ComboFix 09-03-29.04 - Administrator 2009-08-31 12.14.33.1 - NTFSx86
Run from: D:\Com-bo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090826-0] *On-access scanning disabled* (Updated)
WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created From 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))))))
.
2009-08-26 14:36 . 2009-08-26 19:17 <DIR> d--h-c--- c:\documents and settings\Administrator\Dati applicazioni\drivers
2009-07-29 11:16 . 2009-07-29 11:16 <DIR> d--h-c--- c:\windows\$hf_mig$
2009-07-05 13:21 . 2009-05-26 17:18 90,112 --a--c--- c:\windows\system32\QuickTimeVR.qtx
2009-07-05 13:21 . 2009-05-26 17:18 57,344 --a--c--- c:\windows\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 10:06 405 -c--a-w c:\programmi\psc 1110.exe.lnk
2009-08-30 19:31 --------- dc----w c:\programmi\Bonjour
2009-07-05 11:21 --------- dc----w c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-06-29 17:49 --------- dc----w c:\programmi\File comuni\Adobe
2009-06-29 14:09 --------- dc----w c:\documents and settings\Administrator\Dati applicazioni\Download Manager
2009-06-16 14:36 81,920 -c--a-w c:\windows\system32\fontsub.dll
2009-06-16 14:36 119,808 -c--a-w c:\windows\system32\t2embed.dll
2009-06-03 19:09 1,296,384 -c--a-w c:\windows\system32\quartz.dll
2009-05-07 15:32 347,648 -c--a-w c:\windows\system32\localspl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="d:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2005-01-21 839680]
"MSMSGS"="d:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusTray"="c:\programmi\Asus\EeePC ACPI\AsTray.exe" [2008-03-27 102400]
"AsusACPIServer"="c:\programmi\Asus\EeePC ACPI\AsAcpiSvr.exe" [2008-03-20 544768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-08 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-08 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-08 94208]
"ETDWare"="c:\programmi\Elantech\ETDCtrl.exe" [2008-04-16 335872]
"SunJavaUpdateSched"="d:\programmi\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"FreePDF Assistant"="d:\programmi\FreePDF_XP\fpassist.exe" [2007-06-26 312320]
"avast!"="d:\i386\Install\Avast\ashDisp.exe" [2009-08-31 81000]
"Adobe Reader Speed Launcher"="d:\i386\Install\ACR\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-07 c:\windows\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 c:\windows\Alcmtr.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Collegamento a eeectl.lnk - d:\i386\Install\eeectl\eeectl.exe [2008-02-17 31232]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
AutoRun OSCleaner.lnk - c:\programmi\ASUS\Asus OS Cleaner\AsOSCleaner.exe [2008-06-27 118784]
BTTray.lnk - d:\i386\Install\BLT\BTTray.exe [2007-02-27 561213]
InterVideo WinCinema Manager.lnk - d:\i386\Install\Common\Bin\WinCinemaMgr.exe [2008-06-30 114688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
The SafeBoot registry key needs to be repaired. This PC cannot boot into Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"d:\\I386\\Install\\emule\\emule.exe"=
"d:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
R1 aswSP;avast! Self Protection; [x]
R2 aswFsBlk;aswFsBlk; [x]
R3 ONDAusbmdm6k;ONDA Proprietary USB Driver; [x]
R3 ONDAusbnet;ONDA USB-NDIS miniport; [x]
R3 ONDAusbnmea;ONDA NMEA Port; [x]
R3 ONDAusbser6k;ONDA Diagnostic Port; [x]
S1 111111s1ro1s1a;111111s1ro1s1a;c:\documents and settings\Administrator\Dati applicazioni\drivers\111wfs1intwq.sys [2009-08-31 121658]
S1 sK9Ou0s;sK9Ou0s;c:\documents and settings\Administrator\Dati applicazioni\drivers\11s11ro1s1a2.sys [2009-08-31 7168]
S3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\DRIVERS\ASUSACPI.sys [2007-07-26 11264]
S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l251x86.sys [2007-10-18 30720]
S3 dciiodrv;dciiodrv;c:\windows\system32\drivers\dciiodrv.sys [2008-07-04 2944]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\DRIVERS\ETD.sys [2008-04-15 25088]
--- Other Services/Drivers In Memory ---
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - btwdins
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - IviRegMgr
*Deregistered* - JavaQuickStarterService
*Deregistered* - LanmanServer
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PCIIde
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteAccess
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sK9Ou0s
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WmiApSrv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{676575c5-4909-11dd-b7a2-0015afa77039}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{676575c8-4909-11dd-b7a2-0015afa77039}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bba99c4-46b0-11dd-b797-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bba99c7-46b0-11dd-b797-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f813079-4458-11dd-b793-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a81be302-468b-11dd-b795-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a81be306-468b-11dd-b795-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfd83d6f-49a7-11dd-aa49-0002721326f2}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
2009-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe []
2009-08-29 c:\windows\Tasks\WebReg 20080914165811.job
- d:\digital imaging\Bin\hpqwrg.exe []
2009-08-26 c:\windows\Tasks\WebReg 20080929175536.job
- d:\digital imaging\Bin\hpqwrg.exe []
2009-08-26 c:\windows\Tasks\WebReg 20081006150419.job
- d:\digital imaging\Bin\hpqwrg.exe []
2009-08-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-<NO NAME> - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - d:\i386\Install\OFFICE~1\OFFICE11\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - d:\i386\Install\BLT\btsendto_ie_ctx.htm
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 12:16:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
c:\documents and settings\Administrator\Dati applicazioni\drivers\winupgro.exe [1924] 0x881DF320
scanning hidden autostart entries ...
scanning hidden files ...
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16803687.exe 1508 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16806843.exe 1508 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16807843.exe 1508 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16903000.exe 2536 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\winupgro.exe 839680 bytes executable
scan completed successfully
hidden files: 6
**************************************************************************
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="c:\\Documents and Settings\\Administrator\\Dati applicazioni\\drivers\\winupgro.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls loaded by running processes ---------------------
- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\btmmhook.dll
.
Completion time: 2009-08-31 12.25.30
ComboFix-quarantined-files.txt 2009-08-31 10:25:07
Pre-Run: 140,730,368 bytes free
Post-Run: 130,584,576 bytes free
257
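The log above is the whole of the original post. What follows is an added example, not ComboFix output and not code from the poster: a small Python triage script that reads lines in the ComboFix format shown on this page and flags the classes of indicator visible in it, namely Run-key programs and boot-start (S1/R1) drivers loading from a user profile (winupgro.exe, 111wfs1intwq.sys), Security Center notifications switched off, EnableLUA=0, and mountpoints2 AutoRun commands pointing at removable drives. The sample lines are constructed from this log; the list of user-writable directories, the severity levels and the rule names are the example's own assumptions, and a hit is a lead for an analyst, not a verdict.

```python
"""Triage a ComboFix-format log for the indicator classes seen on this page.

Added example; it is not part of ComboFix and does not reproduce its logic.
"""
import re
from dataclasses import dataclass

# Assumption: directories from which a kernel driver or an HKCU/HKLM Run entry
# should not normally load (user profile, Application Data in English and
# Italian, AppData, Temp). Heuristic only.
USER_WRITABLE_DIRS = (
    "\\documents and settings\\",
    "\\dati applicazioni\\",
    "\\application data\\",
    "\\appdata\\",
    "\\temp\\",
)

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "name"=value [trailer]
DRIVER_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);\s*(.*)$")  # S1 name;desc;path [trailer]
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")           # trailing "[2009-08-31 121658]" or "[x]"

# Constructed sample: lines excerpted from the log above, paths as reported there.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"drvsyskit"="c:\\Documents and Settings\\Administrator\\Dati applicazioni\\drivers\\winupgro.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
R1 aswSP;avast! Self Protection; [x]
S1 111111s1ro1s1a;111111s1ro1s1a;c:\documents and settings\Administrator\Dati applicazioni\drivers\111wfs1intwq.sys [2009-08-31 121658]
S3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\DRIVERS\ASUSACPI.sys [2007-07-26 11264]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bba99c4-46b0-11dd-b797-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (assumed scale)
    rule: str
    detail: str


def clean_path(raw: str) -> str:
    """Drop the date/size trailer, surrounding quotes and regedit's doubled backslashes."""
    raw = TRAILER_RE.sub("", raw).strip().strip('"')
    return raw.replace("\\\\", "\\")


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def triage(log_text: str) -> list:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, name, path = m.group(1), m.group(2), clean_path(m.group(4))
            if path and in_user_writable_dir(path):
                # Boot/system-start drivers (0/1) from a profile directory are the worst case.
                sev = "high" if start in ("S0", "R0", "S1", "R1") else "medium"
                findings.append(Finding(sev, "driver-from-user-profile", f"{start} {name}: {path}"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            findings.append(Finding("medium", "removable-media-autorun", m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), clean_path(m.group(2))
        if current_key.endswith("\\run") and in_user_writable_dir(value):
            findings.append(Finding("high", "run-key-from-user-profile", f"{name}: {value}"))
        elif current_key.endswith("\\security center") and name.endswith("DisableNotify") and value.endswith("1"):
            findings.append(Finding("medium", "security-center-notify-disabled", name))
        elif current_key.endswith("\\policies\\system") and name == "EnableLUA" and value.split()[0] == "0":
            findings.append(Finding("medium", "uac-disabled", "EnableLUA=0"))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, for a one-glance verdict on the log."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the only parser state is the most recent `[...]` key line, which is enough to distinguish a Run value from a firewall exception or a SafeBoot entry in this format. The trailer regex also swallows the `[x]` placeholder ComboFix prints for drivers it could not resolve to a file, so those lines produce no path and no false hit.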