ComboFix 09-08-24.06 - Andrea 25/08/2009 21.20.12.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.39.1040.18.1790.1106 [GMT 2:00]
Running from: D:\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-292214054-3889295820-745551110-500
c:\$recycle.bin\S-1-5-21-3450396369-1997837415-3888786090-500
c:\$recycle.bin\S-1-5-21-562593655-1936356248-2708367035-500
c:\program files\QUAD Utilities
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\About Hotbar.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Reset Cursor.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Uninstall Hotbar.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Weather.lnk
c:\users\Andrea\AppData\Local\kgdavz.dat
c:\users\Andrea\AppData\Local\kgdavz_nav.dat
c:\users\Andrea\AppData\Local\kgdavz_navps.dat
c:\users\Andrea\ntuser.dat{22980dba-0af0-11de-aa1f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{29118dd5-c529-11dd-a7f3-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{5dabed32-a685-11dd-ac34-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{84ff134a-e5af-11dd-8df0-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{87039cf9-c54c-11dd-8641-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{8ff21247-1176-11de-b45f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{9a049f49-fb81-11dd-a97e-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{abb8e96f-e5ab-11dd-b07e-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{acbd3e57-a1e8-11dd-a80e-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{af49844a-d7e4-11dd-9b7c-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{b1a6b64a-7872-11dd-9c3c-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{df8f0bb2-7318-11de-b940-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{ef2ab3cb-010b-11de-9074-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{f49a0d86-b4f7-11dd-8b3f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{f90ba611-7d98-11de-b1eb-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Default\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Public\NTUSER.DAT{3c5da6ae-72ba-11dd-9db1-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\users\Public\NTUSER.DAT{c1ad96bb-9165-11de-8c64-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{22980db8-0af0-11de-aa1f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{84ff1348-e5af-11dd-8df0-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{87039cf7-c54c-11dd-8641-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{8ff21245-1176-11de-b45f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{9a049f42-fb81-11dd-a97e-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{af498448-d7e4-11dd-9b7c-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{b1a6b648-7872-11dd-9c3c-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{ef2ab3c9-010b-11de-9074-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{f49a0d84-b4f7-11dd-8b3f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{f90ba60f-7d98-11de-b1eb-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{22980db6-0af0-11de-aa1f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{7737ab70-8250-11de-aef3-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{77e9a07c-3d7a-11de-96fa-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{84ff1346-e5af-11dd-8df0-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{87039cf5-c54c-11dd-8641-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{8ff21243-1176-11de-b45f-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{9a049f40-fb81-11dd-a97e-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{a9d1a56b-ff28-11dd-baab-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{af498446-d7e4-11dd-9b7c-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{b1a6b646-7872-11dd-9c3c-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{ef2ab3c7-010b-11de-9074-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{f90ba60d-7d98-11de-b1eb-000278782dae}.TMContainer00000000000000000001.regtrans-ms
c:\windows\system32\config\systemprofile\ntuser.dat{d17a10b3-755e-11db-9150-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
c:\users\Andrea\ntuser.dat{7737ab74-8250-11de-aef3-000278782dae}.TMContainer00000000000000000001.regtrans-ms . . . . Failed to delete
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{7737ab72-8250-11de-aef3-000278782dae}.TMContainer00000000000000000001.regtrans-ms . . . . Failed to delete
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{53a0cdfb-85ed-11de-987c-000278782dae}.TMContainer00000000000000000001.regtrans-ms . . . . Failed to delete
.
((((((((((((((((((((((((( Files Created From 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))))))
.
2009-08-25 19:26 . 2009-08-25 19:30 -------- d-----w- c:\users\Andrea\AppData\Local\temp
2009-08-25 08:49 . 2009-08-25 08:49 3942048 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-25 08:49 . 2009-08-25 08:49 -------- d-----w- c:\users\Andrea\AppData\Roaming\Malwarebytes
2009-08-25 08:49 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-25 08:49 . 2009-08-25 10:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 08:49 . 2009-08-25 08:49 -------- d-----w- c:\programdata\Malwarebytes
2009-08-25 08:49 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 20:04 . 2009-08-11 20:04 -------- d-----w- c:\program files\ESET
2009-08-11 11:41 . 2009-08-11 11:41 -------- d-----w- c:\users\Andrea\AppData\Roaming\FunkyEmoticons
2009-08-11 11:40 . 2009-08-25 06:38 90 ----a-w- c:\users\Andrea\AppData\Local\gaslm.bat
2009-08-11 11:40 . 2009-08-17 12:46 -------- d-----w- c:\program files\FunkyEmoticons
2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\windows\system32\wbem\en-US
2009-08-11 07:03 . 2006-11-02 09:45 99840 ----a-w- c:\windows\system32\poqexec.exe
2009-08-05 21:19 . 2009-08-05 21:19 -------- d-----w- c:\programdata\Electronic Arts
2009-08-05 21:17 . 2009-08-05 21:17 10134 ----a-r- c:\users\Andrea\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-08-05 21:17 . 2009-08-05 21:17 -------- d-----w- c:\program files\Microsoft WSE
2009-08-04 14:31 . 2009-08-10 20:47 -------- d-----w- c:\program files\HiYo
2009-08-04 14:31 . 2009-08-04 14:31 -------- d-----w- c:\program files\HiYo(15)
2009-08-04 14:31 . 2009-08-04 14:31 -------- d-----w- c:\programdata\HiYo
2009-08-02 20:11 . 2009-06-15 15:23 24064 ----a-w- c:\windows\system32\lpk.dll
2009-08-02 20:11 . 2009-06-15 15:22 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-02 20:11 . 2009-06-15 15:21 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-02 20:11 . 2009-06-15 15:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-08-02 20:11 . 2009-06-15 13:03 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-02 20:11 . 2009-06-15 15:29 156160 ----a-w- c:\windows\system32\t2embed.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 16:10 . 2007-07-23 10:39 739418 ----a-w- c:\windows\system32\perfh010.dat
2009-08-25 16:10 . 2007-07-23 10:39 136940 ----a-w- c:\windows\system32\perfc010.dat
2009-08-22 23:11 . 2007-07-24 06:26 7428 ----a-w- c:\windows\bthservsdp.dat
2009-08-14 06:15 . 2008-08-29 12:40 -------- d-----w- c:\programdata\NOS
2009-08-14 06:15 . 2008-08-29 12:40 -------- d-----w- c:\program files\NOS
2009-08-13 11:25 . 2008-08-05 17:08 -------- d-----w- c:\users\Andrea\AppData\Roaming\Datalayer
2009-08-05 21:55 . 2007-07-24 06:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-02 21:55 . 2008-08-24 20:43 -------- d-----w- c:\program files\Java
2009-08-02 21:55 . 2008-08-02 15:16 -------- d-----w- c:\programdata\McAfee
2009-07-18 12:17 . 2009-07-29 06:32 827392 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 12:10 . 2009-07-29 06:32 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-07-18 12:10 . 2009-07-29 06:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 12:07 . 2009-07-29 06:32 72704 ----a-w- c:\windows\system32\admparse.dll
2009-07-18 10:00 . 2009-07-29 06:32 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-18 08:34 . 2009-07-29 06:32 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-07-17 14:52 . 2009-08-12 06:24 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:02 . 2009-08-12 06:24 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 13:01 . 2009-08-12 06:24 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 13:00 . 2009-08-12 06:24 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 11:11 . 2009-08-12 06:24 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-13 20:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-13 19:42 . 2007-07-24 07:20 -------- d-----w- c:\programdata\Microsoft Help
2009-06-29 17:23 . 2008-07-13 14:01 1469 ----a-w- c:\windows\system32\dmlg.dat
2009-06-10 12:16 . 2009-08-12 06:24 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 12:10 . 2009-08-12 06:24 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-06-10 12:10 . 2009-08-12 06:24 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-06-10 12:09 . 2009-08-12 06:24 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-06-10 12:07 . 2009-08-12 06:24 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-06-10 12:04 . 2009-08-12 06:24 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 12:04 . 2009-08-12 06:24 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-06-04 12:47 . 2009-08-12 06:24 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-06-04 12:43 . 2009-08-12 06:24 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-04 12:36 . 2009-08-12 06:24 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-05-28 10:34 . 2008-08-25 16:20 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-08-25 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-24 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 857648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"funkyemoticons"="c:\program files\FunkyEmoticons\FunkyEmoticons.exe" [2009-06-16 283360]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-06-13 4489216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-24 723760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"NoHotStart"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2678460D-99CF-4E82-A29F-B754DA30836F}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{2CAE3635-4861-4AB2-8103-57AF1E6D92A6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B06ED532-2DB8-47A4-B09E-D2C286E3D1EC}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{E6457DB7-AF38-4008-8AFC-38C39D9036F6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{EFAF95C7-A3F2-4825-83F0-4BE3F09E857C}"= UDP:c:\program files\eMule\emule.exe:eMule
"{EA8394C2-884E-4757-A517-D65118FBA5D1}"= TCP:c:\program files\eMule\emule.exe:eMule
"{2C0CA1C5-679D-4A54-8720-4715B8D734E3}"= UDP:4662:emule
"{B833CCFE-4AF2-4163-A200-3619008935E8}"= TCP:4672:emule
"{2578937F-2030-48E3-8989-7E82B119C18D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{CBE76F0F-0ABA-4220-B52C-6A6C44AB9E94}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{09FEE12B-09D5-4C68-82BD-7858C18C4D35}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{4A3FA78A-565A-4AEC-9E7E-E2E84340DBFD}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{AD632BD9-713D-4033-B40C-25ED311F4DB5}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{48968542-F5F6-4CA8-BAF3-125FCB53405C}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"TCP Query User{CE418E73-6ADB-4799-921A-8C377343A078}c:\\program files\\microsoft lifecam\\lifecam.exe"= UDP:c:\program files\microsoft lifecam\lifecam.exe:LifeCam.exe
"UDP Query User{B24910AF-E010-4734-981E-AC4AF856DD4A}c:\\program files\\microsoft lifecam\\lifecam.exe"= TCP:c:\program files\microsoft lifecam\lifecam.exe:LifeCam.exe
"{A2472324-6CE2-4411-8B4C-11413CFC92DD}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{4CB7199A-8DC9-4E5F-9895-6869129271D2}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"TCP Query User{2AFC5046-7666-4BE7-BC55-AE2A80CF6842}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{567CD6BA-0BDC-44CD-80AE-4A248D758284}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"{8810595A-D5C0-49EF-B50F-A80CFE3D057E}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{28397C4B-2E78-4E2E-9D55-05DF90A97E9E}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{1CC5E430-3565-4FC9-864E-13CD0BC98E35}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{BB0C4316-53EF-4878-B470-531A014F88DE}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{1CC9E3FA-4CED-46B1-9750-ECD4143ABF66}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{26D3B96A-E310-4E1B-9712-82278FDDA55B}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{D0826226-31A4-4A61-AA0A-EA605EAEE811}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{DADAFDED-0FAD-4E0F-993F-783F31C88881}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R2 BcmSqlStartupSvc;Servizio di avvio SQL Server di Business Contact Manager;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [16/01/2008 10.41.32 30312]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\System32\drivers\KMDFMEMIO.sys [24/07/2007 8.47.36 13312]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 22.31.10 29263712]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [02/11/2006 12.25.17 2589184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
2009-08-25 c:\windows\Tasks\User_Feed_Synchronization-{B336C6D4-5DE7-4FCC-B5EF-5611F88722CF}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia immagine alla periferica &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Invia pagina alla periferica &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\c8ho9gga.default\
FF - prefs.js: browser.search.selectedEngine - Trova Rapido
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://mystart.hiyo.com/?loc=ff_address&search=
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-08-25 21:29
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\TMP0000000C2AB4F2574B183A76 524288 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Dlls Loaded By Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3656)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_ita.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\System32\oodag.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
c:\program files\Samsung\Samsung Recovery Solution II\WCScheduler.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-08-25 21.36.37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-25 19:36
Pre-Run: 60.177.027.072 bytes free
Post-Run: 60.005.810.176 bytes free
--- E O F --- 2009-08-22 20:23
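The "Reg Loading Points" section above is the part of a ComboFix log a responder reads first: it is a REGEDIT4-style dump of the autostart keys and of a few policy values, and in this log it shows UAC switched off ("EnableLUA"= 0) and Security Center monitoring disabled for one product. The following script is an added example, not part of ComboFix and not posted by the log's author; it parses that section's two value spellings (`dword:00000001` and `0 (0x0)`), pulls the Run entries, and flags the policy weaknesses plus any autorun launched from a location legitimate installers rarely use. The sample lines are constructed from entries in this log, and the "unusual location" rule is a triage heuristic of my own, not a ComboFix rule; entries it marks for review (such as the LifeCam tray in the Windows root) are not thereby malicious.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.
Added example for this page; not ComboFix code and not the poster's code."""
import re
from dataclasses import dataclass

# Constructed sample, shaped like the REGEDIT4 dump ComboFix emits.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-08-25 1232896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"funkyemoticons"="c:\program files\FunkyEmoticons\FunkyEmoticons.exe" [2009-06-16 283360]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-06-13 4489216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"NoHotStart"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = weakened defence, "review" = look at it by hand
    key: str        # registry key the value lives under
    name: str       # value name
    detail: str


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_QUOTED_RE = re.compile(r'^"([^"]+)"')


def parse_loading_points(text):
    """Return [(key, value_name, raw_value), ...] from a REGEDIT4-style dump."""
    entries, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(2)))
    return entries


def as_int(raw):
    """Decode both numeric spellings in the log: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.split()[0])


def run_image_path(raw):
    """Run values come as "path" [date size] or "bare.exe" - resolved\\path [date size]."""
    raw = raw.strip()
    m = _QUOTED_RE.match(raw)
    path = m.group(1) if m else raw
    if "\\" not in path and " - " in raw:
        path = raw.split(" - ", 1)[1].split(" [", 1)[0]
    return path.strip().lower()


def odd_autorun_location(path):
    """Heuristic (assumption, not a ComboFix rule): profile, temp, ProgramData,
    or a file dropped directly into the Windows root rather than a subfolder."""
    if any(s in path for s in ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\")):
        return True
    root = "c:\\windows\\"
    return path.startswith(root) and "\\" not in path[len(root):]


def triage(text):
    """Flag disabled UAC, disabled Security Center monitoring, and odd Run entries."""
    findings = []
    for key, name, raw in parse_loading_points(text):
        k, n = key.lower(), name.lower()
        if k.endswith("\\policies\\system") and n == "enablelua" and as_int(raw) == 0:
            findings.append(Finding("high", key, name, "UAC is turned off (EnableLUA=0)"))
        elif "\\security center\\monitoring\\" in k and n == "disablemonitoring" and as_int(raw) == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(Finding("high", key, name,
                                    f"Security Center monitoring disabled for {product}"))
        elif k.endswith("\\currentversion\\run"):
            path = run_image_path(raw)
            if odd_autorun_location(path):
                findings.append(Finding("review", key, name, f"autorun from unusual location: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}: {f.detail}")
```

Paste the whole "Reg Loading Points" section of a real log in place of `SAMPLE_LOG` to run it over a live case; the "high" findings are the ones to fix regardless of what the malware turned out to be, since an EnableLUA of 0 leaves every later infection running with full administrator rights.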