ComboFix 09-12-27.04 - Ivan Space 28/12/2009 23.20.08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1535.1125 [GMT 1:00]
Eseguito da: c:\documents and settings\Ivan Space\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documenti\cc_20090705_003213.reg
c:\windows\system32\DRIVERS\atapi.sys . . . è infetto!!
.
((((((((((((((((((((((((( Files Creati Da 2009-11-28 al 2009-12-28 )))))))))))))))))))))))))))))))))))
.
2009-12-27 17:42 . 2009-12-27 17:46 -------- d-----w- c:\programmi\DVD Genie
2009-12-05 20:19 . 2009-12-05 20:19 -------- d-----w- c:\documents and settings\Ivan Space\Impostazioni locali\Dati applicazioni\TVU Networks
2009-12-05 20:19 . 2009-12-05 20:19 -------- d-----w- c:\documents and settings\Ivan Space\Impostazioni locali\Dati applicazioni\LocalLow
2009-12-05 20:19 . 2009-12-05 20:19 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\TVU Networks
2009-12-05 20:18 . 2009-12-05 20:18 -------- d-----w- c:\windows\system32\TVUAx
2009-12-04 22:51 . 2009-12-04 22:51 -------- d-----w- c:\documents and settings\Ivan Space\Dati applicazioni\MechCAD
2009-12-04 22:50 . 2009-12-04 22:51 -------- d-----w- c:\programmi\AceMoney
2009-12-04 22:48 . 2009-12-04 22:48 -------- d-----w- c:\programmi\IZArc
2009-12-01 21:45 . 2009-12-01 21:45 -------- d-----w- c:\documents and settings\Ivan Space\Impostazioni locali\Dati applicazioni\Help
2009-11-29 22:26 . 2009-11-29 22:26 -------- d-----w- c:\programmi\MSXML 4.0
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 22:18 . 2009-10-31 18:05 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000008-00001102-00000002-80641102}.dat
2009-12-28 22:18 . 2009-10-31 18:05 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000008-00001102-00000002-80641102}.dat
2009-12-28 10:51 . 2001-08-31 12:00 49126 ----a-w- c:\windows\system32\perfc010.dat
2009-12-28 10:51 . 2001-08-31 12:00 348968 ----a-w- c:\windows\system32\perfh010.dat
2009-12-15 16:34 . 2009-09-26 09:24 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-11-28 20:55 . 2009-11-28 20:55 -------- d-----w- c:\programmi\Cartoonist
2009-11-28 20:36 . 2009-11-28 20:35 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\MAGIX
2009-11-28 20:35 . 2009-11-28 20:35 -------- d-----w- c:\documents and settings\Ivan Space\Dati applicazioni\MAGIX
2009-11-24 23:54 . 2009-09-25 20:58 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-09-25 20:59 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:49 . 2009-09-25 20:59 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-09-25 20:59 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-09-25 20:59 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-09-25 20:59 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-14 09:46 . 2009-09-25 21:14 -------- d-----w- c:\programmi\Cerca_Italia
2009-11-07 12:54 . 2009-11-07 12:54 -------- d-----w- c:\documents and settings\Ivan Space\Dati applicazioni\Apple Computer
2009-11-05 15:46 . 2009-09-26 14:48 -------- d-----w- c:\programmi\File comuni\Adobe
2009-11-03 22:01 . 2009-10-23 22:14 -------- d-----w- c:\programmi\Java
2009-11-03 22:00 . 2009-11-03 22:00 152576 ----a-w- c:\documents and settings\Ivan Space\Dati applicazioni\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-31 18:04 . 2009-09-25 16:09 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-10-30 15:16 . 2009-10-28 16:17 -------- d-----w- c:\documents and settings\Ivan Space\Dati applicazioni\UpdateStar
2009-10-29 07:40 . 2008-04-27 13:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-23 22:14 . 2009-10-23 22:14 152576 ----a-w- c:\documents and settings\Ivan Space\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-21 05:38 . 2008-04-13 17:13 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-13 17:13 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-13 09:53 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 07:50 . 2009-10-16 07:50 2520888 ----a-w- c:\documents and settings\Ivan Space\Dati applicazioni\Mozilla\Firefox\Profiles\4a939v63.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-10-13 10:33 . 2008-04-13 17:13 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-13 17:13 150016 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-13 17:13 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 03:17 . 2009-10-23 22:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 15:49 . 2009-10-23 21:31 182978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1040.dat
2009-10-06 17:32 . 2009-10-28 16:03 327168 ----a-w- c:\windows\system32\cutil32.dll
2009-09-25 16:52 . 2009-09-25 16:52 53 ----a-w- c:\programmi\mkisowin.ini
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\programmi\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\programmi\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[-] 2008-04-13 09:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-27 . D5E120A3BA164D2E7307A6688FEB26B2 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{45dd02aa-87d3-441a-9e77-068f8fa93fc8}"= "c:\programmi\Cerca_Italia\tbCer0.dll" [2009-11-14 2166296]
[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]
2009-11-14 09:46 2166296 ----a-w- c:\programmi\Cerca_Italia\tbCer0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{45dd02aa-87d3-441a-9e77-068f8fa93fc8}"= "c:\programmi\Cerca_Italia\tbCer0.dll" [2009-11-14 2166296]
[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{45DD02AA-87D3-441A-9E77-068F8FA93FC8}"= "c:\programmi\Cerca_Italia\tbCer0.dll" [2009-11-14 2166296]
[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Packard Bell Software Suite"="c:\programmi\Packard Bell\Software Suite\PBSoftSuite.exe" [2009-04-10 2901024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"D-Link AirPlus G"="c:\programmi\D-Link\AirPlus G\AirGCFG.exe" [2006-11-17 1552384]
"avast!"="d:\avast\ashDisp.exe" [2009-09-15 81000]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 40960]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\programmi\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-28 28672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-29 15:34 49152 ----a-w- c:\programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-24 06:00 33648 ----a-w- c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\programmi\QuickTime\QTTask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\eMule\\emule.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [25/09/2009 21.41.15 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [25/09/2009 21.41.15 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [25/09/2009 21.59.00 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25/09/2009 21.59.00 20560]
R2 PowerSave;PowerSave Service;c:\programmi\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [06/04/2009 10.35.44 1002016]
S2 gupdate1ca3e2da7d88f70;Servizio di Google Update (gupdate1ca3e2da7d88f70);c:\programmi\Google\Update\GoogleUpdate.exe [25/09/2009 23.15.12 133104]
.
------- Scansione supplementare -------
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT2281187
uInternet Connection Wizard,ShellNext = iexplore
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ivan Space\Dati applicazioni\Mozilla\Firefox\Profiles\4a939v63.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.libero.it
FF - plugin: c:\documents and settings\Ivan Space\Dati applicazioni\Mozilla\Firefox\Profiles\4a939v63.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\adobe\Reader 9.0\Reader\browser\nppdf32.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 23:25
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x894E1B38]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf7586cb8
\Driver\atapi -> 0x894e1b38
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Periferica Bluetooth (Personal Area Network) #3 -> SendCompleteHandler -> NDIS.sys @ 0xf787fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf786ea0d
SendHandler -> NDIS.sys @ 0xf7882b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
Ora fine scansione: 2009-12-28 23:28:05
ComboFix-quarantined-files.txt 2009-12-28 22:27
Pre-Run: 27.954.212.864 byte disponibili
Post-Run: 27.923.501.056 byte disponibili
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - FBF359B267887A0BAE0559F3CBF9AEDF