Thanks LUKE57,
I ran COMBOFIX this morning, here is the log:
ComboFix 08-10-06.08 - CITT@DINOPIU 2008-10-08 8:19:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.230 [GMT 2:00]
Running from: C:\Documents and Settings\CITT@DINOPIU\Desktop\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\Documents and Settings\All Users\Dati applicazioni\imgdoc2.dll
C:\itsduel.exe
C:\njibyekk.com
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\ckvo2.dll
C:\yew.bat
.
((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))))))
.
2008-10-07 11:35 . 2008-10-07 11:35 22,368 --a------ C:\Documents and Settings\CITT@DINOPIU\yddoxqif.exe
2008-10-06 08:41 . 2008-10-06 08:47 325,372 --a------ C:\output.avi
2008-10-02 09:01 . 2008-10-02 09:01 <DIR> d-------- C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\NCH Software
2008-10-02 09:00 . 2008-10-02 09:01 <DIR> d-------- C:\Programmi\NCH Software
2008-10-02 09:00 . 2008-10-02 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\NCH Software
2008-09-30 16:38 . 2008-09-30 16:38 <DIR> d-------- C:\Programmi\OpenVideoConverter
2008-09-23 17:50 . 2008-09-23 17:50 <DIR> d-------- C:\Documents and Settings\CITT@DINOPIU\.drdivx2
2008-09-18 11:33 . 2008-09-18 11:33 58 --a------ C:\CompressAvi.ini
2008-09-18 11:17 . 2008-09-18 11:21 <DIR> d-------- C:\Programmi\AVICalc2
2008-09-08 10:38 . 2008-09-08 12:13 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-08 06:15 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-10-08 06:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-07 16:22 --------- d-----w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\Free Download Manager
2008-10-07 12:52 --------- d-----w C:\Programmi\eMule
2008-10-02 08:21 --------- d-----w C:\Programmi\Eset
2008-10-01 11:18 --------- d-----w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\U3
2008-09-30 10:04 --------- d-----w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\dvdcss
2008-09-25 06:45 --------- d-----w C:\Programmi\Google
2008-09-23 15:50 --------- d-----w C:\Programmi\DivX
2008-09-18 10:39 --------- d-----w C:\Programmi\XVid;-)
2008-09-18 09:43 --------- d-----w C:\Programmi\AviSynth 2.5
2008-09-04 13:53 --------- d-----w C:\Documents and Settings\Adminestrator\Dati applicazioni\Watchtower
2008-09-02 08:57 --------- d-----w C:\Documents and Settings\Adminestrator\Dati applicazioni\AdobeUM
2008-08-28 10:32 --------- d-----w C:\Programmi\Gabest
2008-08-27 10:50 --------- d-----w C:\Programmi\DVDx
2008-08-27 10:09 --------- d-----w C:\Programmi\QuickTime
2008-08-27 10:09 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-08-27 10:07 --------- d-----w C:\Programmi\Apple Software Update
2008-08-27 10:07 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2008-04-11 11:00 72,088 ----a-w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 917,504 2006-03-30 11:53:16 C:\Programmi\Eset\bak\nod32kui.exe
----a-w 949,376 2008-07-25 06:26:46 C:\Programmi\Eset\nod32kui.exe
----a-w 32,881 2003-11-19 16:48:14 C:\Programmi\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 36,864 2002-12-17 14:39:06 C:\Programmi\Scansoft\PaperPort\bak\IndexSearch.exe
----a-w 45,108 2002-12-17 14:11:44 C:\Programmi\Scansoft\PaperPort\bak\pptd40nt.exe
----a-w 15,360 2004-08-19 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-19 11:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 118,784 2004-08-20 19:51:14 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 155,648 2004-08-20 19:55:14 C:\WINDOWS\system32\bak\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [N/A]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"fsm"="" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2007-05-15 35328]
"MFServices"="C:\Programmi\Companion Suite LL\MFServices.exe" [2004-07-08 147456]
"MFPrintServer"="C:\Programmi\Companion Suite LL\MFPrintServer.exe" [N/A]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2008-07-25 949376]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2008-05-27 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]
C:\Documents and Settings\CITT@DINOPIU\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-22 110592]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-22 110592]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Service Manager.lnk - C:\MSSQL7\Binn\sqlmangr.exe [2006-03-30 110592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
R1 mfxnt;mfxnt;C:\WINDOWS\system32\drivers\mfxnt.sys [2004-07-09 61288]
S2 gupdate1c91eda38f52124;Google Update Service (gupdate1c91eda38f52124);C:\Programmi\Google\Update\GoogleUpdate.exe [2008-09-25 133104]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S3 HttpUsb;XML interface;C:\WINDOWS\system32\Drivers\HttpUsb.sys [2004-07-09 33769]
S3 UsbItf;MF F@X activities;C:\WINDOWS\system32\Drivers\UsbItf.sys [2004-07-09 10240]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{009ad61a-0146-11dd-84a1-001320358366}]
\Shell\AutoRun\command - E:\xyw9tmdj.com
\Shell\explore\Command - E:\xyw9tmdj.com
\Shell\open\Command - E:\xyw9tmdj.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1af8dd8c-06cd-11dd-84a8-001320358366}]
\Shell\AutoRun\command - E:\6l6w8.com
\Shell\explore\Command - E:\6l6w8.com
