmi\Esecuzione automatica\is-JM8J7.lnk
backup=d:\windows\pss\is-JM8J7.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programmi\\Google\\Google Talk\\googletalk.exe"=
"d:\\Programmi\\eMule\\emule.exe"=
"d:\\Programmi\\MSN BackUp\\MSNBackup.exe"=
"d:\\Programmi\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Programmi\\Ninja\\ninja.exe"=
"d:\\Programmi\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [03/04/2008 10.12.47 114768]
R1 is-JM8J7drv;is-JM8J7drv;d:\windows\system32\drivers\29983570.sys [05/07/2009 8.48.51 148496]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [03/04/2008 10.12.48 20560]
R2 MBAMService;MBAMService;d:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [25/06/2009 12.10.25 195856]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [25/06/2009 12.10.21 19096]
S2 gupdate1c9aebd18821500;Servizio di Google Update (gupdate1c9aebd18821500);d:\programmi\Google\Update\GoogleUpdate.exe [27/03/2009 11.19.12 133104]
S3 NiViPxiK;NiViPxiK;d:\windows\system32\drivers\NiViPxiK.sys [26/10/2001 18.48.02 16896]
S3 PAC207;Trust WB-1200p Mini Webcam;d:\windows\system32\drivers\PFC027.sys [24/02/2005 12.29.14 162176]
.
Contenuto della cartella 'Scheduled Tasks'
2009-07-05 d:\windows\Tasks\Google Software Updater.job
- d:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-27 09:18]
2009-07-05 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\programmi\Google\Update\GoogleUpdate.exe [2009-03-27 09:19]
2009-07-05 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\programmi\Google\Update\GoogleUpdate.exe [2009-03-27 09:19]
2009-07-04 d:\windows\Tasks\Malwarebytes' Scheduled Update for Scalici.job
- d:\programmi\Malwarebytes' Anti-Malware\mbam.exe [2009-06-25 09:27]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
Notify-WgaLogon - (no file)
.
------- Scansione supplementare -------
.
uStart Page = hxxp://virgilio.alice.it/indexbb.html
mStart Page = hxxp://virgilio.alice.it/indexbb.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - d:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
IE: Translate this web page with Babylon - d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://d:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
TCP: {C0C9AC30-2B78-4759-AA11-34F95571A1B8} = 192.168.200.1,192.168.200.2
TCP: {C32C6871-B36A-4FB7-B026-32C120188B02} = 151.99.125.2,151.99.125.3
FF - ProfilePath - d:\documents and settings\Scalici\Dati applicazioni\Mozilla\Firefox\Profiles\uqw88by2.default\
FF - prefs.js: browser.startup.homepage - http://www.virgilio.it
FF - component: d:\documents and settings\Scalici\Dati applicazioni\Mozilla\Firefox\Profiles\uqw88by2.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: d:\programmi\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\programmi\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: d:\programmi\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\programmi\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
d:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
d:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 16:56
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\d:\programmi\CyberLink\PowerDVD\000.fcl"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140710900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"
"0140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(852)
d:\windows\System32\BCMLogon.dll
.
Ora fine scansione: 2009-07-05 16.59.38
ComboFix-quarantined-files.txt 2009-07-05 14:58
Pre-Run: 48.437.571.584 byte disponibili
Post-Run: 48.417.173.504 byte disponibili
220 --- E O F --- 2009-07-04 13:44