This is the ComboFix log
ComboFix 08-11-29.03 - AAB03 2008-11-30 11:26:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1219 [GMT 1:00]
Eseguito da: c:\documents and settings\aab03\Desktop\ComboFix.exe
Interruttori di comando utilizzati :: c:\documents and settings\aab03\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
* Resident AV is active
.
((((((((((((((((((((((((( Files Creati Da 2008-10-28 al 2008-11-30 )))))))))))))))))))))))))))))))))))
.
2008-11-30 10:43 . 2008-11-30 10:45 <DIR> d-------- c:\temp\p1
2008-11-30 09:20 . 2008-11-30 09:20 1 --a------ c:\windows\system32\uniq.tll
2008-11-28 06:45 . 2008-11-28 06:45 65,536 --a------ c:\windows\system32\khfCurSM.dll
2008-11-28 06:45 . 2008-11-28 06:45 38,400 --a------ c:\windows\system32\fccdcski.dll.ren
2008-11-28 06:45 . 2008-11-27 13:19 32,256 --a------ c:\windows\system32\frmwrk32.exe
2008-11-28 06:45 . 2008-11-30 11:11 4,785 --a------ c:\windows\system32\warning.gif
2008-11-28 06:45 . 2008-11-30 11:11 3,104 --a------ c:\windows\system32\ntdll64.exe
2008-11-28 06:45 . 2008-11-30 11:11 1,349 --a------ c:\windows\system32\ahtn.htm
2008-11-28 06:45 . 2008-11-30 09:20 1 --a------ c:\windows\system32\test.ttt
2008-11-26 10:58 . 2008-11-26 10:58 297,697 --a------ c:\windows\system32\SpywareRemover.exe
2008-11-26 10:48 . 2008-11-26 10:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 14:44 . 2008-11-24 18:07 <DIR> d-------- c:\temp\SCANSIONI
2008-11-22 21:36 . 2008-11-22 21:36 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\NCH Swift Sound
2008-11-22 21:36 . 2008-11-22 21:36 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\NCH Software
2008-11-22 21:36 . 2008-11-22 21:36 <DIR> d-------- c:\documents and settings\aab03\Dati applicazioni\NCH Swift Sound
2008-11-22 21:36 . 2008-11-22 21:36 <DIR> d-------- c:\documents and settings\aab03\Dati applicazioni\NCH Software
2008-11-10 11:52 . 2008-11-27 16:27 <DIR> d-------- c:\documents and settings\aab03\Dati applicazioni\MechCAD
2008-11-06 10:36 . 2008-11-06 10:36 141 --a------ c:\windows\system32\AddPort.ini
2008-11-06 10:34 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-06 10:34 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2008-11-06 10:30 . 2008-11-06 10:30 <DIR> d-------- c:\programmi\File comuni\SWF Studio
2008-11-04 18:42 . 2008-11-04 18:42 <DIR> d-------- c:\programmi\File comuni\Macrovision Shared
2008-11-04 18:42 . 2008-11-04 18:43 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2008-11-04 18:03 . 2008-11-21 19:03 <DIR> d-------- c:\temp\p
2008-10-22 20:07 . 2008-10-23 08:36 <DIR> d-------- c:\documents and settings\aab03\Dati applicazioni\Any Video Converter
2008-10-22 10:46 . 2008-10-22 10:46 <DIR> d-------- c:\documents and settings\aab03\Dati applicazioni\OpenOffice.org
2008-10-22 09:33 . 2008-10-22 09:33 <DIR> d-------- c:\documents and settings\aab03\Dati applicazioni\ODF
2008-10-02 08:21 . 2008-11-29 08:55 <DIR> d-------- c:\documents and settings\aab03\Dati applicazioni\NJStar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 10:14 --------- d-----w c:\documents and settings\aab03\Dati applicazioni\Skype
2008-11-30 08:20 --------- d-----w c:\documents and settings\aab03\Dati applicazioni\skypePM
2008-11-29 09:08 --------- d-----w c:\programmi\Crawler
2008-11-29 09:05 --------- d-----w c:\programmi\Red Kawa
2008-11-29 07:56 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-28 18:28 --------- d-----w c:\programmi\Bus
2008-11-28 14:26 --------- d-----w c:\programmi\RealAV
2008-11-28 08:43 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-11-28 08:30 --------- d-----w c:\programmi\Spybot - Search & Destroy
2008-11-28 08:18 --------- d-----w c:\programmi\Bonjour
2008-11-28 06:09 --------- d-----w c:\programmi\eMule
2008-11-28 05:44 --------- d-----w c:\programmi\eToro
2008-11-27 21:16 --------- d-----w c:\programmi\TomTom DesktopSuite
2008-11-26 09:48 --------- d-----w c:\programmi\iTunes
2008-11-26 09:48 --------- d-----w c:\programmi\iPod
2008-11-25 17:23 --------- d-----w c:\documents and settings\aab03\Dati applicazioni\Vso
2008-11-22 20:36 --------- d-----w c:\programmi\NCH Swift Sound