\Shell\open\Command - E:\6l6w8.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23c6662d-c4d0-11dc-8466-001320358366}]
\Shell\AutoRun\command - E:\pv6mxu.bat
\Shell\explore\Command - E:\pv6mxu.bat
\Shell\open\Command - E:\pv6mxu.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34c8a2c6-4bf0-11dd-84e3-001320358366}]
\Shell\AutoRun\command - E:\b0j6j16.bat
\Shell\explore\Command - E:\b0j6j16.bat
\Shell\open\Command - E:\b0j6j16.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{350170c7-2264-11dd-84bc-001320358366}]
\Shell\AutoRun\command - xp19.com
\Shell\explore\Command - xp19.com
\Shell\open\Command - xp19.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36278242-e80a-11db-835b-001320358366}]
\Shell\AutoRun\command - E:\22wcb21o.exe
\Shell\explore\Command - E:\22wcb21o.exe
\Shell\open\Command - E:\22wcb21o.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36278246-e80a-11db-835b-001320358366}]
\Shell\AutoRun\command - E:\olb1iimw.bat
\Shell\explore\Command - E:\olb1iimw.bat
\Shell\open\Command - E:\olb1iimw.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3af1eaab-fa51-11dc-849a-001320358366}]
\Shell\AutoRun\command - E:\nlblkhq.com
\Shell\explore\Command - E:\nlblkhq.com
\Shell\open\Command - E:\nlblkhq.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e51d577-c802-11dc-8468-001320358366}]
\Shell\AutoRun\command - E:\njibyekk.com
\Shell\explore\Command - E:\njibyekk.com
\Shell\open\Command - E:\njibyekk.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ef8017d-ce33-11db-8340-001320358366}]
\Shell\AutoRun\command - E:\1yl2d.bat
\Shell\explore\Command - E:\1yl2d.bat
\Shell\open\Command - E:\1yl2d.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2c1481-ef0b-11db-8363-001320358366}]
\Shell\AutoRun\command - E:\tyktjfww.exe
\Shell\explore\Command - E:\tyktjfww.exe
\Shell\open\Command - E:\tyktjfww.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50f0d3e2-9b0a-11db-82e1-001320358366}]
\Shell\AutoRun\command - E:\6l6w8.com
\Shell\explore\Command - E:\6l6w8.com
\Shell\open\Command - E:\6l6w8.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f181c55-fc9f-11dc-849d-001320358366}]
\Shell\AutoRun\command - E:\q.com
\Shell\explore\Command - E:\q.com
\Shell\open\Command - E:\q.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ee96a18-b6a0-11db-8321-001320358366}]
\Shell\AutoRun\command - E:\81d9.exe
\Shell\explore\Command - E:\81d9.exe
\Shell\open\Command - E:\81d9.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76dcd013-4738-11dd-84df-001320358366}]
\Shell\AutoRun\command - E:\1u0o8bnq.cmd
\Shell\explore\Command - E:\1u0o8bnq.cmd
\Shell\open\Command - E:\1u0o8bnq.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{798ac2ca-ac89-11dc-8450-001320358366}]
\Shell\AutoRun\command - E:\olb1iimw.bat
\Shell\explore\Command - E:\olb1iimw.bat
\Shell\open\Command - E:\olb1iimw.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca91741-b472-11dc-8457-001320358366}]
\Shell\AutoRun\command - E:\xmnm2.cmd
\Shell\explore\Command - E:\xmnm2.cmd
\Shell\open\Command - E:\xmnm2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f9f8bc1-428c-11dd-84da-001320358366}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a49d918b-23ae-11dc-83a4-001320358366}]
\Shell\AutoRun\command - E:\kqnns.exe
\Shell\explore\Command - E:\kqnns.exe
\Shell\open\Command - E:\kqnns.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4342f5-e050-11dc-8481-001320358366}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4342f6-e050-11dc-8481-001320358366}]
\Shell\AutoRun\command - ino6.com
\Shell\explore\Command - ino6.com
\Shell\open\Command - ino6.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8a9a24-a23a-11dc-8446-001320358366}]
\Shell\AutoRun\command - E:\olb1iimw.bat
\Shell\explore\Command - E:\olb1iimw.bat
\Shell\open\Command - E:\olb1iimw.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8a9a26-a23a-11dc-8446-001320358366}]
\Shell\AutoRun\command - E:\yew.bat
\Shell\explore\Command - E:\yew.bat
\Shell\open\Command - E:\yew.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{addcd1cd-2d45-11dd-84c8-001320358366}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
- C:\Programmi\Google\Update\GoogleUpdate.exe [2008-09-25 08:44]
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{C5F43BEF-CE2F-46D8-AFE6-A647BACD1F09} - C:\WINDOWS\system32\Bitkv0.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://172.16.16.100/internet/internet.cgi
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
O8 -: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 -: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 -: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 -: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O17 -: HKLM\CCS\Interface\{CDCA59C7-AEFF-4A14-999E-7FD9EF90469F}: NameServer = 172.16.16.100
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 08:25:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\Dell\OpenManage\Client\Iap.exe
C:\Programmi\Eset\nod32krn.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Scan finished at: 2008-10-08 8:31:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-08 06:31:07
Pre-Run: 5.709.459.456 bytes free
Post-Run: 6,094,200,832 bytes free
249 --- E O F --- 2008-09-10 12:03:16