ComboFix 09-12-26.05 - Michael 28/12/2009 1:44.1.2 - x86
Eseguito da: c:\documents and settings\Michael\Desktop\ogmo\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Michael\Documenti\ripristino.reg
c:\documents and settings\Michael\Documenti\wpabaln.exe
c:\programmi\\setup.exe
c:\programmi\INSTALL.LOG
c:\windows\EventSystem.log
c:\windows\system32\Ijl11.dll
c:\windows\system32\kernel1.exe
c:\windows\system32\win.ini
c:\windows\system32\yIkjPXbc.ini
c:\windows\system32\yIkjPXbc.ini2
.
-------\LEGACY_IPRIP
-------\LEGACY_NWSAPAGENT
-------\Iprip
-------\NwSapAgent
-------\Legacy_IPRIP
-------\Legacy_NETBIOS_HELPER_SERVICE
-------\Legacy_NETDDEC
-------\Service_Iprip
-------\Service_Netbios Helper Service
-------\Service_NETDDEC
((((((((((((((((((((((((( Files Creati Da 2009-11-28 al 2009-12-28 )))))))))))))))))))))))))))))))))))
.
Nessun nuovo file creato in questo arco di tempo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-02-23 14:50 . 2005-02-23 14:50 32 --sha-w- c:\windows\{696E4320-129F-4BB3-ACB5-99E6715A9AAB}.dat
2004-11-05 19:52 . 2004-11-05 19:52 32 --sha-w- c:\windows\{B92C750F-DE56-4767-A76C-5E323127EB78}.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 ----a-w- c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="c:\programmi\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 517632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\programmi\Microsoft IntelliType Pro\type32.exe" [2004-06-02 172032]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
"IntelliPoint"="c:\programmi\Microsoft IntelliPoint\point32.exe" [2004-06-02 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"CloneCDTray"="c:\programmi\SlySoft\CloneCD\CloneCDTray.exe" [2004-09-02 57344]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSPM Startup"="c:\programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"Windows Defender"="c:\programmi\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Monitor Apache Servers.lnk - c:\programmi\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2006-4-29 41041]
Privoxy.lnk - c:\programmi\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Michele^Menu Avvio^Programmi^Esecuzione automatica^ubisoft register.lnk]
path=c:\documents and settings\Michele\Menu Avvio\Programmi\Esecuzione automatica\ubisoft register.lnk
backup=c:\windows\pss\ubisoft register.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R2 Ca533av;Digital Camera Video;c:\windows\system32\Drivers\Ca533av.sys [2002-10-21 515803]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\programmi\LogMeIn\x86\RaInfo.sys [x]
R3 lac97inf;lac97inf;c:\docume~1\Michele\IMPOST~1\Temp\lac97inf.sys [x]
R3 PsSdk41;PsSdk41;c:\windows\system32\Drivers\pssdk41.sys [2008-09-24 36928]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 Vsp;Vsp;c:\windows\system32\drivers\Vsp.sys [2003-05-27 3351]
R3 WNUSCTLH;NEC 606 CONTROL Driver;c:\windows\system32\DRIVERS\WNUSCTLH.SYS [2002-04-18 46810]
R3 WNUSENUH;NEC 606 ENUMERATION Driver;c:\windows\system32\DRIVERS\WNUSENUH.SYS [2002-04-18 14458]
R3 WNUSMDMH;NEC 606 Modem Driver;c:\windows\system32\DRIVERS\WNUSMDMH.sys [2002-07-12 37120]
R3 WNUSOBXH;NEC 606 OBEX Port Driver;c:\windows\system32\DRIVERS\WNUSOBXH.sys [2002-09-12 33536]
R3 WNUSTACH;NEC 606 Command Port Driver;c:\windows\system32\DRIVERS\WNUSTACH.sys [2002-04-18 28304]
R3 z3f2bus;Sony Ericsson driver (WDM);c:\windows\system32\DRIVERS\z3f2bus.sys [x]
R3 z3f2mdfl;Sony Ericsson USB WMC Modem Filter;c:\windows\system32\DRIVERS\z3f2mdfl.sys [x]
R3 z3f2mdm;Sony Ericsson USB WMC Modem Driver;c:\windows\system32\DRIVERS\z3f2mdm.sys [x]
R3 z3f2mgmt;Sony Ericsson USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\z3f2mgmt.sys [x]
R3 z3f2obex;Sony Ericsson USB WMC OBEX Interface;c:\windows\system32\DRIVERS\z3f2obex.sys [x]
R4 Apache2.2;Apache2.2;c:\programmi\Apache Software Foundation\Apache2.2\bin\httpd.exe [2006-04-29 20539]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2007-06-25 682232]
S0 viasraid;viasraid;c:\windows\System32\DRIVERS\viasraid.sys [2003-10-31 77312]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-05-30 55520]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-05-30 42048]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-11 47640]
S2 SPTimer;Servizio Timer di SharePoint;c:\programmi\File comuni\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE [2001-02-16 345504]
S2 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
------- Scansione supplementare -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java -
file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael\Dati applicazioni\Mozilla\Firefox\Profiles\9nal04i3.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\programmi\Mozilla Firefox\plugins\NPMVPLUG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
AddRemove-Age of Empires 2.0 - c:\programmi\Microsoft Games\Age of Empires II\UNINSTAL.EXE
AddRemove-KeePass Password Safe_is1 - c:\documents and settings\Michael\Desktop\KeePass Password Safe\unins000.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-Warzone 2100 EditWorld - c:\programmi\Pumpkin Studios\Warzone2100\UninstEDITOR.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-12-28 02:36
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.netdevice: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys sptd.sys >>UNKNOWN [0x833828A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8579f28
\Driver\ACPI -> ACPI.sys @ 0xf83bbcb8
\Driver\atapi -> prosync1.sys @ 0xf8a216c1
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\programmi\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\programmi\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140711900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(1072)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\WININET.dll
c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll
c:\programmi\TortoiseSVN\bin\TortoiseStub.dll
c:\programmi\TortoiseSVN\bin\TortoiseSVN.dll
c:\programmi\TortoiseSVN\bin\intl3_tsvn.dll
c:\programmi\TortoiseSVN\Languages\TortoiseProc1040.dll
c:\programmi\Windows Media Player\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\msdtc.exe
c:\programmi\Raxco\PerfectDisk\PDAgent.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\System32\mqsvc.exe
c:\windows\System32\mqtgsvc.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\programmi\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\programmi\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Ora fine scansione: 2009-12-28 03:27:24 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-12-28 02:27
Pre-Run: 67,471,806,464 byte disponibili
Post-Run: 67,531,431,936 byte disponibili
Current=3 Default=3 Failed=1 LastKnownGood=2 Sets=,1,2,3,4,5,6,7,8,9
- - End Of File - - 69E92CA32A29B6D1BAAD887BC36B45F1