2008-11-22 20:36 --------- d-----w c:\programmi\NCH Software
2008-11-21 16:36 --------- d-----w c:\programmi\Readiris Pro 11 Corporate Edition
2008-11-06 09:37 --------- d-----w c:\programmi\Hewlett-Packard
2008-11-04 17:43 --------- d-----w c:\programmi\File comuni\Adobe
2008-10-25 07:29 --------- d-----w c:\programmi\Microsoft Silverlight
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 19:07 --------- d-----w c:\programmi\Any Video Converter
2008-10-22 18:18 --------- d-----w c:\programmi\SourceTec
2008-10-22 18:14 --------- d-----w c:\programmi\VSO
2008-10-22 17:53 --------- d-----w c:\programmi\DVD Decrypter
2008-10-22 09:44 --------- d-----w c:\programmi\OpenOffice.org 3
2008-10-22 09:44 --------- d-----w c:\programmi\JRE
2008-10-22 08:33 --------- d-----w c:\programmi\OD Fellowship
2008-10-22 08:25 --------- d-----w c:\programmi\Java
2008-10-16 14:22 --------- d-----w c:\programmi\MSECache
2008-10-15 08:16 --------- d-----w c:\programmi\MultiProxy
2008-10-07 14:47 --------- d--h--w c:\programmi\FX Uninstall Information
2008-10-02 15:31 --------- d-----w c:\programmi\Google
2008-10-01 11:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-29 13:18 --------- d-----w c:\programmi\Look@LAN
2008-03-21 12:49 784 ----a-w c:\documents and settings\aab03\Dati applicazioni\mpauth.dat
2008-02-18 10:22 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2007-11-18 06:27 47,360 ----a-w c:\documents and settings\aab03\Dati applicazioni\pcouffin.sys
2007-11-12 13:23 81,920 ----a-w c:\documents and settings\aab03\Dati applicazioni\ezpinst.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-30_10.00.38.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-30 10:29:49 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6a8.dat
+ 2008-11-30 10:29:50 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6f0.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"LightScribe Control Panel"="c:\programmi\File comuni\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-09-06 413696]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]
"TomTomHOME.exe"="c:\programmi\TomTom HOME 2\HOMERunner.exe" [2008-11-25 234856]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-08-08 25507624]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"RealAV.exe"="c:\programmi\RealAV\RealAV.exe" [2008-11-28 2518528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"PDF Complete"="c:\programmi\PDF Complete\pdfsty.exe" [2007-05-08 331552]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"hpWirelessAssistant"="c:\programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QlbCtrl"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"HP Software Update"="c:\programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Cpqset"="c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"WatchDog"="c:\programmi\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2007-10-19 949376]
"NcpBudget"="c:\programmi\WatchGuard\Mobile VPN\ncpbudgt.exe" [2008-01-17 401920]
"NcpPopup"="c:\programmi\WatchGuard\Mobile VPN\ncppopup.exe" [2007-11-07 535040]
"NcpMonitor"="c:\programmi\WatchGuard\Mobile VPN\ncpmon.exe" [2008-04-04 3439616]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acrobat Assistant 8.0"="c:\programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SpywareCleaner"="c:\windows\system32\SpywareRemover.exe" [2008-11-26 297697]
"MsmqIntCert"="mqrt.dll" [2007-07-06 c:\windows\system32\mqrt.dll]
"Framework Windows"="frmwrk32.exe" [2008-11-27 c:\windows\system32\frmwrk32.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
c:\documents and settings\aab03\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 3.0.lnk - c:\programmi\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]
OpenVPN GUI.lnk - c:\programmi\OpenVPN\bin\openvpn-gui-1.0.3.exe [2008-01-30 104712]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-11-04 295606]
Adobe Acrobat Synchronizer.lnk - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Avvio rapido HP Photosmart Premier.lnk - c:\programmi\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
DVD Check.lnk - c:\programmi\InterVideo\DVD Check\DVDCheck.exe [2007-10-18 192512]
