I may have managed to remove kiqae with reg-cleaner in safe mode. Anyway, I ran Combofix, which uninstalled Webmediaplayer. Did the presence of kiqae perhaps depend on Webmediaplayer? This is the Combofix log:
ComboFix 08-12-26.03 - Asmodeo 2008-12-28 10.30.03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1023.631 [GMT 1:00]
Eseguito da: c:\documents and settings\Asmodeo\Desktop\ComboFix.exe
AV: Sistema Antivirus NOD32 2.70 *On-access scanning disabled* (Outdated)
* Creato nuovo punto di ripristino
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Desktop\webmediaplayer.lnk
c:\documents and settings\All Users\Menu Avvio\Programmi\WebMediaPlayer
c:\documents and settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\Condizioni generali.url
c:\documents and settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\Disinstalla.lnk
c:\documents and settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\Riservatezza.url
c:\documents and settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\WebMediaPlayer.lnk
c:\documents and settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\Website.url
c:\documents and settings\Asmodeo\Impostazioni locali\Dati applicazioni\kiqae.dat
c:\documents and settings\Asmodeo\Impostazioni locali\Dati applicazioni\kiqae.exe
c:\documents and settings\Asmodeo\Impostazioni locali\Dati applicazioni\kiqae_nav.dat
c:\documents and settings\Asmodeo\Impostazioni locali\Dati applicazioni\kiqae_navps.dat
c:\programmi\webmediaplayer
c:\programmi\webmediaplayer\resources\wmp_translation_file.xml
c:\programmi\webmediaplayer\skins\classic.skn
c:\programmi\webmediaplayer\sqlite3.dll
c:\programmi\webmediaplayer\uninst.exe
c:\programmi\webmediaplayer\WebMediaPlayer.exe
.
((((((((((((((((((((((((( Files Creati Da 2008-11-28 al 2008-12-28 )))))))))))))))))))))))))))))))))))
.
2008-12-27 17:57 . 2008-09-21 18:13 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2008-12-27 17:57 . 2008-09-21 18:13 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2008-12-27 17:57 . 2008-09-21 18:13 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2008-12-27 17:57 . 2008-09-21 16:21 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2008-12-27 17:57 . 2008-09-21 18:13 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2008-12-27 17:57 . 2008-12-28 10:31 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2008-12-27 17:57 . 2008-09-21 18:13 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2008-12-27 17:57 . 2008-09-21 18:13 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2008-12-27 17:57 . 2008-12-27 17:57 <DIR> d-------- c:\documents and settings\Administrator
2008-12-18 10:08 . 2008-12-18 10:08 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\wmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 19:45 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-12-21 15:20 --------- d-----w c:\programmi\SpywareBlaster
2008-11-21 23:48 --------- d-----w c:\documents and settings\Asmodeo\Dati applicazioni\dvdcss
2008-11-09 00:28 --------- d-----w c:\documents and settings\Asmodeo\Dati applicazioni\uTorrent
2008-10-23 12:59 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:04 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2001-11-23 04:08 712,704 ----a-r c:\windows\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-08-19 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"D-Link AirPlus XtremeG"="c:\programmi\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 1011712]
"ANIWZCS2Service"="c:\programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2008-09-23 949376]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-09-23 98304]
"DAEMON Tools-1033"="c:\programmi\D-Tools\daemon.exe" [2004-08-22 81920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - c:\programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
VIA RAID TOOL.lnk - c:\programmi\VIA\RAID\raid_tool.exe [2008-09-21 565248]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-09-22 15424]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 450400]
*Newly Created Service* - PROCEXP90
.
- - - - ORFÃOS REMOVIDOS - - - -
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Supplementare di scansione -------
.
uStart Page = www.fastweb.it
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {B3025DD0-2AA5-4586-923B-998400D7CC78} = 62.101.81.80,1.253.128.33
FF - ProfilePath - c:\documents and settings\Asmodeo\Dati applicazioni\Mozilla\Firefox\Profiles\c312f6qs.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 10:31:22
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\imon.dll
c:\programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-12-28 10.32.40
ComboFix-quarantined-files.txt 2008-12-28 09:32:02
Pre-Run: 69.790.339.072 byte disponibili
Post-Run: 71,307,988,992 byte disponibili
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
140 --- E O F --- 2008-12-17 19:15:22
Thanks for the help.