Well, it found something anyway.
In any case, here is the ComboFix log.
ComboFix 09-11-06.03 - Roberto 07/11/2009 14.17.54.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1653 [GMT 1:00]
Eseguito da: e:\dati\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}
* Creato nuovo punto di ripristino
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Roberto\Dati applicazioni\drivers\downld
c:\documents and settings\Roberto\Documenti\cc_20091107_124523.reg
C:\Muestras
c:\muestras\WINUPGRO.EXE.Muestra EliBagle v13.10
c:\windows\system32\drivers\XLoader.sys
.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_XLoader
((((((((((((((((((((((((( Files Creati Da 2009-10-07 al 2009-11-07 )))))))))))))))))))))))))))))))))))
.
2009-11-07 11:39 . 2009-11-07 11:39 -------- d-----w- c:\programmi\CCleaner
2009-11-07 11:19 . 2009-11-07 11:25 -------- d-----w- c:\programmi\FindyKill
2009-11-04 18:54 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-04 18:54 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-04 18:54 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-04 18:54 . 2009-11-04 18:54 -------- d-----w- c:\programmi\Avira
2009-11-04 18:54 . 2009-11-04 18:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2009-11-04 18:21 . 2009-11-07 13:23 -------- d--h--w- c:\documents and settings\Roberto\Dati applicazioni\drivers
2009-11-03 20:11 . 2009-11-03 20:11 -------- d-----w- c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\Temp
2009-11-01 18:50 . 2009-11-01 18:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NVIDIA Corporation
2009-11-01 18:50 . 2009-11-01 18:50 -------- d-----w- c:\programmi\NVIDIA Corporation
2009-11-01 10:29 . 2004-08-03 21:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2009-11-01 10:29 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2009-11-01 08:31 . 2009-11-01 08:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\nView_Profiles
2009-10-31 18:43 . 2009-10-31 18:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-31 18:42 . 2009-10-31 18:42 152576 ----a-w- c:\documents and settings\Roberto\Dati applicazioni\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-25 17:04 . 2009-11-01 18:30 -------- d-----w- c:\programmi\Kyodai Mahjongg 2006
2009-10-18 15:48 . 2009-10-18 15:52 -------- d-----w- c:\programmi\jpegbook_050409
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 12:57 . 2006-03-02 12:00 84156 ----a-w- c:\windows\system32\perfc010.dat
2009-11-07 12:57 . 2006-03-02 12:00 489410 ----a-w- c:\windows\system32\perfh010.dat
2009-11-07 12:11 . 2008-01-26 17:45 -------- d-----w- c:\programmi\Total Video Converter
2009-11-07 11:44 . 2008-05-02 09:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-11-01 18:43 . 2008-01-31 20:59 -------- d-----w- c:\programmi\SystemRequirementsLab
2009-10-31 18:43 . 2007-12-26 12:34 -------- d-----w- c:\programmi\Java
2009-10-24 10:05 . 2008-12-29 21:30 -------- d-----w- c:\programmi\Xvid
2009-10-21 17:48 . 2007-12-26 12:47 -------- d-----w- c:\programmi\DivX
2009-10-21 17:46 . 2009-04-22 19:39 -------- d-----w- c:\programmi\VirtualDub-1.8.8
2009-10-19 17:09 . 2007-12-26 10:16 -------- d-----w- c:\programmi\File comuni\Adobe
2009-09-28 17:59 . 2007-12-26 11:44 -------- d-----w- c:\programmi\VLC
2009-09-27 17:19 . 2009-09-27 17:19 3674112 ----a-w- c:\windows\system32\nvwssr.dll
2009-09-27 15:12 . 2009-09-27 15:12 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 15:12 . 2009-09-27 15:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 15:12 . 2009-09-27 15:12 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 15:12 . 2008-05-02 20:46 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 15:12 . 2008-05-02 20:46 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 15:12 . 2008-05-02 20:46 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 15:12 . 2008-05-02 20:46 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 15:12 . 2008-05-02 20:46 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-27 15:12 . 2007-12-23 14:06 490088 -c--a-w- c:\windows\system32\nvudisp.exe
2009-09-27 15:12 . 2007-12-23 13:47 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-27 15:12 . 2007-12-23 12:43 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 15:12 . 2007-12-23 12:43 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-25 05:35 . 2006-03-02 12:00 669696 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:35 . 2006-03-02 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-14 09:32 . 2008-05-06 19:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2009-09-11 14:17 . 2006-03-02 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2006-03-02 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2007-12-26 12:53 . 2007-12-26 12:53 9801 -c--a-w- c:\programmi\uninstal.log
2007-01-28 16:12 . 2008-12-25 17:29 2493452 ----a-w- c:\programmi\FVP_SA.exe
2008-10-19 09:58 . 2008-10-19 09:58 49152 ----a-w- c:\programmi\mozilla firefox\components\SiteVacuumXPCOM.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2004-06-21 786432]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\programmi\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"amd_dc_opt"="c:\programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"Acrobat Assistant 8.0"="c:\programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"LWBMOUSE"="c:\programmi\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe" [2001-04-20 429568]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-31 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-11-07 209153]
"combofix"="c:\combofix\CF24268.exe" [2009-11-07 398336]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 137216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Programmi\\Internet Explorer\\iexplore.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Kyodai Mahjongg 2006\\kmj.exe"=
S2 gupdate1ca139e9d8102de;Servizio di Google Update (gupdate1ca139e9d8102de);c:\programmi\Google\Update\GoogleUpdate.exe [02/08/2009 19.25.29 133104]
S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [11/07/2007 18.06.22 13824]
S3 phil2vid;Fotocamera VGA USB Philip;c:\windows\system32\drivers\philcam2.sys [24/12/2007 14.25.14 173696]
S3 rockusb;Driver for rockusb Device;c:\windows\system32\drivers\rockusb.sys [22/03/2006 19.57.44 73984]
S3 rockusb27;Driver for rockusb27 Device;c:\windows\system32\drivers\rockusb27.sys [25/04/2009 20.50.08 35072]
S3 scsiscan;Driver scanner SCSI;c:\windows\system32\drivers\scsiscan.sys [23/12/2007 21.50.38 11520]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [23/12/2007 22.35.10 223184]
--- Altri Servizi/Drivers In Memoria ---
*NewlyCreated* - MBR
*Deregistered* - mbr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kpsyugo
.
Contenuto della cartella 'Scheduled Tasks'
2009-11-07 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-02 18:24]
2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-02 18:25]
2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-02 18:25]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: Aggiungi a PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\5lzs3l62.default\
FF - prefs.js: browser.search.selectedEngine - Google Search Community
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - component: c:\programmi\Mozilla Firefox\components\SiteVacuumXPCOM.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\programmi\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
HKCU-Run-PMCRemote - (no file)
HKLM-Run-<NO NAME> - (no file)
AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\programmi\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 14:23
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spwm.sys >>UNKNOWN [0x8A612938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB7DFFB40 atapi.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programmi\Diskeeper\DkService.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Ora fine scansione: 2009-11-07 14.26.30 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-11-07 13:26
Pre-Run: 220 173 463 552 byte disponibili
Post-Run: 220 040 007 680 byte disponibili
- - End Of File - - 5A4B22043BA5AFC3D678D523E8DC60E7