Gestione servizi.lnk - c:\programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp ASWLNPkg scecli
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-04-22 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-03-29 13696]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-04-22 5808]
R2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe -k Cognizance [2004-08-19 14336]
R2 DSynchronizeSrv;DSynchronize Service;"c:\documents and settings\aab03\Documenti\PERSONALE\Dsynchronize\DSynchronize.exe" [2007-10-18 164352]
R2 HpFkCryptService;Drive Encryption Service;"c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [2007-04-22 221184]
R2 MSSEARCH;Microsoft Search;"c:\programmi\File comuni\System\MSSearch\Bin\mssearch.exe" [2007-10-18 73728]
R2 ncpclcfg;ncpclcfg;c:\programmi\WatchGuard\Mobile VPN\ncpclcfg.exe [2008-07-02 81920]
R2 ncprwsnt;ncprwsnt;c:\programmi\WatchGuard\Mobile VPN\ncprwsnt.exe [2008-07-02 1036296]
R2 NcpSec;NcpSec;c:\programmi\WatchGuard\Mobile VPN\ncpsec.exe [2008-07-02 45056]
R2 pdfcDispatcher;PDF Document Manager;c:\programmi\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [2007-07-24 540448]
R2 rwsrsu;RwsRsu;c:\programmi\WatchGuard\Mobile VPN\rwsrsu.exe [2008-07-02 266240]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2006-09-19 36608]
R3 NcpFiltMP;NcpFiltMP;c:\windows\system32\DRIVERS\ncpvaxp.sys [2008-07-02 80040]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\DRIVERS\tap0901.sys [2008-01-30 25216]
S2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe -k Cognizance [2004-08-19 14336]
S2 kt_openoffice;KnowledgeTree OpenOffice;"c:\progra~1\ktdms\winserv.exe" []
S2 KTLuceneServer;KTLuceneServer;c:\progra~1\ktdms\knowledgeTree\bin\luceneserver\KTLuceneService.exe []
S2 ktscheduler;ktdmsScheduler;c:\programmi\ktdms\knowledgeTree\bin\win32\taskrunner.bat []
S3 Crystal Query Server;Crystal Query Server;"c:\programmi\Seagate Software\Query Server\querysrv.exe" -service [2007-10-18 375296]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\programmi\NOS\bin\getPlus_HelperSvc.exe [2008-09-17 33752]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\DRIVERS\KS-959.sys [2008-01-07 19034]
S3 NcpFilt;Ncp Filter Service;c:\windows\system32\DRIVERS\ncpvaxp.sys [2008-07-02 80040]
S3 ncpvaxp;NCP Secure Client Virtual Adapter Driver;c:\windows\system32\DRIVERS\ncpvaxp.sys [2008-07-02 80040]
S3 stusb2ir;USB 2.0 IrDA Bridge;c:\windows\system32\DRIVERS\stusb2ir.sys [2008-08-07 40856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
- - - - ORFÃOS REMOVIDOS - - - -
BHO-{aa72e7be-f955-424f-bb29-918fe16bd76a} - (no file)
BHO-{CB0BBAC5-83B1-4DC8-9E90-928C5CA7645C} - (no file)
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 11:30:13
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe? ??????????T??????????????|?M?|?????M?|&?@
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\programmi\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ktscheduler]
"ImagePath"="c:\programmi\ktdms\knowledgeTree\bin\win32\taskrunner.bat "
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'lsass.exe'(328)
c:\windows\SbHpNp.dll
c:\windows\system32\imon.dll
c:\programmi\Eset\pr_imon.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\msdtc.exe
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\MICROS~4\MSSQL\Binn\sqlservr.exe
c:\programmi\Microsoft Analysis Services\Bin\msmdsrv.exe
c:\programmi\Eset\nod32krn.exe
c:\programmi\PDF Complete\pdfsvc.exe
c:\windows\system32\mqsvc.exe
c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\mqtgsvc.exe
c:\programmi\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
.
Ora fine scansione: 2008-11-30 11:34:58 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-11-30 10:34:43
ComboFix2.txt 2008-11-30 09:01:06
Pre-Run: 15,542,140,928 byte disponibili
Post-Run: 15,535,157,248 byte disponibili
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
255 --- E O F --- 2008-11-16 10:08:06
Now it no longer finds VirtuMonde, but it keeps finding win32.winlagons.co.
Desktop background with the text "WArning", and it does not let me do anything at all...
and the site keeps opening:
http://real-av.org/?code=3
Now I'm running Malwarebytes...